With additional insights from Philippe Z Lin
Cyclops Blink, an advanced modular botnet that is reportedly linked to the Sandworm or Voodoo Bear advanced persistent threat (APT) group, has recently been used to target WatchGuard Firebox devices according to an analysis performed by the UK's National Cyber Security Centre (NCSC). We acquired a variant of the Cyclops Blink malware family that targets Asus routers. This report discusses the technical capabilities of this Cyclops Blink malware variant and includes a list of more than 150 current and historical command-and-control (C&C) servers of the Cyclops Blink botnet. This list aims to aid cybersecurity defenders in searching for affected devices in their networks and starting the remediation process.
Our data also shows that although Cyclops Blink is a state-sponsored botnet, its C&C servers and bots affect WatchGuard Firebox and Asus devices that do not belong to critical organizations or to targets with any evident economic, political, or military espionage value. Hence, we believe it is possible that the Cyclops Blink botnet's main purpose is to build an infrastructure for further attacks on high-value targets. Cyclops Blink has been around since at least June 2019, and a considerable number of its C&C servers and bots have been active for up to about three years.
Both Cyclops Blink and the VPNFilter internet of things (IoT) botnet have been attributed to the Sandworm APT group. VPNFilter, first discovered in 2018, targeted router and storage devices and was reported to have infected hundreds of thousands of devices. In 2021, Trend Micro published a technical analysis of VPNFilter, which includes a discussion of how the botnet continued to affect infected systems two years after its discovery. Sandworm was also responsible for many high-profile attacks, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, the 2017 attack on the French presidential campaign, the 2018 Olympic Destroyer attack on the Winter Olympic Games, and a 2018 operation against the Organization for the Prohibition of Chemical Weapons (OPCW).
Cyclops Blink malware analysis
Cyclops Blink is a modular malware written in the C language. The first thing its core component does is check whether its executable file name starts with "[k". If it does not, it performs the following routine:
It then waits for 37 seconds before it sets up its hard-coded parameters. These include the hard-coded C&C servers and the interval that should be used to communicate with the C&C servers.
It also creates a pipe for inter-process communication (IPC) by calling the pipe() function, which returns two file descriptors, one for reading and one for writing. It then switches the writing file descriptor to non-blocking I/O using ioctl().
After this, a new data packet will be created in memory, which will then be sent to a C&C server. The details of this communication are covered later in this analysis.
For every hard-coded TCP port used to communicate with the C&C servers, the malware creates a rule in Netfilter, the Linux kernel firewall, using the iptc_insert_entry() function from libiptc to allow outbound communication to that port. The rules have the following parameters:
Destination ports: 636, 994, and 995
For an unknown reason, the malware then deletes the aforementioned rules and creates them again, this time by running the iptables command through the system() function. The commands are as follows:
iptables -D OUTPUT -p tcp --dport %d -j ACCEPT
iptables -I OUTPUT -p tcp --dport %d -j ACCEPT
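The OUTPUT rules above are something a defender can look for on a suspect router. The following is an added triage example, not code from the malware or from Trend Micro: it parses rule lines in the form produced by `iptables -S OUTPUT` and flags TCP ACCEPT rules in the OUTPUT chain whose destination port is one of the three hard-coded C&C ports. The sample dump is constructed for the example, and the function and constant names are ours.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The three C&C ports named in the analysis. */
static const int CYCLOPS_PORTS[] = {636, 994, 995};

/* Parse one rule in `iptables -S` form, for example
 *   "-A OUTPUT -p tcp -m tcp --dport 636 -j ACCEPT"
 * Return the dport when the line is an OUTPUT / tcp / ACCEPT rule whose
 * port is one of CYCLOPS_PORTS; return 0 for anything else. */
int cyclops_port_rule(const char *line)
{
    char buf[512];
    char *save = NULL, *tok;
    int tcp = 0, accept = 0, dport = 0;

    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    /* Rule lines start with -A (append) or -I (insert) and the chain name. */
    tok = strtok_r(buf, " \t\r\n", &save);
    if (!tok || (strcmp(tok, "-A") != 0 && strcmp(tok, "-I") != 0))
        return 0;
    tok = strtok_r(NULL, " \t\r\n", &save);
    if (!tok || strcmp(tok, "OUTPUT") != 0)
        return 0;

    /* Walk the remaining "-flag value" pairs we care about. */
    while ((tok = strtok_r(NULL, " \t\r\n", &save)) != NULL) {
        if (strcmp(tok, "-p") == 0) {
            tok = strtok_r(NULL, " \t\r\n", &save);
            if (tok && strcmp(tok, "tcp") == 0) tcp = 1;
        } else if (strcmp(tok, "--dport") == 0) {
            tok = strtok_r(NULL, " \t\r\n", &save);
            if (tok) dport = atoi(tok);
        } else if (strcmp(tok, "-j") == 0) {
            tok = strtok_r(NULL, " \t\r\n", &save);
            if (tok && strcmp(tok, "ACCEPT") == 0) accept = 1;
        }
    }
    if (!tcp || !accept)
        return 0;
    for (size_t i = 0; i < sizeof CYCLOPS_PORTS / sizeof CYCLOPS_PORTS[0]; i++)
        if (dport == CYCLOPS_PORTS[i])
            return dport;
    return 0;
}

/* Scan a whole newline-separated dump; return the number of matching rules. */
int count_cyclops_rules(const char *dump)
{
    int hits = 0;
    const char *p = dump;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (cyclops_port_rule(line))
            hits++;
        p = nl ? nl + 1 : p + len;
    }
    return hits;
}

/* Constructed sample of `iptables -S OUTPUT` output; not from a real device.
 * Three of these lines match the pattern the analysis describes. */
static const char SAMPLE_DUMP[] =
    "-P OUTPUT ACCEPT\n"
    "-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT\n"
    "-A OUTPUT -p tcp -m tcp --dport 636 -j ACCEPT\n"
    "-A OUTPUT -p tcp -m tcp --dport 994 -j ACCEPT\n"
    "-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT\n"
    "-A OUTPUT -p udp -m udp --dport 636 -j ACCEPT\n"
    "-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT\n";

int main(void)
{
    printf("%d suspicious OUTPUT rules\n", count_cyclops_rules(SAMPLE_DUMP));
    return 0;
}
```

On a real device you would feed the output of `iptables -S OUTPUT` to `count_cyclops_rules()` instead of the sample. Treat a hit as a lead, not proof: 636, 994, and 995 are legitimate LDAPS, IMAPS, and POP3S ports, so a rule for one of them could have been added for a benign reason. Explicit per-port ACCEPT rules in OUTPUT on a router that otherwise allows all outbound traffic are still unusual enough to warrant a closer look.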
The OpenSSL library is then initialized, and the core component proceeds to initialize the hard-coded modules. Communication with the modules is performed via pipes: for each hard-coded module, the core creates two pipes before executing the module in its own child process.
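To make the core-to-module plumbing concrete, here is an added illustration of the pattern the analysis describes, written for this page and not taken from the malware: two pipes per module (core to module, module to core), the core's writing descriptor switched to non-blocking with ioctl(), and the module run in a forked child. The page does not name the ioctl request the malware uses; FIONBIO, used here, is an assumption based on what that call normally looks like. The module body is a made-up stand-in that upper-cases whatever it receives, and the struct and function names are ours.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/wait.h>

/* One module's end of the IPC: its pid plus the two descriptors the core keeps. */
struct module_chan {
    pid_t pid;
    int to_mod;    /* write end of the core -> module pipe */
    int from_mod;  /* read end of the module -> core pipe  */
};

/* Stand-in module body (not a real Cyclops Blink module): read one request
 * from the core, reply with it upper-cased, then exit. */
static void module_main(int in_fd, int out_fd)
{
    char buf[256];
    ssize_t n = read(in_fd, buf, sizeof buf);
    if (n <= 0)
        _exit(1);
    for (ssize_t i = 0; i < n; i++)
        buf[i] = (char)toupper((unsigned char)buf[i]);
    if (write(out_fd, buf, (size_t)n) != n)
        _exit(1);
    _exit(0);
}

/* Create both pipes, make the core's write end non-blocking, fork the module. */
int spawn_module(struct module_chan *ch)
{
    int core_to_mod[2], mod_to_core[2];
    int on = 1;

    if (pipe(core_to_mod) < 0 || pipe(mod_to_core) < 0)
        return -1;
    /* Non-blocking write end: a stalled module cannot wedge the core on write().
     * FIONBIO is our assumption for the request the malware passes to ioctl(). */
    if (ioctl(core_to_mod[1], FIONBIO, &on) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child keeps only the ends it needs, then becomes the module. */
        close(core_to_mod[1]);
        close(mod_to_core[0]);
        module_main(core_to_mod[0], mod_to_core[1]);
    }
    /* Parent keeps the other two ends. */
    close(core_to_mod[0]);
    close(mod_to_core[1]);
    ch->pid = pid;
    ch->to_mod = core_to_mod[1];
    ch->from_mod = mod_to_core[0];
    return 0;
}

/* Send a request down one pipe and read the reply from the other.
 * Returns the reply length, or -1 on error. */
ssize_t module_roundtrip(struct module_chan *ch, const char *req,
                         char *reply, size_t reply_sz)
{
    size_t len = strlen(req);
    if (write(ch->to_mod, req, len) != (ssize_t)len)
        return -1;
    ssize_t n = read(ch->from_mod, reply, reply_sz - 1);
    if (n < 0)
        return -1;
    reply[n] = '\0';
    return n;
}

/* Close both descriptors and reap the child; returns its exit status. */
int close_module(struct module_chan *ch)
{
    int status = 0;
    close(ch->to_mod);
    close(ch->from_mod);
    waitpid(ch->pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    struct module_chan ch;
    char reply[256];
    if (spawn_module(&ch) < 0)
        return 1;
    if (module_roundtrip(&ch, "hello module", reply, sizeof reply) < 0)
        return 1;
    printf("module replied: %s\n", reply);
    return close_module(&ch);
}
```

The point worth noticing for analysis is the descriptor layout: after the fork, the core holds exactly one write end and one read end per module, which is what you would expect to see in /proc/PID/fd of the core process on an infected device, one such pair for each module it started.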