Trend Micro analyzes Cyclops Blink, a modular botnet linked to Sandworm that targets ASUS routers (and WatchGuard Firebox devices) and lists more than 150 current and historical C2 servers. The report details the malware’s architecture, encryption, and persistence techniques, underscoring its sophistication and potential use as infrastructure for future high-value attacks. #CyclopsBlink #ASUS #WatchGuardFirebox #Sandworm #VPNFilter #OPCW
Keypoints
- Cyclops Blink is a modular botnet reportedly tied to the Sandworm (Voodoo Bear) APT group and has targeted both WatchGuard Firebox and ASUS routers.
- The Trend Micro analysis includes a variant that targets ASUS routers and a listing of over 150 C2 servers, intended to aid defenders in detection and remediation.
- The malware uses a core component with modular initialization and inter-process communication via pipes, and it hard-codes C2 IPs and ports.
- Encryption is performed with AES-256-CBC using a random key/IV and a hard-coded RSA-2560 public key, with data encrypted before sending to C2.
- C2 communication begins with a TLS handshake to a randomly chosen C2 server on one of the hard-coded ports; each message is then framed with a four-byte size field followed by the data.
- The ASUS module can read/write flash memory (/proc/mtd), enabling persistence that can survive factory resets and potentially brick parts of the device.
- The malware targets a broad set of IoT devices and appears designed to build a broader infrastructure for future attacks, not only high-value targets.
- Defensive guidance emphasizes strong authentication, restricting exposed services, VPN access, patching, and considering replacement of heavily compromised devices.
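The four-byte size framing described in the key points is the kind of thing an analyst has to parse when reassembling the post-TLS stream from an instrumented lab device. The following parser is an added example and is not code from the Trend Micro report; the report does not state the byte order of the size field, so big-endian is an assumption here, as is the maximum plausible frame size used to reject corrupt lengths. It handles the edge cases a capture usually contains: zero-length frames, a stream that ends mid-frame, and an implausible length that would otherwise cause a huge allocation.

```python
from typing import List, Tuple

# Assumption: upper bound on a sane frame; a length above this is treated as
# corruption (or a mis-assumed byte order) rather than trusted.
MAX_FRAME_LEN = 1 << 20


class FramingError(ValueError):
    """Raised when the size field cannot be trusted."""


def frame(payload: bytes, byteorder: str = "big") -> bytes:
    """Prefix payload with its four-byte length (byte order is an assumption)."""
    if len(payload) > 0xFFFFFFFF:
        raise FramingError("payload too large for a four-byte size field")
    return len(payload).to_bytes(4, byteorder) + payload


def parse_frames(stream: bytes, byteorder: str = "big") -> Tuple[List[bytes], bytes]:
    """Split a reassembled byte stream into complete frames.

    Returns (frames, leftover). A truncated trailing frame is returned as
    leftover instead of raising, because captures routinely end mid-message
    and the caller may append the next chunk and call again.
    """
    frames: List[bytes] = []
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 4], byteorder)
        if length > MAX_FRAME_LEN:
            raise FramingError(f"implausible frame length {length} at offset {pos}")
        if pos + 4 + length > len(stream):
            break  # incomplete frame: keep it as leftover for the next read
        frames.append(stream[pos + 4:pos + 4 + length])
        pos += 4 + length
    return frames, stream[pos:]


# Constructed sample stream (not a real capture): two complete frames, one of
# them empty, followed by a frame whose last two bytes have not arrived yet.
SAMPLE_STREAM = frame(b"hello") + frame(b"") + frame(b"world")[:-2]

if __name__ == "__main__":
    frames, leftover = parse_frames(SAMPLE_STREAM)
    print("frames:", frames)          # [b'hello', b'']
    print("leftover bytes:", len(leftover))  # 7 (4-byte size + 3 of 5 payload bytes)
```

Calling `parse_frames` again with `leftover + next_chunk` continues where the previous call stopped, which is the natural loop for feeding it from a socket or a pcap follow-stream export.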
MITRE Techniques
- [T1562.004] Impair Defenses: Modify Firewall – The malware creates and deletes firewall rules to control C2 traffic, using commands like 'iptables -D OUTPUT -p tcp --dport %d -j ACCEPT' and 'iptables -I OUTPUT -p tcp --dport %d -j ACCEPT'.
- [T1059.004] Unix Shell – The malware uses system() to execute Linux shell commands that alter firewall rules (e.g., iptables).
- [T1071.001] Web Protocols: HTTPS – Data is transferred to C2 servers over TLS/HTTPS after a TLS handshake with a C2 server.
- [T1082] System Information Discovery – The malware collects OS version, memory, storage, and key config files (uname, /etc/issue, /proc, etc.).
- [T1027] Obfuscated/Encrypted Data – Data is encrypted with AES-256-CBC and a hard-coded RSA-2560 public key before transmission.
- [T1041] Exfiltration Over C2 Channel – Encrypted data is sent to C2 servers via a TLS channel with a four-byte payload size protocol.
- [T1059.004] Unix Shell – The pipe-based IPC between the core and its modules, the spawning of child processes, and the four-byte-size write to the SSL socket are orchestrated through the shell and process controls described in the article.
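The iptables templates quoted under T1562.004 are a usable detection hook: on a Linux host or router with process auditing, an OUTPUT accept rule being inserted or deleted for one of the hard-coded C2 ports is a strong signal. The detector below is an added example, not code from the report; the log lines are constructed in a loosely auditd-like shape and are not real telemetry, and the port list is the one given in the indicators section.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Hard-coded C2 ports from the report's indicators of compromise.
CYCLOPS_BLINK_C2_PORTS = {636, 989, 990, 994, 995, 3269, 8443}

# Matches the two command templates quoted in the report
# ('iptables -I OUTPUT -p tcp --dport %d -j ACCEPT' and the matching -D).
IPTABLES_RULE_RE = re.compile(
    r"iptables\s+-(?P<action>[ID])\s+OUTPUT\s+-p\s+tcp\s+"
    r"--dport\s+(?P<port>\d{1,5})\s+-j\s+ACCEPT"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    action: str          # "insert" or "delete"
    port: int
    matches_c2_port: bool


def scan_shell_commands(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every iptables OUTPUT accept-rule change seen in the log."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = IPTABLES_RULE_RE.search(line)
        if not m:
            continue
        port = int(m.group("port"))
        findings.append(Finding(
            line_no=n,
            action="insert" if m.group("action") == "I" else "delete",
            port=port,
            matches_c2_port=port in CYCLOPS_BLINK_C2_PORTS,
        ))
    return findings


def suspicious(findings: Iterable[Finding]) -> List[Finding]:
    """Keep only rule changes that touch one of the hard-coded C2 ports."""
    return [f for f in findings if f.matches_c2_port]


# Constructed sample log (not real telemetry). Line 2 is a benign-looking
# rule for 443 and line 3 is unrelated; lines 1 and 4 match the report's
# insert/delete pattern on a hard-coded C2 port.
SAMPLE_LOG = [
    'type=EXECVE pid=811 comm=sh cmd="iptables -I OUTPUT -p tcp --dport 8443 -j ACCEPT"',
    'type=EXECVE pid=812 comm=sh cmd="iptables -I OUTPUT -p tcp --dport 443 -j ACCEPT"',
    'type=EXECVE pid=813 comm=sh cmd="ls -la /proc/mtd"',
    'type=EXECVE pid=814 comm=sh cmd="iptables -D OUTPUT -p tcp --dport 8443 -j ACCEPT"',
]

if __name__ == "__main__":
    for f in suspicious(scan_shell_commands(SAMPLE_LOG)):
        print(f"line {f.line_no}: iptables {f.action} OUTPUT accept for tcp/{f.port} "
              "(hard-coded C2 port)")
```

The insert-then-delete pair around a C2 session is itself a pattern worth alerting on, since legitimate administration rarely opens and closes an outbound accept rule for a single destination port within one session.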
Indicators of Compromise
- [IP] 8.8.8.8 – Google's public DNS resolver, used by the malware's DNS-over-HTTPS (DoH) functionality for name resolution; it is a legitimate service and not malicious on its own, so it is context for the DoH behaviour rather than an address to block.
- [Port] 636, 989, 990, 994, 995, 3269, 8443 – Hard-coded C2 ports used during TLS communications.
Read more: https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html