CyclopsBlink (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

elf.cyclops_blink (Back to overview)

CyclopsBlink

According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard and ASUS devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.

References

2022-04-15 ⋅ splunk ⋅ Splunk Threat Research Team
STRT-TA03 CPE - Destructive Software
AcidRain CyclopsBlink

2022-04-11 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
CISA warns orgs of WatchGuard bug exploited by Russian state hackers
CyclopsBlink

2022-04-07 ⋅ InQuest ⋅ Nick Chalard, Will MacArthur
Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate

2022-04-06 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
US disrupts Russian Cyclops Blink botnet before being used in attacks
CyclopsBlink

2022-04-06 ⋅ US Department of Justice ⋅ Department of Justice
Attorney General Merrick B. Garland Announces Enforcement Actions to Disrupt and Prosecute Russian Criminal Activity (video)
CyclopsBlink

2022-04-06 ⋅ US Department of Justice ⋅ Department of Justice
EDCA Search Warrant Package (CyclopsBlink)
CyclopsBlink

2022-04-06 ⋅ US Department of Justice ⋅ Department of Justice
Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU)
CyclopsBlink

2022-03-21 ⋅ Github (trendmicro) ⋅ Trend Micro Research
Python script to check a Cyclops Blink C&C
CyclopsBlink

2022-03-18 ⋅ The Register ⋅ Jessica Lyons Hardcastle
Cyclops Blink malware sets up shop in ASUS routers
CyclopsBlink

2022-03-17 ⋅ Trendmicro ⋅ Feike Hacquebord, Fernando Mercês, Stephen Hilt
Cyclops Blink Sets Sights on Asus Routers
CyclopsBlink

2022-03-17 ⋅ Trendmicro ⋅ Feike Hacquebord, Fernando Mercês, Stephen Hilt
Cyclops Blink Sets Sights on Asus Routers (Appendix)
CyclopsBlink

2022-03-17 ⋅ Bleeping Computer ⋅ Bill Toulas
ASUS warns of Cyclops Blink malware attacks targeting routers
CyclopsBlink

2022-02-23 ⋅ CISA ⋅ CISA
Alert (AA22-054A) New Sandworm Malware Cyclops Blink Replaces VPNFilter
CyclopsBlink VPNFilter

2022-02-23 ⋅ The Shadowserver Foundation ⋅ Shadowserver Foundation
Shadowserver Special Reports – Cyclops Blink
CyclopsBlink

2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK
Sandworm Team
CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm

Yara Rules

[TLP:WHITE] elf_cyclops_blink_w0 (20220316 | Detects notable strings identified within the Cyclops Blink executable)

rule elf_cyclops_blink_w0 {
   meta:
      author = "NCSC"
      description = "Detects notable strings identified within the Cyclops Blink executable"
      hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
      hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
      reference = "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"
      date = "2022-02-23"
      malpedia_rule_date = "20220316"
      malpedia_hash = ""
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink"
      malpedia_version = "20220316"
      malpedia_license = "CC BY-NC-SA 4.0"
      malpedia_sharing = "TLP:WHITE"
   strings:
      // Process names masqueraded by implant
      $proc_name1 = "[kworker/0:1]"
      $proc_name2 = "[kworker/1:1]"
      // DNS query over SSL, used to resolve C2 server address
      $dns_query = "POST /dns-query HTTP/1.1\x0d\x0aHost: dns.google\x0d\x0a"
      // iptables commands
      $iptables1 = "iptables -I %s -p tcp --dport %d -j ACCEPT &>/dev/null"
      $iptables2 = "iptables -D %s -p tcp --dport %d -j ACCEPT &>/dev/null"
      // Format strings used for system recon
      $sys_recon1 = "{\"ver\":\"%x\",\"mods\";["
      $sys_recon2 = "uptime: %lu mem_size: %lu mem_free: %lu"
      $sys_recon3 = "disk_size: %lu disk_free: %lu"
      $sys_recon4 = "hw: %02x:%02x:%02x:%02x:%02x:%02x"
      // Format string for filepath used to test access to device filesystem
      $testpath = "%s/214688dsf46"
      // Format string for implant configuration filepath
      $confpath = "%s/rootfs_cfg"
      // Default file download path
      $downpath = "/var/tmp/a.tmp"
   condition:
      (uint32(0) == 0x464c457f) and (8 of them)
}

Download all Yara Rules

CyclopsBlink Propose Change

References

Yara Rules

CyclopsBlink