The Russian-speaking APT behind the NotPetya attacks and the Ukrainian power grid takedown could be setting up for additional sinister attacks, researchers said.

The modular botnet known as Cyclops Blink, linked to the same advanced persistent threat (APT) behind the NotPetya wiper attacks, is expanding its device targeting to include ASUS routers.

Further, it’s likely that the botnet’s purpose is far more sinister than the average Mirai-knockoff’s penchant for distributed denial-of-service (DDoS) attacks.

That’s the word from Trend Micro researchers, who noted that Cyclops Blink casts a wide net in terms of the owners of the devices it chooses to infect, with no specific focus on high-value government or diplomatic entities. While that’s out of step with typical APT behavior, researchers said that it’s likely the botnet will be used as persistent infrastructure for mounting further attacks on high-value targets, and as such, should be indiscriminately distributed for maximum effect.

, Sandworm APT Hunts for ASUS Routers with Cyclops Blink Botnet, The Cyber Post

“It should be noted that these victims do not appear to be evidently valuable targets for either economic, military or political espionage,” according to the firm’s analysis. “For example, some of the live command-and-control servers (C2s) are hosted on WatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe and a plumber in the United States.”

Cyclops Blink itself has been around since 2019, initially looking to infect WatchGuard Firebox devices according to a February analysis (PDF) performed by the UK’s National Cyber Security Centre (NCSC). Now, to further its goal of widescale infections, ASUS routers are now on the menu, Trend Micro noted, with the latest variant incorporating a fresh module tailored to the vendor’s devices.

“Our research was carried out on the RT-AC68U, but other ASUS routers such as RT-AC56U might be affected as well,” researchers said. “Our investigation shows that there are more than 200 Cyclops Blink victims around the world. Typical countries of infected WatchGuard devices and ASUS routers are the United States, India, Italy, Canada and a long list of other countries, including Russia.”

A Sinister Purpose?

Cyclops Blink is the handiwork of the Russian-speaking Sandworm APT (a.k.a. Voodoo Bear or TeleBots), according to Trend Micro – the same group that’s been linked to a host of very high-profile state-sponsored attacks, as well as the VPNFilter internet-of-things (IoT) botnet.

“Sandworm was also responsible for…the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, the 2017 French presidential campaign, the 2018 Olympic Destroyer attack on the Winter Olympic Games and a 2018 operation against the Organization for the Prohibition of Chemical Weapons (OPCW),” researchers noted in a Thursday analysis.

Internet routers have been a favorite target for building out botnets for many years, thanks to “infrequency of patching, the lack of security software and the limited visibility of defenders” when it comes to these devices, as Trend Micro put it. More often than not, such botnets are used to carry out DDoS attacks; but in Cyclops Blink’s case, the motives are less obvious.

“The purpose of this botnet is still unclear: Whether it is intended to be used for DDoS attacks, espionage or proxy networks remains to be seen,” researchers said. “But what is evident is that Cyclops Blink is an advanced piece of malware that focuses on persistence and the ability to survive domain sinkhole attempts and the takedown of its infrastructure.”

In fact, some of the infected devices that researchers observed have been compromised for more than two and a half years, with some set up as stable C2 servers for other bots.

It is thus likely, the researchers speculated, that Cyclops Blink is destined for bigger horizons than denial of service.

“The more routers are compromised, the more sources of powerful data collection — and avenues for further attacks — become available to attackers,” according to the analysis, which raised the specter of “eternal botnets.”

“Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying or anything else that the attacker wants to do,” researchers warned. “The underlying operating systems for the majority of IoT devices is Linux, which is also used by many powerful systems tools. This can allow attackers to add anything else that they might need to complete their attacks.”

Given Sandworm’s track record, it’s wise to expect the worst, the firm noted.

“Sandworm’s previous high-profile victims and their attacks’ substantial impact on these organizations are particularly worrying — even more so for a group that quickly learns from past errors, comes back stronger time and time again, and for whom international repercussions seem minimal at best,” researchers said.

A Few Technical Specifics on a New Botnet Variant

Coded in the C language, Cyclops Blink relies on hard-coded TCP ports to communicate with a range of command-and-control servers (C2s), according to the analysis. For each port, it creates a rule in the Netfilter Linux kernel firewall to allow output communication to it.

