
Cyclops Blink malware sets up shop in ASUS routers

Cyclops Blink malware has infected ASUS routers in what Trend Micro threat researchers say looks like an attempt to turn infected devices into command-and-control servers for future attacks.

ASUS says it’s working on a remediation for Cyclops Blink and will post software updates as they become available. The hardware maker also recommends users either install the latest firmware on their devices or disable remote access from the WAN and reset the routers to default settings to avoid being compromised.

The new modular botnet has ties to Kremlin-backed Sandworm, the Russian military intelligence (GRU) unit behind the nasty VPNFilter malware in 2018 that targeted routers and network storage devices, as well as several high-profile attacks including the 2015 and 2016 attacks on Ukraine's electrical grid, NotPetya in 2017 and the French presidential campaign email leak that same year.

Trend Micro’s warning follows a joint advisory last month from the FBI, CISA, the US Department of Justice and the UK National Cyber Security Centre about Cyclops Blink, which the federal agencies said looked to be Sandworm’s replacement for VPNFilter. At the time, the botnet had its sights set on WatchGuard firewall appliances.

“Our data also shows that although Cyclops Blink is a state-sponsored botnet, its C&C servers and bots affect WatchGuard Firebox and Asus devices that do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage,” Trend Micro said. “Hence, we believe that it is possible that the Cyclops Blink botnet’s main purpose is to build an infrastructure for further attacks on high-value targets.”

And while Cyclops Blink has so far been found on devices from these two hardware providers, "we have evidence that the routers of at least one vendor other than Asus and WatchGuard are connecting to Cyclops Blink C&Cs as well, but so far we have been unable to collect malware samples for this router brand," the security shop said.

According to Trend Micro's Cyclops Blink analysis, the modular bot, written in C, first checks whether its own executable file name starts with the string "[k".

If it does not, it proceeds to take these three steps:

Next, it sleeps for 37 seconds, then initialises its list of hard-coded command-and-control servers along with the intervals at which it will beacon to them.

The malware also creates a pipe for inter-process communication. It does this "by calling the pipe() function for getting two file descriptors for reading and writing data," according to Trend Micro. "It also enables non-blocking I/O for the writing file descriptor by using ioctl()."

Then it creates a new data packet in memory and begins communicating with the C2 server. ®
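To make the startup sequence above concrete, here is an added C example, written for this page rather than taken from Cyclops Blink or from Trend Micro's analysis, that reproduces the two mechanics the analysis describes using plain POSIX calls: the "[k" prefix test on the executable name, and a pipe() whose write end is switched to non-blocking with ioctl(FIONBIO). The function names, the 4 KiB chunk size and the fill-the-pipe demonstration are this example's own assumptions, and the 37-second constant is only printed, not slept. It needs Linux or a BSD.

```c
/* Added illustration of the startup mechanics described in the text.
 * Not Cyclops Blink code: names, chunk size and the pipe-filling demo
 * are this example's own choices.  Linux/BSD only. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define STARTUP_DELAY_SECS 37   /* the delay Trend Micro reports; printed, not slept */

/* Does the executable name (argv[0] as the process sees it) begin with "[k"?
 * Kernel threads appear in ps/top with bracketed names such as
 * "[kworker/0:0]", so a process named this way blends in with them.
 * Returns 1 if the prefix matches, 0 otherwise (including a NULL name). */
int name_has_k_prefix(const char *argv0)
{
    return argv0 != NULL && strncmp(argv0, "[k", 2) == 0;
}

/* pipe() for a read/write descriptor pair, then ioctl(FIONBIO) so that only
 * the WRITE end (fds[1]) is non-blocking.  Returns 0 on success, -1 on error. */
int make_nonblocking_pipe(int fds[2])
{
    int on = 1;
    if (pipe(fds) != 0)
        return -1;
    if (ioctl(fds[1], FIONBIO, &on) != 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    return 0;
}

/* Check via fcntl whether O_NONBLOCK is set on a descriptor; FIONBIO and
 * O_NONBLOCK control the same flag, so this confirms the ioctl took effect.
 * Returns 1 if set, 0 if clear, -1 on error. */
int fd_is_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0)
        return -1;
    return (flags & O_NONBLOCK) ? 1 : 0;
}

/* Show why the write end is made non-blocking: write into the pipe with
 * nobody reading until the kernel buffer is full.  With O_NONBLOCK, write()
 * returns -1/EAGAIN instead of hanging the process.  Returns the bytes
 * accepted before EAGAIN (or before the 16 MiB cap), or -1 on another error. */
long fill_until_eagain(int wfd)
{
    char chunk[4096];                          /* assumed chunk size */
    long total = 0;
    memset(chunk, 'A', sizeof chunk);
    for (int i = 0; i < 4096; i++) {
        ssize_t n = write(wfd, chunk, sizeof chunk);
        if (n > 0) {
            total += n;                        /* partial writes are fine */
            continue;
        }
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
            return total;
        return -1;
    }
    return total;
}

int main(int argc, char **argv)
{
    int fds[2];
    const char *name = argc > 0 ? argv[0] : "";
    printf("executable name \"%s\" starts with \"[k\": %s\n", name,
           name_has_k_prefix(name) ? "yes" : "no");
    printf("startup delay described in the analysis: %d seconds\n",
           STARTUP_DELAY_SECS);
    if (make_nonblocking_pipe(fds) != 0) {
        perror("pipe/ioctl");
        return 1;
    }
    printf("read end non-blocking: %d, write end non-blocking: %d\n",
           fd_is_nonblocking(fds[0]), fd_is_nonblocking(fds[1]));
    printf("bytes accepted before EAGAIN with no reader: %ld\n",
           fill_until_eagain(fds[1]));
    close(fds[0]);
    close(fds[1]);
    return 0;
}
```

Build with `cc -std=c99 -o kcheck kcheck.c`. Running `./kcheck` reports "no" for the prefix test, while `bash -c "exec -a '[kworker/0:1]' ./kcheck"` (bash's `exec -a` sets argv[0]) reports "yes", which is a quick way to see how cheaply a process name can be dressed up as a kernel thread; a process listing that shows a bracketed name with a real on-disk executable behind it (`ls -l /proc/PID/exe`) is worth a second look.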