A glimpse into the Quad7 operators' next moves and associated botnets
Common Information
Type Value
UUID 7be329a6-3a7c-42ff-8822-863fc0bd7627
Fingerprint a78582549c9b25d9
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 9, 2024, 12:30 p.m.
Added to db Sept. 9, 2024, 4:12 p.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline A glimpse into the Quad7 operators’ next moves and associated botnets
Title A glimpse into the Quad7 operators' next moves and associated botnets
Detected Hints/Tags/Attributes 87/3/38
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 59 Sekoia.io Blog https://blog.sekoia.io/feed/ 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 2
exec.sh
Details Domain 118
sekoia.io
Details Email 18
tdr@sekoia.io
Details File 1
fsy.bin
Details File 1
fsy.tar
Details File 1
netd.dat
Details File 13
sys.dat
Details md5 2
408152285671bbd0e6e63bd71d6abaaf
Details md5 2
5efc7d824851be9ec90a97d889a40d23
Details md5 2
f42849076e24b7827218f7a25bc11ccc
Details md5 2
92093dd7ba6ae8fe34a215c4c4bd1cd4
Details md5 2
e6f6a6de285d7c2361c32b1f29a6c3f6
Details md5 2
b3b09819f820a4ecd31f82f369000af2
Details md5 2
3c4b3d1480952d6ddfe434fef07054f7
Details md5 2
cdb37db4543dde5ca2bd98a43699828f
Details md5 2
22633ef920f0093e3d720e7bbeb9fec8
Details md5 2
d617f43163cb0f355dbf63058aa82d1d
Details md5 2
150d444848a02be230ed9fbf3692d226
Details md5 2
43ea387b8294cc4d0baaef6d26ff7c72
Details md5 2
4d9067e7cf517158337123a30a9bd0e3
Details md5 2
8542a3cbe232fe78baa0882736c61926
Details md5 2
777d6f907da38365924a0c2a12e973c5
Details md5 2
470c6ee61b4314721a8cc9ebafe8fef8
Details md5 2
1b08725acc371f6b7d05bb72d0c2d759
Details md5 2
40b5ac87ff87634c48fdd2cf64ccb66b
Details md5 2
199045538d9c139f9cf562d5b76a5cd5
Details md5 2
4b8e97260d9ef6ca774675be682d9c8c
Details md5 2
5b0a28631ca106c31e1d5e81d8e25297
Details IPv4 1
158.247.194.125
Details IPv4 1
45.77.44.119
Details IPv4 1
151.236.20.30
Details IPv4 1
103.140.239.63
Details IPv4 1
103.57.248.202
Details Threat Actor Identifier - APT 783
APT28
Details Yara rule 1
// Quad7 "UPDTAE" backdoor: ELF samples carrying the protocol/command strings below.
// A hit needs the ELF magic, the size cap AND at least 4 of the 7 strings, so a
// single generic token such as "cmdNum" on its own does not trigger the rule.
rule unk_Quad7_UPDTAE_backdoor_strings {
	meta:
		id = "02d5394e-734c-4744-b293-1bf96bf1518c"
		version = "1.0"
		malware = "UPDTAE backdoor"
		intrusion_set = "Quad7 Botnet operators"
		description = "UPDTAE backdoor used by Quad7 operators"
		source = "Sekoia.io"
		creation_date = "2024-08-19"
		classification = "TLP:GREEN"
		// Reference samples the rule was written against (MD5).
		hash = "40b5ac87ff87634c48fdd2cf64ccb66b"
		hash = "4b8e97260d9ef6ca774675be682d9c8c"
	strings:
		// All strings are anonymous ($) so that "N of them" counts them collectively.
		$ = "User-Agent: IOT"   // HTTP header literal; presumably the beacon's User-Agent -- confirm against a sample
		$ = "/iot/post"         // URI path literal
		$ = "vender"            // sic: misspelling is in the binary, keep byte-exact
		$ = "Response:  %s"     // two spaces before %s, keep byte-exact
		$ = "cmdNum"
		$ = "UPDTAE"
		$ = "cmdResult"
	condition:
		// 0x7f454c46 == "\x7fELF": ELF header magic read big-endian from offset 0.
		// filesize < 5MB bounds scan cost; 4 of the 7 strings must be present.
		uint32be(0) == 0x7f454c46 and filesize < 5MB and 4 of them
}
Details Yara rule 1
// Quad7 "*login" bind shells (xlogin and siblings). Unlike the other Quad7 rules this
// one does not count string hits: it requires two NUL-separated byte sequences to lie
// close together in the file, which is a tighter fingerprint of the shell-spawning code.
rule unk_Quad7_wildcard_login {
	meta:
		id = "01510244-0795-4299-aa66-056a2b4682e7"
		version = "1.0"
		intrusion_set = "Quad7 Botnet operators"
		malware = "xlogin"
		description = "Detects the *login bind shells"
		source = "Sekoia.io"
		creation_date = "2024-07-18"
		classification = "TLP:CLEAR"
		// Reference samples the rule was written against (MD5).
		hash = "4d9067e7cf517158337123a30a9bd0e3"
		hash = "43ea387b8294cc4d0baaef6d26ff7c72"
		hash = "777d6f907da38365924a0c2a12e973c5"
		hash = "8542a3cbe232fe78baa0882736c61926"
	strings:
		// Decoded: "/bin/sh" 00 "/tmp/login" -- two adjacent NUL-terminated strings.
