Modular malware framework targeting SOHO network devices

Cyclops Blink is a malicious Linux ELF executable, compiled for the 32-bit PowerPC (big-endian) architecture. 

  • Persistence is maintained throughout the legitimate device firmware update process.
  • Implements a modular framework consisting of a core component and additional modules that are executed as child processes.
  • Modules to download/upload files, extract device information, and update the malware are built in and are executed at startup.
  • Command and control (C2) communication uses a custom binary protocol underneath TLS, and messages are individually encrypted.

Introduction
Cyclops Blink is a malicious Linux ELF executable, compiled for the 32-bit PowerPC (big-endian)
architecture. Analysis by the NCSC, FBI, CISA, NSA and industry has associated it with a large-scale botnet
targeting Small Office/Home Office (SOHO) network devices. This botnet has been active since at
least June 2019, affecting WatchGuard Firebox and possibly other SOHO network devices.
This report covers the analysis of two samples recently acquired by the FBI from WatchGuard Firebox
devices known to have been incorporated into the botnet.
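As an added example (not code from the NCSC report and not part of the malware), a defender triaging binaries recovered from a device or firmware image can check the ELF header for the build target named above, a 32-bit big-endian PowerPC executable; the sample headers below are constructed for illustration, and the constant values are the standard ELF ones.

```python
import struct

# Standard ELF header constants used for architecture triage.
ELF_MAGIC = b"\x7fELF"
EM_PPC, EM_X86_64 = 20, 62          # e_machine: 32-bit PowerPC, x86-64
ELFCLASS32, ELFCLASS64 = 1, 2       # EI_CLASS
ELFDATA2LSB, ELFDATA2MSB = 1, 2     # EI_DATA: little-endian, big-endian
ET_EXEC, ET_DYN = 2, 3              # e_type: executable, shared object / PIE


def parse_elf_header(data: bytes) -> dict:
    """Parse the ELF header fields needed to identify the build target.

    Raises ValueError if the data does not start with a usable ELF header.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unsupported ELF class or data encoding")
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    # e_type and e_machine are the two half-words right after e_ident (offset 16),
    # stored in the byte order declared by EI_DATA.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": 32 if ei_class == ELFCLASS32 else 64,
        "big_endian": ei_data == ELFDATA2MSB,
        "e_type": e_type,
        "e_machine": e_machine,
    }


def is_ppc32_be_executable(data: bytes) -> bool:
    """True if the file matches the report's build target: 32-bit, big-endian PowerPC ELF executable."""
    try:
        h = parse_elf_header(data)
    except ValueError:
        return False
    return h["class"] == 32 and h["big_endian"] and h["e_machine"] == EM_PPC and h["e_type"] in (ET_EXEC, ET_DYN)


def make_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build a constructed (test-only) ELF header: e_ident plus e_type and e_machine."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8   # EI_VERSION=1, EI_OSABI=0, padding
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    return ident + struct.pack(endian + "HH", e_type, e_machine)


# Constructed samples: a PPC32 big-endian executable header and an x86-64 PIE header.
SAMPLE_PPC32_BE = make_header(ELFCLASS32, ELFDATA2MSB, ET_EXEC, EM_PPC)
SAMPLE_X86_64 = make_header(ELFCLASS64, ELFDATA2LSB, ET_DYN, EM_X86_64)

if __name__ == "__main__":
    for name, sample in (("ppc32-be", SAMPLE_PPC32_BE), ("x86-64", SAMPLE_X86_64)):
        print(name, parse_elf_header(sample), is_ppc32_be_executable(sample))
```

On a real device image, run `is_ppc32_be_executable` over the first 20 bytes of each file to shortlist candidates for deeper analysis; the check identifies the architecture only, not malicious intent.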

Read the full report here