Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the command and control (C2) server.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-04-07
  • Author: Teoderick Contreras, Splunk
  • ID: 7c75b1c8-dfff-46f1-8250-e58df91b6fd9

Narrative

Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.

Detections

Name Technique Type
Linux Iptables Firewall Modification Disable or Modify System Firewall, Impair Defenses Anomaly
Linux Kworker Process In Writable Process Path Masquerade Task or Service, Masquerading Hunting
Linux Stdout Redirection To Dev Null File Disable or Modify System Firewall, Impair Defenses Anomaly

Reference

source | version: 1