
Russia-linked Cyclops Blink botnet targeting ASUS routers

The recently discovered Cyclops Blink botnet, believed to be a replacement for the VPNFilter botnet, is now targeting ASUS routers.

The recently discovered Cyclops Blink botnet is now targeting ASUS routers, Trend Micro researchers report.

The Cyclops Blink malware has been active since at least June 2019 and targets WatchGuard Firebox and other Small Office/Home Office (SOHO) network devices. According to WatchGuard, Cyclops Blink may have affected roughly 1% of all active WatchGuard firewall appliances.

In February, US and UK cybersecurity and law enforcement agencies published a joint security advisory about the Cyclops Blink bot that has been linked to the Russian-backed Sandworm APT group.

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000 and operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions of dollars in damage.

Cyclops Blink is believed to be a replacement for the VPNFilter botnet, which was first exposed in 2018 and at the time was composed of more than 500,000 compromised routers and network-attached storage (NAS) devices.

“Our data also shows that although Cyclops Blink is a state-sponsored botnet, its C&C servers and bots affect WatchGuard Firebox and Asus devices that do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage.” reads the advisory published by TrendMicro. “Hence, we believe that it is possible that the Cyclops Blink botnet’s main purpose is to build an infrastructure for further attacks on high-value targets.”

Cyclops Blink is a nation-state botnet with a modular architecture, written in the C language. Upon executing the core component, the malware first checks whether its executable file name starts with “[k”. If it does not, it performs the following routine:

  1. It redirects both stdout and stderr file descriptors to /dev/null.
  2. It sets the default handlers for SIGTERM, SIGINT, SIGBUS, SIGPIPE, and SIGIO signals.
  3. It reloads itself with a new “[ktest]” process name.

The bot then waits 37 seconds before setting up its hard-coded parameters, including the hard-coded C2 servers and the interval at which it should contact them.

For every hard-coded TCP port used to communicate with the C2 servers, the bot creates a rule in Netfilter, the Linux kernel firewall.
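The startup routine above gives defenders a cheap host-side check: a genuine kernel thread never has brackets in its own name (ps adds them for display) and has no readable executable behind it, whereas a process that renamed itself “[ktest]” still does. The following triage script is an added example, not code from the article or from Trend Micro; the record layout, the `from_proc` helper for live Linux hosts and the sample records (including the made-up path `/tmp/.cb/core`) are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional
import os

@dataclass
class ProcRecord:
    pid: int
    comm: str                 # /proc/<pid>/comm
    exe: Optional[str]        # /proc/<pid>/exe target; None when unreadable (true kernel thread)
    cmdline: List[str]        # argv from /proc/<pid>/cmdline; empty for kernel threads
    fds: Dict[int, str] = field(default_factory=dict)  # fd number -> link target

def _bracketed(name: str) -> bool:
    # Kernel threads never carry brackets in comm; ps adds them for display only.
    return name.startswith("[") and name.endswith("]")

def suspicious_reasons(p: ProcRecord) -> List[str]:
    """Why a process looks like a user-space binary posing as a kernel thread."""
    reasons = []
    if _bracketed(p.comm) or (p.cmdline and _bracketed(p.cmdline[0])):
        reasons.append("bracketed name, which only ps adds for real kernel threads")
        if p.exe is not None:
            reasons.append(f"backed by user-space executable {p.exe}")
        # Corroborating sign from the report: stdout and stderr sent to /dev/null.
        if p.fds.get(1) == "/dev/null" and p.fds.get(2) == "/dev/null":
            reasons.append("stdout and stderr redirected to /dev/null")
    return reasons

def triage(records: List[ProcRecord]) -> List[tuple]:
    return [(p.pid, r) for p in records if (r := suspicious_reasons(p))]

def _link(path: str) -> Optional[str]:
    try:
        return os.readlink(path)
    except OSError:
        return None
def from_proc(pid: int) -> ProcRecord:
    # Build a record from a live Linux /proc entry (needs read access to that pid).
    base = f"/proc/{pid}"
    comm = Path(f"{base}/comm").read_text().strip()
    raw = Path(f"{base}/cmdline").read_bytes()
    cmdline = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
    fds = {fd: t for fd in (1, 2) if (t := _link(f"{base}/fd/{fd}")) is not None}
    return ProcRecord(pid, comm, _link(f"{base}/exe"), cmdline, fds)

# Constructed sample (not real observations): a kernel thread, a process named like "[ktest]", a daemon.
SAMPLE = [
    ProcRecord(2, "kthreadd", None, []),
    ProcRecord(4321, "[ktest]", "/tmp/.cb/core", ["[ktest]"], {1: "/dev/null", 2: "/dev/null"}),
    ProcRecord(1000, "sshd", "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"], {1: "/dev/null", 2: "/dev/null"}),
]
```

On a live host, `triage([from_proc(int(d)) for d in os.listdir("/proc") if d.isdigit()])` applies the same check to every process; the /dev/null redirection alone is common for daemons and is only reported as corroboration once the name check fires.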

Since June 2019, the malware has infected WatchGuard devices and Asus routers in many countries, including the U.S., India, Italy, Canada, and Russia. Experts pointed out that these victims do not appear to be evidently valuable targets for economic, military, or political espionage. Trend Micro observed that some of the live C&Cs are hosted on WatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe, and a plumber in the United States.

Experts warn of an increase of IoT attacks on a global scale, making internet routers one of the primary targets.

“Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do. The underlying operating systems for the majority of IoT devices is Linux, which is also used by many powerful systems tools. This can allow attackers to add anything else that they might need to complete their attacks,” concludes the report. “In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable C&C servers for other bots.”


Pierluigi Paganini

(SecurityAffairs – hacking, Cyclops Blink)
