Russia-linked Cyclops Blink botnet targeting ASUS routers

The recently discovered Cyclops Blink botnet, which is believed to be a replacement for the VPNFilter botnet, is now targeting the ASUS routers.

The recently discovered Cyclops Blink botnet is now targeting the ASUS routers, reports Trend Micro researchers.

The Cyclops Blink malware has been active since at least June 2019, it targets WatchGuard Firebox and other Small Office/Home Office (SOHO) network devices. According to WatchGuard, Cyclops Blink may have affected roughly 1% of all active WatchGuard firewall appliances.

In February, US and UK cybersecurity and law enforcement agencies published a joint security advisory about the Cyclops Blink bot that has been linked to the Russian-backed Sandworm APT group.

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.

Cyclops Blink is believed to be a replacement for the VPNFilter botnet, which was first exposed in 2018 and at the time was composed of more than 500,000 compromised routers and network-attached storage (NAS) devices.

“Our data also shows that although Cyclops Blink is a state-sponsored botnet, its C&C servers and bots affect WatchGuard Firebox and Asus devices that do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage.” reads the advisory published by TrendMicro. “Hence, we believe that it is possible that the Cyclops Blink botnet’s main purpose is to build an infrastructure for further attacks on high-value targets.”

Cyclops Blink is nation-state botnet with a modular architecture, it is written in the C language. Upon executing the core component, the malware first checks if its executable file name starts with “[k”. If it does not, it performs the following routine: 

1. It redirects both stdout and stderr file descriptors to /dev/null.
2. It sets the default handlers for SIGTERM, SIGINT, SIGBUS, SIGPIPE, and SIGIO signals.
3. It reloads itself with a new “[ktest]” process name.

Then the bot waits for 37 seconds before it sets up its hard-coded parameters, including the hard-coded C2 servers and the interval that should be used to communicate with them. 

For every hard-coded TCP port used to communicate with the C2 servers, the bot creates a rule in the Linux kernel firewall Netfilter.

Since June 2019, the malware indicted WatchGuard devices and Asus routers in many countries, including in the U.S., India, Italy, Canada, and Russia. Experts pointed out that these victims do not appear to be evidently valuable targets for either economic, military, or political espionage. Trend Micro observed that some of the live C&Cs are hosted on WatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe and a plumber in the United States. 

Experts warn of an increase of IoT attacks on a global scale, making internet routers one of the primary targets.

“Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do. The underlying operating systems for the majority of IoT devices is Linux, which is also used by many powerful systems tools. This can allow attackers to add anything else that they might need to complete their attacks.” concludes the report. “In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable C&C servers for other bots. “

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cyclops Blink)

[adrotate banner=”5″]

[adrotate banner=”13″]