SYMBOLCOMMON_NAMEaka. SYNONYMS
elf.cyclops_blink (Back to overview)

CyclopsBlink


According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.

References
2022-04-15splunkSplunk Threat Research Team
@online{team:20220415:strtta03:9292c09, author = {Splunk Threat Research Team}, title = {{STRT-TA03 CPE - Destructive Software}}, date = {2022-04-15}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html}, language = {English}, urldate = {2022-04-29} } STRT-TA03 CPE - Destructive Software
AcidRain CyclopsBlink
2022-04-11Bleeping ComputerSergiu Gatlan
@online{gatlan:20220411:cisa:3a96fe3, author = {Sergiu Gatlan}, title = {{CISA warns orgs of WatchGuard bug exploited by Russian state hackers}}, date = {2022-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/}, language = {English}, urldate = {2022-05-04} } CISA warns orgs of WatchGuard bug exploited by Russian state hackers
CyclopsBlink
2022-04-07InQuestWill MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-04-06US Department of JusticeDepartment of Justice
@online{justice:20220406:attorney:9b39115, author = {Department of Justice}, title = {{Attorney General Merrick B. Garland Announces Enforcement Actions to Disrupt and Prosecute Russian Criminal Activity (video)}}, date = {2022-04-06}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/video/attorney-general-merrick-b-garland-announces-enforcement-actions-disrupt-and-prosecute}, language = {English}, urldate = {2022-05-05} } Attorney General Merrick B. Garland Announces Enforcement Actions to Disrupt and Prosecute Russian Criminal Activity (video)
CyclopsBlink
2022-04-06Bleeping ComputerSergiu Gatlan
@online{gatlan:20220406:us:25e5e8b, author = {Sergiu Gatlan}, title = {{US disrupts Russian Cyclops Blink botnet before being used in attacks}}, date = {2022-04-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/}, language = {English}, urldate = {2022-04-07} } US disrupts Russian Cyclops Blink botnet before being used in attacks
CyclopsBlink
2022-04-06US Department of JusticeDepartment of Justice
@online{justice:20220406:justice:69ca499, author = {Department of Justice}, title = {{Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU)}}, date = {2022-04-06}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation}, language = {English}, urldate = {2022-05-05} } Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU)
CyclopsBlink
2022-04-06US Department of JusticeDepartment of Justice
@online{justice:20220406:edca:290419e, author = {Department of Justice}, title = {{EDCA Search Warrant Package (CyclopsBlink)}}, date = {2022-04-06}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/press-release/file/1491281/download}, language = {English}, urldate = {2022-05-05} } EDCA Search Warrant Package (CyclopsBlink)
CyclopsBlink
2022-03-21Github (trendmicro)Trend Micro Research
@online{research:20220321:python:7dbe8dd, author = {Trend Micro Research}, title = {{Python script to check a Cyclops Blink C&C}}, date = {2022-03-21}, organization = {Github (trendmicro)}, url = {https://github.com/trendmicro/research/blob/main/cyclops_blink/c2-scripts/check.py}, language = {English}, urldate = {2022-03-28} } Python script to check a Cyclops Blink C&C
CyclopsBlink
2022-03-18The RegisterJessica Lyons Hardcastle
@online{hardcastle:20220318:cyclops:5a6072d, author = {Jessica Lyons Hardcastle}, title = {{Cyclops Blink malware sets up shop in ASUS routers}}, date = {2022-03-18}, organization = {The Register}, url = {https://www.theregister.com/2022/03/18/cyclops_asus_routers/}, language = {English}, urldate = {2022-03-22} } Cyclops Blink malware sets up shop in ASUS routers
CyclopsBlink
2022-03-17TrendmicroFeike Hacquebord, Stephen Hilt, Fernando Mercês