Once it’s made contact, the malware initializes an OpenSSL library, and its core component then cranks up operations for a series of hard-coded modules.

“Communication with the modules is performed via pipes,” according to Trend Micro. “For each hard-coded module, the malware creates two pipes before executing them in their own child processes.”

The malware then pushes various parameters to the modules, which in turn respond with data that the core component encrypts with OpenSSL functions before sending it to the C2 server.

“The data is encrypted using AES-256 in cipher block chaining (CBC) mode with a randomly generated 256-bit key and 128-bit initialization vector (IV). It is then encrypted using a hard-coded RSA-2560 (320-bit) public key unique to each sample,” according to the analysis. “The C2 server must have the corresponding RSA private key to decrypt the data.”

Researchers added, “To send data to the C2 server, the core component performs a TLS handshake with a randomly chosen C2 server at a random TCP port, both of which are from a hard-coded list.”

Initially, the core component sends a list of supported commands to the C2 server and then waits to receive one of the commands back. These can be aimed at the core component itself or to one of its modules, according to the writeup.

If a command targets the core component, it can be one of the following:

  • Terminate the program
  • Bypass the data-sending interval and send data to C2 servers immediately
  • Add a new C2 server to the list in memory
  • Set time to send the next packet to the C2 server
  • Set time to send the next packet to the C2 server
  • Add a new module (an ELF file should be received following the command)
  • Reload the malware
  • Set the local IP address parameter
  • Set a new worker ID
  • Set an unknown byte value
  • Resend configuration to all running modules

As for the commands meant for the modules, the latest variant studied by Trend Micro now includes “Asus (0x38),” meant to activate a brand-new module built to infect ASUS routers.

Targeting ASUS Routers

The ASUS module is built to access and replace a router’s flash memory, thus enslaving it to the botnet, researchers explained.

“This module can read and write from the devices’ flash memory,” they said. “The flash memory is used by these devices to store the operating system, configuration and all files from the file system.”

Cyclops Blink reads 80 bytes from the flash memory, writes it to the main pipe, and then waits for a command with the data needed to replace the content.

“As the flash memory content is permanent, this module can be used to establish persistence and survive factory resets,” researchers explained.

A second module, straightforwardly called “system reconnaissance (0x08),” is responsible for gathering various data from the infected device and sending it to the C2 server.

Specifically, it harvests:

  • The Linux version of the device
  • Information about the device’s memory consumption
  • The SSD storage information
  • The content of the following files:
    • /etc/passwd
    • /etc/group
    • /proc/mounts
    • /proc/partitions
  • Information about network interfaces

A third module, “file download (0x0f),” can download files from the internet using DNS over HTTPS (DoH).

Trend Micro noted that ASUS is likely not the only new module that will emerge for the botnet. After all, Sandworm’s previous botnet, VPNFilter, targeted a wide range of router vendors, including ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL and ZDE.

“We have evidence that other routers are affected too, but as of reporting, we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and ASUS,” according to the analysis. “Based on our observation, we strongly believe that there are more targeted devices from other vendors. This malware is modular in nature, and it is likely that each vendor has different modules and architectures that were thought out well by the Cyclops Blink actors.”

How to Defend Against Becoming a Botnet Victim

Like with other botnets, organizations can protect themselves from Cyclops Blink attacks by falling back on basic security hygiene, Trend Micro noted, including the use of strong passwords, using a virtual private network (VPN), regular firmware patching and so on.  Most successful compromises are the result of default or weak password use or the exploitation of known vulnerabilities.

If an organization’s devices have been infected with Cyclops Blink, researchers said that the best course of action is to chuck the victimized router for a new one, given the malware’s prodigious persistence capabilities.

“It is best to get a new router,” they explained. “Performing a factory reset might blank out an organization’s configuration, but not the underlying operating system that the attackers have modified. If a particular vendor has firmware updates that can address a Cyclops Blink attack or any other weakness in the system, organizations should apply these as soon as possible. However, in some cases, a device might be an end-of-life product and will no longer receive updates from its vendor. In such cases, an average user would not have the ability to fix a Cyclops Blink infection.”

Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.