Thursday, February 24, 2022

Modular malware framework targeting SOHO network devices

Cyclops Blink is a malicious Linux ELF executable, compiled for the 32-bit PowerPC (big-endian) architecture. 

  •     Persistence is maintained throughout the legitimate device firmware update process.
  •     Implements a modular framework consisting of a core component and additional modules that are executed as child processes.
  •     Modules to download/upload files, extract device information, and update the malware are built in and are executed at startup.
  •     Command and control (C2) communication uses a custom binary protocol underneath TLS, and messages are individually encrypted.

Introduction

Cyclops Blink is a malicious Linux ELF executable, compiled for the 32-bit PowerPC (big-endian) architecture. NCSC, FBI, CISA, NSA and industry analysis has associated it with a large-scale botnet targeting Small Office/Home Office (SOHO) network devices. This botnet has been active since at least June 2019, affecting WatchGuard Firebox and possibly other SOHO network devices. This report covers the analysis of two samples recently acquired by the FBI from WatchGuard Firebox devices known to have been incorporated into the botnet.
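The one concrete file-format fact this summary gives is the build target: a 32-bit, big-endian PowerPC ELF. A defender triaging files pulled from a SOHO device can use that as a first-pass filter before deeper analysis. The following is an added example, not code from the NCSC report or from the malware itself; it parses the ELF identification bytes and the e_type/e_machine fields using the constants from the ELF specification (EM_PPC = 20, ELFDATA2MSB = 2, ELFCLASS32 = 1). The sample headers are constructed in the block, not taken from the real samples, and the function names are this example's own.

```python
import struct

# Constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
ELFCLASS64 = 2
ELFDATA2LSB = 1   # little-endian
ELFDATA2MSB = 2   # big-endian
EM_PPC = 20       # 32-bit PowerPC
EM_X86_64 = 62


def parse_elf_ident(data: bytes) -> dict:
    """Parse e_ident plus e_type and e_machine from the first 20 bytes of a file.

    Returns {"is_elf": False} for anything that is not an ELF file (or is too
    short), otherwise class, byte order, object type and machine.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return {"is_elf": False}
    ei_class = data[4]
    ei_data = data[5]
    # e_type and e_machine are stored in the file's own byte order,
    # so the endianness flag must be read before unpacking them.
    fmt = ">" if ei_data == ELFDATA2MSB else "<"
    e_type, e_machine = struct.unpack(fmt + "HH", data[16:20])
    return {
        "is_elf": True,
        "class_bits": 32 if ei_class == ELFCLASS32 else 64,
        "endian": "big" if ei_data == ELFDATA2MSB else "little",
        "type": e_type,
        "machine": e_machine,
    }


def matches_cyclops_blink_arch(data: bytes) -> bool:
    """True if the file is a 32-bit big-endian PowerPC ELF, the build target
    the report describes for Cyclops Blink.

    This is an architecture triage filter, not a malware signature: legitimate
    firmware for the same devices matches it too, so hits need further analysis.
    """
    info = parse_elf_ident(data)
    return (info.get("is_elf", False)
            and info["class_bits"] == 32
            and info["endian"] == "big"
            and info["machine"] == EM_PPC)


def make_header(ei_class: int, ei_data: int, e_machine: int, e_type: int = 2) -> bytes:
    """Build a constructed 20-byte ELF header prefix for testing (not real sample data)."""
    fmt = ">" if ei_data == ELFDATA2MSB else "<"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8  # 16 bytes of e_ident
    return ident + struct.pack(fmt + "HH", e_type, e_machine)


# Constructed inputs: one PowerPC big-endian ELF, one x86-64 ELF, one non-ELF (PE-style) blob
PPC_BE_HEADER = make_header(ELFCLASS32, ELFDATA2MSB, EM_PPC)
X86_64_LE_HEADER = make_header(ELFCLASS64, ELFDATA2LSB, EM_X86_64)
NOT_ELF = b"MZ" + b"\x00" * 18


def scan_blobs(blobs: dict) -> list:
    """Return the names of blobs that pass the PowerPC big-endian ELF filter."""
    return [name for name, data in blobs.items() if matches_cyclops_blink_arch(data)]


if __name__ == "__main__":
    print(scan_blobs({"a": PPC_BE_HEADER, "b": X86_64_LE_HEADER, "c": NOT_ELF}))
```

To run this against files recovered from a device, read the first 20 bytes of each file and pass them to `matches_cyclops_blink_arch`; anything that passes is a candidate for the deeper checks (module structure, C2 behaviour) that the full report describes.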

Read the full report here