Sandworm Team New Malware, Cyclops Blink

Industry: N/A | Level: Tactical | Source: NCSC

The National Cyber Security Centre (NCSC) reports a new Linux malware, Cyclops Blink is being attributed to the Russian threat group, Sandworm Team. The malware is associated with a large-scale botnet that has been active since June 2019, targeting Small Office/Home Office (SOHO) network devices. The malware possesses a modular framework with capabilities to "download/upload files, extract device information, and update the malware have been built-in and are executed at startup." The malware runs as, "a process named [kworker:0/1]," gathers system information at regular intervals and persists on the system through a firmware update. Lastly, for command and control Cyclops Blink leverages, "OpenSSL (version 1.0.1f) to support C2 communication underneath TLS. Each time the malware beacons it randomly selects a destination from the current list of C2 server IPv4 addresses and hard-coded list of C2 ports."

• Anvilogic Use Cases:
• Common Reconnaissance Commands
• File Download