Analytics Story: Cyclops Blink
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server.
Why it matters
Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Sysmon for Linux EventID 1 | Linux | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
References
- https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
- https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
Source: GitHub | Version: 2