elf.cyclops_blink

CyclopsBlink


According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard and ASUS devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.

References
2022-04-15 | Splunk | Splunk Threat Research Team
STRT-TA03 CPE - Destructive Software
AcidRain, CyclopsBlink
2022-04-11 | Bleeping Computer | Sergiu Gatlan
CISA warns orgs of WatchGuard bug exploited by Russian state hackers
CyclopsBlink
2022-04-07 | InQuest | Nick Chalard, Will MacArthur
Ukraine CyberWar Overview
CyclopsBlink, Cobalt Strike, GraphSteel, GrimPlant, HermeticWiper, HermeticWizard, MicroBackdoor, PartyTicket, Saint Bot, Scieron, WhisperGate
2022-04-06 | Bleeping Computer | Sergiu Gatlan
US disrupts Russian Cyclops Blink botnet before being used in attacks
CyclopsBlink
2022-04-06 | US Department of Justice | Department of Justice
Attorney General Merrick B. Garland Announces Enforcement Actions to Disrupt and Prosecute Russian Criminal Activity (video)
CyclopsBlink
2022-04-06 | US Department of Justice | Department of Justice
EDCA Search Warrant Package (CyclopsBlink)
CyclopsBlink
2022-04-06 | US Department of Justice | Department of Justice
Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU)
CyclopsBlink
2022-03-21 | Github (trendmicro) | Trend Micro Research
Python script to check a Cyclops Blink C&C
CyclopsBlink
2022-03-18 | The Register | Jessica Lyons Hardcastle
Cyclops Blink malware sets up shop in ASUS routers
CyclopsBlink
2022-03-17 | Trendmicro | Feike Hacquebord, Fernando Mercês, Stephen Hilt
Cyclops Blink Sets Sights on Asus Routers
CyclopsBlink
2022-03-17 | Trendmicro | Feike Hacquebord, Fernando Mercês, Stephen Hilt
Cyclops Blink Sets Sights on Asus Routers (Appendix)
CyclopsBlink
2022-03-17 | Bleeping Computer | Bill Toulas
ASUS warns of Cyclops Blink malware attacks targeting routers
CyclopsBlink
2022-02-23 | CISA | CISA
Alert (AA22-054A) New Sandworm Malware Cyclops Blink Replaces VPNFilter
CyclopsBlink, VPNFilter
2022-02-23 | The Shadowserver Foundation | Shadowserver Foundation
Shadowserver Special Reports – Cyclops Blink
CyclopsBlink
2017-05-31 | MITRE | MITRE ATT&CK
Sandworm Team
CyclopsBlink, Exaramel, BlackEnergy, EternalPetya, Exaramel, GreyEnergy, KillDisk, MimiKatz, Olympic Destroyer, Sandworm
Yara Rules
[TLP:WHITE] elf_cyclops_blink_w0 (20220316 | Detects notable strings identified within the Cyclops Blink executable)
rule elf_cyclops_blink_w0 {
   meta:
      author = "NCSC"
      description = "Detects notable strings identified within the Cyclops Blink executable"
      hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
      hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
      reference = "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"
      date = "2022-02-23"
      malpedia_rule_date = "20220316"
      malpedia_hash = ""
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink"
      malpedia_version = "20220316"
      malpedia_license = "CC BY-NC-SA 4.0"
      malpedia_sharing = "TLP:WHITE"
   strings:
      // Process names masqueraded by implant
      $proc_name1 = "[kworker/0:1]"
      $proc_name2 = "[kworker/1:1]"
      // DNS query over SSL, used to resolve C2 server address
      $dns_query = "POST /dns-query HTTP/1.1\x0d\x0aHost: dns.google\x0d\x0a"
      // iptables commands
      $iptables1 = "iptables -I %s -p tcp --dport %d -j ACCEPT &>/dev/null"
      $iptables2 = "iptables -D %s -p tcp --dport %d -j ACCEPT &>/dev/null"
      // Format strings used for system recon
      $sys_recon1 = "{\"ver\":\"%x\",\"mods\";["
      $sys_recon2 = "uptime: %lu mem_size: %lu mem_free: %lu"
      $sys_recon3 = "disk_size: %lu disk_free: %lu"
      $sys_recon4 = "hw: %02x:%02x:%02x:%02x:%02x:%02x"
      // Format string for filepath used to test access to device filesystem
      $testpath = "%s/214688dsf46"
      // Format string for implant configuration filepath
      $confpath = "%s/rootfs_cfg"
      // Default file download path
      $downpath = "/var/tmp/a.tmp"
   condition:
      (uint32(0) == 0x464c457f) and (8 of them)
}
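The rule above fires only when a file starts with the ELF magic and at least 8 of its 12 indicator strings appear in plaintext. The following is an added example, not NCSC or Malpedia code: a pure-Python re-implementation of that condition, so the rule's logic can be exercised and triaged against files without yara-python installed. The indicator strings are copied verbatim from the rule (including the `"mods";[` semicolon, which is how the string appears in the rule); the test blobs are constructed here and are not real Cyclops Blink samples.

```python
import struct
import sys

# Indicator strings copied from the NCSC rule elf_cyclops_blink_w0 (bytes, so
# the \x0d\x0a in the DoH request and the fixed-width format strings match exactly).
CYCLOPS_BLINK_STRINGS = {
    "proc_name1": b"[kworker/0:1]",
    "proc_name2": b"[kworker/1:1]",
    "dns_query": b"POST /dns-query HTTP/1.1\x0d\x0aHost: dns.google\x0d\x0a",
    "iptables1": b"iptables -I %s -p tcp --dport %d -j ACCEPT &>/dev/null",
    "iptables2": b"iptables -D %s -p tcp --dport %d -j ACCEPT &>/dev/null",
    "sys_recon1": b'{"ver":"%x","mods";[',  # semicolon kept as in the rule
    "sys_recon2": b"uptime: %lu mem_size: %lu mem_free: %lu",
    "sys_recon3": b"disk_size: %lu disk_free: %lu",
    "sys_recon4": b"hw: %02x:%02x:%02x:%02x:%02x:%02x",
    "testpath": b"%s/214688dsf46",
    "confpath": b"%s/rootfs_cfg",
    "downpath": b"/var/tmp/a.tmp",
}
MIN_MATCHES = 8            # the rule's "8 of them"
ELF_MAGIC = b"\x7fELF"     # 7f 45 4c 46 on disk


def is_elf(data: bytes) -> bool:
    """YARA's uint32(0) reads little-endian, so 0x464c457f is the bytes 7f 45 4c 46."""
    return len(data) >= 4 and struct.unpack("<I", data[:4])[0] == 0x464C457F


def matching_strings(data: bytes) -> list:
    """Names of the rule's strings found anywhere in data, sorted for stable output."""
    return sorted(name for name, needle in CYCLOPS_BLINK_STRINGS.items() if needle in data)


def rule_matches(data: bytes) -> bool:
    """Equivalent of the rule condition: ELF magic AND at least 8 of the strings."""
    return is_elf(data) and len(matching_strings(data)) >= MIN_MATCHES


def scan_file(path: str) -> dict:
    """Triage helper: read a file and report the verdict plus which strings hit."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = matching_strings(data)
    return {"path": path, "elf": is_elf(data), "hits": hits, "match": rule_matches(data)}


def build_sample(names, elf: bool = True) -> bytes:
    """Constructed test blob (NOT a real sample): a 16-byte fake header followed by
    the chosen indicator strings, NUL-separated so strings cannot run together."""
    header = (ELF_MAGIC if elf else b"MZ\x90\x00") + b"\x00" * 12
    return header + b"\x00".join(CYCLOPS_BLINK_STRINGS[n] for n in names) + b"\x00"


if __name__ == "__main__":
    # Scan any files given on the command line; otherwise self-check on constructed blobs.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(scan_file(p))
    else:
        every = list(CYCLOPS_BLINK_STRINGS)
        print("all strings, ELF      ->", rule_matches(build_sample(every)))
        print("7 strings, ELF        ->", rule_matches(build_sample(every[:7])))
        print("all strings, not ELF  ->", rule_matches(build_sample(every, elf=False)))
```

The second and third self-checks are the cases worth remembering: a binary that carries seven of the strings, or a non-ELF wrapper around the same payload, is not flagged, and a packed or string-encrypted build would defeat this rule entirely. Treat a hit as a strong lead and a miss as no information; for production scanning run the rule itself in YARA rather than this harness.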