S0687 Cyclops Blink
Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small Office/Home Office (SOHO) network devices, including WatchGuard and Asus.[3][2][1]
Item | Value |
---|---|
ID | S0687 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 03 March 2022 |
Last Modified | 14 April 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Cyclops Blink can download files via HTTP and HTTPS.[3][1] |
enterprise | T1037 | Boot or Logon Initialization Scripts | - |
enterprise | T1037.004 | RC Scripts | Cyclops Blink has the ability to execute on device startup, using a modified RC script named S51armled.[3] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.002 | Non-Standard Encoding | Cyclops Blink can use a custom binary scheme to encode messages with specific commands and parameters to be executed.[3] |
enterprise | T1005 | Data from Local System | Cyclops Blink can upload files from a compromised host.[3] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Cyclops Blink can decrypt and parse instructions sent from C2.[3] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.002 | Asymmetric Cryptography | Cyclops Blink can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are also used to encrypt each message using a randomly generated key and IV, which are then encrypted using a hard-coded RSA public key.[3] |
enterprise | T1041 | Exfiltration Over C2 Channel | Cyclops Blink has the ability to upload exfiltrated files to a C2 server.[3] |
enterprise | T1083 | File and Directory Discovery | Cyclops Blink can use the Linux API statvfs to enumerate the current working directory.[3][1] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.004 | Disable or Modify System Firewall | Cyclops Blink can modify the Linux iptables firewall to enable C2 communication via a stored list of port numbers.[3][1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.006 | Timestomp | Cyclops Blink has the ability to use the Linux API function utime to change the timestamps of modified firmware update images.[3] |
enterprise | T1105 | Ingress Tool Transfer | Cyclops Blink has the ability to download files to target systems.[3][1] |
enterprise | T1559 | Inter-Process Communication | Cyclops Blink has the ability to create a pipe to enable inter-process communication.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Cyclops Blink can rename its running process to [kworker:0/1] to masquerade as a Linux kernel thread. Cyclops Blink has also named RC scripts used for persistence after WatchGuard artifacts.[3] |
enterprise | T1106 | Native API | Cyclops Blink can use various Linux API functions, including those for execution and discovery.[3] |
enterprise | T1571 | Non-Standard Port | Cyclops Blink can use non-standard ports for C2 that are not typically associated with HTTP or HTTPS traffic.[3] |
enterprise | T1542 | Pre-OS Boot | - |
enterprise | T1542.002 | Component Firmware | Cyclops Blink has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices.[3] |
enterprise | T1057 | Process Discovery | Cyclops Blink can enumerate the process it is currently running under.[3] |
enterprise | T1572 | Protocol Tunneling | Cyclops Blink can use DNS over HTTPS (DoH) to resolve C2 nodes.[1] |
enterprise | T1090 | Proxy | - |
enterprise | T1090.003 | Multi-hop Proxy | Cyclops Blink has used Tor nodes for C2 traffic.[2] |
enterprise | T1082 | System Information Discovery | Cyclops Blink has the ability to query device information.[3] |
enterprise | T1016 | System Network Configuration Discovery | Cyclops Blink can use the Linux API if_nameindex to gather network interface names.[3][1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0034 | Sandworm Team | [2][1] |
References
- [1] Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
- [2] NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.
- [3] NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.