NetWitness Community Blog
FirstWatch Spotlight: Cyclops Blink – Sandworm’s Newest Addition to The Arsenal

‎2022-08-30 03:45 PM

Author: Rajas Save
Introduction

On February 23rd, 2022, the United Kingdom's National Cyber Security Centre (NCSC), together with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI), published a joint advisory identifying a new malware, referred to as Cyclops Blink, in use by the actor known as Sandworm or Voodoo Bear. According to MITRE and the United States Department of Justice, Sandworm Team is a destructive threat group attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST), military unit 74455.


Sandworm, also tracked as Voodoo Bear, Telebots, Iron Viking, BlackEnergy and Olympic Destroyer, was responsible for many high-profile attacks, such as:

  • The BlackEnergy disruption of Ukrainian electricity in 2015

  • Industroyer in 2016

  • NotPetya in 2017

  • Attacks against the Winter Olympics and Paralympics in 2018

  • A series of disruptive attacks against Georgia in 2019

Historically, Sandworm has adapted source code and functionality from open-source and commodity malware and turned it into sophisticated destructive malware with a high degree of persistence and the capability to make irreversible, destructive modifications; examples include PassKillDisk, the WhisperGate family of wipers and Olympic Destroyer.


The latest addition to Sandworm's arsenal is Cyclops Blink: a highly persistent, sophisticated and modular malware framework aimed at network devices. It appears to be a replacement for VPNFilter, which was exposed in 2018.

Cyclops Blink

Cyclops Blink is a malicious Linux ELF executable compiled for the 32-bit PowerPC (big-endian) architecture. According to the joint advisory from NCSC, FBI, CISA and NSA, Cyclops Blink targets Small Office/Home Office (SOHO) network devices; in 2022 it was found on WatchGuard Firebox firewall appliances and, later, on ASUS routers. The malware writes itself into the device's flash memory by hijacking the legitimate firmware update process, so it survives reboots and vendor updates. Separate modules for file transfer, information gathering, execution and persistence make the framework highly configurable per target and allow it to be updated on the fly. Communication with C2 servers is TLS-encrypted and uses a list of multiple hardcoded C2 addresses.


The samples analyzed and made available by NCSC contain four major modules that are started as part of initial execution. The malware also contains hardcoded encryption keys used for C2 communication.


The core module spawns a new child process named [kworker:0/1] by calling the Linux API function

execl("/proc/self/exe", "[kworker:0/1]", NULL)

[kworker:0/1] masquerades as a kernel thread while performing the malicious work: it starts the other modules and modifies the Linux iptables firewall to allow TCP traffic on the hardcoded list of port numbers used for C2 communication.
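The masquerade is cheap to spot once you know what a genuine kernel thread looks like: it has an empty /proc/<pid>/cmdline and no executable image behind /proc/<pid>/exe (ps prints the brackets only because the command line is empty), and real worker threads are named kworker/<cpu>:<id>, with the slash and colon the other way round from the malware's "[kworker:0/1]". The following Python is an added example, not code from this post or from the NCSC report; it applies that check to a constructed process table and, with scan_live(), to the real /proc of a Linux host. The sample records, including the exe path and comm values, are made up for illustration.

```python
"""Find user-space processes masquerading as kernel threads.

Added example, not code from the NetWitness post or the NCSC report.
Real kernel threads have no command line and no executable image
(/proc/<pid>/exe is a dangling link); ps shows them in brackets only
because their cmdline is empty. A process started with
execl("/proc/self/exe", "[kworker:0/1]", NULL) merely has a bracketed
argv[0]; its cmdline and exe link remain, which is what we test for.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Bracketed, kernel-thread-looking name such as "[kworker:0/1]" or "[kthreadd]".
KTHREAD_NAME = re.compile(r"^\[[^\]]+\]$")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm
    exe: Optional[str]   # target of /proc/<pid>/exe, None when the link is dangling
    cmdline: str         # /proc/<pid>/cmdline with NUL separators replaced by spaces


def is_masquerading(p: Proc) -> bool:
    """True when a process advertises a kernel-thread name but is backed by a user binary."""
    argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
    if not (KTHREAD_NAME.match(argv0) or KTHREAD_NAME.match(p.comm)):
        return False
    # A genuine kernel thread has neither a command line nor an executable image.
    return bool(p.cmdline) or p.exe is not None


def find_masqueraders(procs: Iterable[Proc]) -> List[Proc]:
    return [p for p in procs if is_masquerading(p)]


def read_proc(pid: int) -> Optional[Proc]:
    """Build a Proc from the live /proc filesystem (Linux only; needs read access)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        ppid = 0
        with open(f"{base}/status") as f:
            for line in f:
                if line.startswith("PPid:"):
                    ppid = int(line.split()[1])
                    break
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = None   # dangling (kernel thread) or not permitted
    except OSError:
        return None      # process exited mid-scan or is not readable
    return Proc(pid, ppid, comm, exe, cmdline)


def scan_live() -> List[Proc]:
    """Scan every PID in /proc and return the suspicious ones."""
    procs = (read_proc(int(d)) for d in os.listdir("/proc") if d.isdigit())
    return find_masqueraders(p for p in procs if p is not None)


# Constructed sample process table, not captured from a real device.
SAMPLE = [
    Proc(12, 2, "kworker/0:1", None, ""),                         # genuine kernel worker thread
    Proc(13, 2, "ksoftirqd/0", None, ""),                         # genuine kernel thread
    Proc(2210, 1, "busybox", "/bin/busybox", "httpd -p 80"),      # ordinary daemon
    Proc(2311, 2301, "exe", "/var/tmp/sample.elf", "[kworker:0/1]"),  # bracketed argv[0], real exe (constructed path)
]

if __name__ == "__main__":
    for p in find_masqueraders(SAMPLE):
        print(f"suspicious pid={p.pid} ppid={p.ppid} argv0={p.cmdline.split(' ')[0]!r} exe={p.exe}")
```

On an appliance you usually cannot run Python, but the same three fields (comm, cmdline, exe) are what ps, /proc and a forensic image of the filesystem give you, so the logic ports directly to a shell one-liner or a triage script. Treat a hit as a lead, not a verdict: confirm with the exe hash against the IOCs below.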

Cyclops1_hatching-proc1.png

A quick VirusTotal lookup of the sample shows it clearly detected as Cyclops Blink:

Cyclops1_VT.png


The core module then runs the following steps in a loop, providing continuous tasking, updates and persistence:

  • Receives messages containing data from running modules and queues them up ready to be sent to a C2 server

  • Beacons, consisting of queued messages, are sent to a C2 server at regular intervals

  • Decrypts and parses tasking received in response to beacons, either handling them directly or passing to the appropriate module

System Reconnaissance (Module ID 0x8)
The primary function of this module is information gathering using standard Linux API (libc) functions such as:

  • uname - gathers name and information about the Linux kernel

  • sysinfo - gathers memory statistics and swap space usage

  • statvfs - gathers statistics for the filesystem containing the current working directory

  • if_nameindex - gathers network interface names


The module also collects system and network information from the following files:

  • /etc/issue

  • /etc/passwd

  • /etc/group

  • /proc/mounts

  • /proc/partitions

  • /proc/net/arp

Cyclops1_hatching-arp.png Cyclops1_hatching-mount.png


File transfer (Module ID 0xf)
This module uploads and downloads files to and from C2 servers according to instructions from the core component. Tasking can specify an absolute or relative URL, or a memory path string. If no path string or URL is specified, downloaded data is written to the default location /var/tmp/a.tmp.

C2 server IPs (Module ID 0x39)
This module maintains the current list of C2 server IPv4 addresses, which differs from sample to sample. The list of IPv4 addresses and port numbers can be updated by the C2 to keep communications alive, so any published list is a snapshot rather than a fixed set. The screenshot below shows the outbound connections attempted while detonating the same sample.

Cyclops2_outbound_ip.png


A VirusTotal lookup of these addresses confirms they are tagged as Cyclops Blink C2 servers, hosted in several different countries:

Cyclops1_VT_ip4.png

Cyclops1_VT_ip3.png

Cyclops1_VT_ip1.png

Cyclops1_VT_ip2.png


The Update/Persistence module (Module ID 0x51)
As the name suggests, the primary function of this module is to maintain persistence across the firmware update process. It does this by patching the firmware image and recalculating its HMAC with the hardcoded keys, so the post-update validation still passes. Every new task is handled in a sub-process of this module and involves overwriting legitimate executables with modified versions, allowing the firmware update process to be manipulated into re-installing Cyclops Blink.


The following diagram simplifies how Cyclops Blink bypasses the HMAC verification and persists even after firmware updates:

RajasSave_1-1661884979267.png

The access and modification timestamps of the overwritten files are then changed with the Linux API function utime to match those of /pending/sysa_code_dir/bin/busybox-rel, so that they do not stand out from the surrounding files:

Cyclops1_hatching-busybox.png
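To make the trust boundary concrete, here is an added Python example. It is not the vendor's real image format and not code from this post or the NCSC report: the image layout, the key and the payload are all constructed. It models a device that validates an update image with an HMAC-SHA256 tag computed under a key that ships inside the firmware, which is the situation described above, and shows that an implant holding that key can patch the image and re-tag it so validation passes, while an attacker without the key cannot.

```python
"""Why an HMAC keyed with a secret stored on the device does not protect firmware updates.

Added example, not WatchGuard's real image format and not code from the
NCSC report: the layout, key and payload below are constructed. It shows
the point the post makes: whoever holds the HMAC key (and an implant on
the device does, because the key is hardcoded in the firmware) can patch
an image and recompute a valid tag, so the post-update check still passes.
"""
import hashlib
import hmac

# Assumption for this example: the image is payload || HMAC-SHA256(key, payload),
# and the verifying key lives inside the firmware itself.
DEVICE_HMAC_KEY = b"example-key-baked-into-firmware"   # constructed, not a real key
TAG_LEN = 32


def build_image(payload: bytes, key: bytes = DEVICE_HMAC_KEY) -> bytes:
    """Vendor side: append the HMAC tag to the payload."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_image(image: bytes, key: bytes = DEVICE_HMAC_KEY) -> bool:
    """Device side: the post-update validation."""
    payload, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def implant(image: bytes, original: bytes, replacement: bytes) -> bytes:
    """Patch the payload, e.g. swap a legitimate binary for a modified one. Returns payload only."""
    payload = image[:-TAG_LEN]
    if original not in payload:
        raise ValueError("pattern not found in payload")
    return payload.replace(original, replacement, 1)


def patch_without_key(image: bytes, original: bytes, replacement: bytes) -> bytes:
    """Attacker who does NOT hold the key: tamper and keep the old tag."""
    return implant(image, original, replacement) + image[-TAG_LEN:]


def patch_with_key(image: bytes, original: bytes, replacement: bytes,
                   key: bytes = DEVICE_HMAC_KEY) -> bytes:
    """What the post describes: tamper, then recompute the HMAC with the hardcoded key."""
    return build_image(implant(image, original, replacement), key)


# Constructed stand-in for a firmware payload containing one executable.
GENUINE_PAYLOAD = b"FWIMG\x00" + b"/bin/busybox-rel:" + b"\x7fELF-legit-busybox" + b"\x00" * 16

if __name__ == "__main__":
    img = build_image(GENUINE_PAYLOAD)
    print("genuine image verifies:           ", verify_image(img))
    naive = patch_without_key(img, b"legit-busybox", b"evil-busybox!")
    print("tampered, old tag kept, verifies: ", verify_image(naive))
    resigned = patch_with_key(img, b"legit-busybox", b"evil-busybox!")
    print("tampered, re-HMACed, verifies:    ", verify_image(resigned))
```

A check whose only secret lives on the device being checked is a self-consistency test, not an integrity guarantee: anything that can read the key can forge the tag. Verifying updates with a digital signature, where the device holds only the public key and the signing key never leaves the vendor, removes that forgery path, which is why an on-device validation result should not be trusted when assessing a possibly compromised appliance.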
Complete details on the modules and the core component can be found in the NCSC report.
MITRE Mapping

  • T1133 - Initial Access - External Remote Services

  • T1059.004 - Execution - Command and Scripting Interpreter: Unix Shell

  • T1542.001 - Persistence - Pre-OS Boot: System Firmware

  • T1037.004 - Persistence - Boot or Logon Initialization Scripts: RC Scripts

  • T1562.004 - Defense Evasion - Impair Defenses: Disable or Modify System Firewall

  • T1036.005 - Defense Evasion - Masquerading: Match Legitimate Name or Location

  • T1082 - Discovery - System Information Discovery

  • T1132.002 - Command and Control - Data Encoding: Non-Standard Encoding

  • T1008 - Command and Control - Fallback Channels

  • T1573.002 - Command and Control - Encrypted Channel: Asymmetric Cryptography

  • T1041 - Exfiltration - Exfiltration Over C2 Channel

 

 

IOCs and Additional Resources

The following IOCs come from the analysis in this blog and from other vendors' reporting:

  • C2 server IPs -

    217[.]57[.]78[.]18

    212[.]234[.]179[.]113

    212[.]202[.]147[.]10

    185[.]82[.]169[.]99

    109[.]192[.]30[.]125

    105[.]159[.]248[.]137

    93[.]51[.]177[.]66

    81[.]4[.]177[.]118

    80[.]153[.]75[.]103

    80[.]15[.]113[.]188

    37[.]99[.]163[.]162

    24[.]199[.]247[.]222

    2[.]229[.]24[.]16

    217[.]141[.]177[.]210

    213[.]166[.]202[.]194

    212[.]103[.]222[.]218

    209[.]162[.]240[.]245

    184[.]185[.]80[.]174

    183[.]171[.]8[.]8

    137[.]103[.]44[.]146

    91[.]189[.]89[.]199

    41[.]142[.]240[.]197

    37[.]71[.]147[.]186

    12[.]172[.]90[.]242

  • Cyclops Blink IOCs from Trendmicro

  • YARA Rules from NCSC

  • WatchGuard’s 4-Step Cyclops Blink Diagnosis and Remediation Plan
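Since the C2 list is refreshed by module 0x39 and differs between samples, the addresses above are a snapshot; the practical use is to sweep them against connection logs and flag any host that has talked to them. The following Python is an added example, not code from this post: it refangs the list exactly as published (including the doubled brackets that appear in one entry), validates each entry as an IP address and matches the set against Zeek conn.log lines. The conn.log excerpt is constructed and the destination ports in it are arbitrary; paste the full list above into C2_DEFANGED to sweep with all of it.

```python
"""Refang a defanged IOC list and sweep it against Zeek conn.log lines.

Added example, not code from the NetWitness post. The IOC entries are
taken from the post's list (a subset, to keep the block short); the
conn.log excerpt is constructed and its ports are arbitrary.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Matches "[.]", "[[.]]", "(.)" and "{.}" defanging styles.
DEFANG = re.compile(r"\[+\.\]+|\(\.\)|\{\.\}")


def refang(indicator: str) -> str:
    """Turn 41[.]142[.]240[.]197 or 41[[.]]142[[.]]240[[.]]197 back into 41.142.240.197."""
    return DEFANG.sub(".", indicator.strip())


def load_iocs(lines: Iterable[str]) -> Set[str]:
    """Refang and validate one indicator per line; blank lines and '#' comments are skipped."""
    iocs: Set[str] = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip = refang(line)
        ipaddress.ip_address(ip)   # raises ValueError on anything that is not an address
        iocs.add(ip)
    return iocs


# Subset of the post's C2 list, defanged exactly as published.
C2_DEFANGED = """
217[.]57[.]78[.]18
212[.]234[.]179[.]113
41[[.]]142[[.]]240[[.]]197
12[.]172[.]90[.]242
"""

# First eight columns of a Zeek conn.log record (tab separated).
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"]


def parse_conn(line: str) -> Dict[str, str]:
    """Minimal conn.log parser for the columns above; extra columns are ignored."""
    return dict(zip(CONN_FIELDS, line.rstrip("\n").split("\t")))


def sweep(conn_lines: Iterable[str], iocs: Set[str]) -> List[Dict[str, str]]:
    """Return every connection whose originator or responder is in the IOC set."""
    hits = []
    for line in conn_lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_conn(line)
        if rec.get("id.resp_h") in iocs or rec.get("id.orig_h") in iocs:
            hits.append(rec)
    return hits


# Constructed conn.log excerpt: one internal host, three outbound TLS sessions.
SAMPLE_CONN = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1661884979.100\tCabc1\t10.0.0.1\t51344\t41.142.240.197\t8443\ttcp\tssl
1661884980.200\tCabc2\t10.0.0.1\t51345\t142.250.72.14\t443\ttcp\tssl
1661884981.300\tCabc3\t10.0.0.1\t51346\t12.172.90.242\t636\ttcp\tssl
"""

if __name__ == "__main__":
    iocs = load_iocs(C2_DEFANGED.splitlines())
    for hit in sweep(SAMPLE_CONN.splitlines(), iocs):
        print(f"{hit['ts']} {hit['id.orig_h']} -> {hit['id.resp_h']}:{hit['id.resp_p']} ({hit['service']})")
```

Because the list rotates, treat a match as strong evidence and a miss as no evidence: a device that beacons to an address not yet on any published list is still compromised. Pair the IP sweep with the process-level check from the core module section and with the NCSC YARA rules linked above.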


Conclusion

Cyclops Blink's modular structure, its ability to write to the device filesystem and its persistence across legitimate firmware upgrades make it one of the most sophisticated and destructive pieces of malware seen in recent times. It has primarily affected WatchGuard Firebox firewall appliances and multiple ASUS router models. Because the framework is configurable, Sandworm can retarget it at new devices with little effort and tap into new pools of exploitable hardware. Our hope with this blog is to provide a quick overview of Cyclops Blink and its recent spike in use as a destructive malware. Hopefully this information will help analysts identify and respond to similar attacks more quickly.

Thanks goes to @Will_G for valuable feedback and direction. 

References

  • New Sandworm Malware Cyclops Blink Replaces VPNFilter | CISA 

  • https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf 

  • Cyclops Blink, Software S0687 | MITRE ATT&CK 

  • The story of the four bears: Brief analysis of APT groups linked to the Russian government (Part 3) 

  • US disrupts Russian Cyclops Blink botnet before being used in attacks 

  • Detecting BlackEnergy using Security Analytics - NetWitness Community - 403622

  • Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU) | OPA | Department of Justice

  • https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games

  • Cyclops Blink Sets Sights on Asus Routers  

  • https://www.justice.gov/opa/press-release/file/1328521/download 

  • https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf
