The Cyclops Blink Botnet
A new report by Trend Micro has revealed that the Cyclops Blink botnet is targeting ASUS routers.
According to the research, the complex modular botnet, which is written in the C programming language, affects a variety of ASUS router models. ASUS has stated that it is working on a patch to address any potential exploitation.
Beyond utilizing OpenSSL to encrypt communications with its command and control (C2) servers, Cyclops Blink incorporates specialized modules that can read and write from the devices’ flash memory, allowing it to gain persistence and to withstand factory resets.
A second reconnaissance module acts as a conduit for exfiltrating information from the compromised device back to the C2 server, while a file download component is in charge of collecting arbitrary payloads, which can be retrieved either via HTTP or HTTPS, depending on the configuration.
Trend Micro has warned that the active incorporation of Internet of Things devices and routers, which have become a profitable attack surface as a result of infrequent patching and the absence of security software, might result in the establishment of “eternal botnets.”
Researchers explained that after an IoT device has been infected with malware, an attacker will have unrestricted internet access, which will allow him or her to download and deploy other stages of malware for reconnaissance, espionage, proxying, or whatever else the attacker desires.
Cyclops Blink is a nascent botnet, the main purpose of which is to create an infrastructure for future attacks on high-value targets. Last month, this threat was reported abusing WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks.
Since June 2019, the malware has been reported to have affected WatchGuard devices and ASUS routers in the United States, India, Italy, Canada, and Russia, among other countries. Infected hosts include a law office in Europe, a medium-sized corporation supplying medical equipment for dentists in Southern Europe, and a plumbing company in the United States.
Intelligence agencies in several countries, including the United Kingdom and the United States, have identified Cyclops Blink as a replacement framework for VPNFilter, another malware family that has taken advantage of network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices. Given that none of the infected hosts belong to critical organizations, or to organizations with obvious value for economic, political, or military espionage, everything points to the malware simply laying the groundwork for further attack actions.
Both Cyclops Blink and VPNFilter have been linked to Sandworm (also known as Voodoo Bear). Sandworm is a Russian state-sponsored actor who has been linked to a number of high-profile intrusions, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games.