		$string1 = { 2F 62 69 6E 2F 73 68 00 2F 74 6D 70 2F 6C 6F 67 69 6E }
		// Decoded: "/bin/sh" 00 "-c" 00 "exit 0" -- looks like sh -c argv material; confirm against a sample.
		$string2 = { 2F 62 69 6E 2F 73 68 00 2D 63 00 65 78 69 74 20 30 }
	condition:
		// ELF magic ("\x7fELF" read big-endian), size cap, and the first occurrence of
		// $string2 must start fewer than 3400 bytes after the first occurrence of $string1.
		// NOTE(review): the difference is a signed integer, so a $string2 that precedes
		// $string1 (negative result) also satisfies it; if either string is absent its
		// @-offset is undefined and, per YARA's undefined-value semantics, the whole
		// condition evaluates to false.
		uint32be(0) == 0x7f454c46 and filesize < 180KB and @string2 - @string1 < 3400
}
Details Yara rule 1
// Quad7 "FsyNet" components (node-r-control, asr_node, node-relay per the description):
// ELF files carrying the hop/relay configuration key names below. At least 6 of the 11
// strings are required, so the hop_* keys alone (8 strings) are already sufficient.
rule unk_Quad7_FsyNet_strings {
	meta:
		id = "897b2421-c177-48c0-8f5b-82d8434208cb"
		version = "1.0"
		malware = "FsyNet"
		intrusion_set = "Quad7 Botnet operators"
		description = "Matches node-r-control, asr_node, node-relay"
		source = "Sekoia.io"
		creation_date = "2024-08-20"
		classification = "TLP:GREEN"
		// Reference samples the rule was written against (MD5).
		hash = "f42849076e24b7827218f7a25bc11ccc"
		hash = "b3b09819f820a4ecd31f82f369000af2"
		hash = "92093dd7ba6ae8fe34a215c4c4bd1cd4"
		hash = "e6f6a6de285d7c2361c32b1f29a6c3f6"
		hash = "408152285671bbd0e6e63bd71d6abaaf"
		hash = "5efc7d824851be9ec90a97d889a40d23"
	strings:
		// Relay-chain configuration keys: previous/next/back hop and "tsn" endpoints, port then IP.
		$ = "prev_hop_port"
		$ = "next_hop_port"
		$ = "back_hop_port"
		$ = "next_tsn_port"
		$ = "prev_hop_ip"
		$ = "next_hop_ip"
		$ = "back_hop_ip"
		$ = "next_tsn_ip"
		$ = "ikcp_"        // function-name prefix of the KCP reliable-UDP library (ikcp_create, ikcp_send, ...)
		$ = "/tmp/log_r"   // path literal; presumably a log file, confirm against a sample
		$ = "total_hop"
	condition:
		// ELF magic ("\x7fELF" read big-endian), size cap, and 6 of the 11 strings.
		uint32be(0) == 0x7f454c46 and filesize < 5MB and 6 of them
}
Details Yara rule 1
// Quad7 "netd" binary: ELF matched on its data-file names, command-line flags and one
// error string. Four of the six strings are required, so the three generic-looking
// "--" flags alone are not enough to trigger the rule.
rule unk_Quad7_netd_strings {
	meta:
		id = "3f527f0e-c101-4356-9024-fc61aea644d1"
		version = "1.0"
		malware = "netd"
		intrusion_set = "Quad7 Botnet operators"
		description = "Matches netd binary"
		source = "Sekoia.io"
		creation_date = "2024-08-23"
		classification = "TLP:GREEN"
		// Reference samples the rule was written against (MD5).
		hash = "cdb37db4543dde5ca2bd98a43699828f"
		hash = "22633ef920f0093e3d720e7bbeb9fec8"
	strings:
		// Relative paths of the files the binary references (netd.dat / sys.dat also
		// appear as File attributes on this page).
		$ = "./netd.dat"
		$ = "./sys.dat"
		// Command-line option literals.
		$ = "--conf"
		$ = "--init"
		$ = "--nobg"
		$ = "Url is NULL."   // error-message literal, keep byte-exact (capitalised "Url", trailing period)
	condition:
		// ELF magic ("\x7fELF" read big-endian), tighter 1MB size cap, and 4 of the 6 strings.
		uint32be(0) == 0x7f454c46 and filesize < 1MB and 4 of them
}