@online{hacquebord:20220317:cyclops:14c374f, author = {Feike Hacquebord and Stephen Hilt and Fernando Mercês}, title = {{Cyclops Blink Sets Sights on Asus Routers}}, date = {2022-03-17}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html}, language = {English}, urldate = {2022-03-17} } Cyclops Blink Sets Sights on Asus Routers
CyclopsBlink
2022-03-17TrendmicroFeike Hacquebord, Stephen Hilt, Fernando Mercês
@techreport{hacquebord:20220317:cyclops:dea832b, author = {Feike Hacquebord and Stephen Hilt and Fernando Mercês}, title = {{Cyclops Blink Sets Sights on Asus Routers (Appendix)}}, date = {2022-03-17}, institution = {Trendmicro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf}, language = {English}, urldate = {2022-03-17} } Cyclops Blink Sets Sights on Asus Routers (Appendix)
CyclopsBlink
2022-03-17Bleeping ComputerBill Toulas
@online{toulas:20220317:asus:8db90f6, author = {Bill Toulas}, title = {{ASUS warns of Cyclops Blink malware attacks targeting routers}}, date = {2022-03-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/}, language = {English}, urldate = {2022-03-22} } ASUS warns of Cyclops Blink malware attacks targeting routers
CyclopsBlink
2022-02-23The Shadowserver FoundationShadowserver Foundation
@online{foundation:20220223:shadowserver:39a0ab3, author = {Shadowserver Foundation}, title = {{Shadowserver Special Reports – Cyclops Blink}}, date = {2022-02-23}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/}, language = {English}, urldate = {2022-05-05} } Shadowserver Special Reports – Cyclops Blink
CyclopsBlink
2022-02-23CISACISA
@online{cisa:20220223:alert:3e2924e, author = {CISA}, title = {{Alert (AA22-054A) New Sandworm Malware Cyclops Blink Replaces VPNFilter}}, date = {2022-02-23}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-054a}, language = {English}, urldate = {2022-02-26} } Alert (AA22-054A) New Sandworm Malware Cyclops Blink Replaces VPNFilter
CyclopsBlink VPNFilter
Yara Rules
[TLP:WHITE] elf_cyclops_blink_w0 (20220316 | Detects notable strings identified within the Cyclops Blink executable)
rule elf_cyclops_blink_w0 {
   meta:
      author = "NCSC"
      description = "Detects notable strings identified within the Cyclops Blink executable"
      hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
      hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
      reference = "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"
      date = "2022-02-23"
      malpedia_rule_date = "20220316"
      malpedia_hash = ""
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink"
      malpedia_version = "20220316"
      malpedia_license = "CC BY-NC-SA 4.0"
      malpedia_sharing = "TLP:WHITE"
   strings:
      // Process names masqueraded by implant
      $proc_name1 = "[kworker/0:1]"
      $proc_name2 = "[kworker/1:1]"
      // DNS query over SSL, used to resolve C2 server address
      $dns_query = "POST /dns-query HTTP/1.1\x0d\x0aHost: dns.google\x0d\x0a"
      // iptables commands
      $iptables1 = "iptables -I %s -p tcp --dport %d -j ACCEPT &>/dev/null"
      $iptables2 = "iptables -D %s -p tcp --dport %d -j ACCEPT &>/dev/null"
      // Format strings used for system recon
      $sys_recon1 = "{\"ver\":\"%x\",\"mods\";["
      $sys_recon2 = "uptime: %lu mem_size: %lu mem_free: %lu"
      $sys_recon3 = "disk_size: %lu disk_free: %lu"
      $sys_recon4 = "hw: %02x:%02x:%02x:%02x:%02x:%02x"
      // Format string for filepath used to test access to device filesystem
      $testpath = "%s/214688dsf46"
      // Format string for implant configuration filepath
      $confpath = "%s/rootfs_cfg"
      // Default file download path
      $downpath = "/var/tmp/a.tmp"
   condition:
      (uint32(0) == 0x464c457f) and (8 of them)
}
Download all Yara Rules