forked from splunk/security_content
cyclops_blink.yml
name: Cyclops Blink
id: 7c75b1c8-dfff-46f1-8250-e58df91b6fd9
version: 2
date: '2024-03-14'
author: Teoderick Contreras, Splunk
description: Leverage searches that allow you to detect and investigate unusual activities
  that might relate to the Cyclops Blink malware, including firewall modification, spawning
  of additional processes, botnet C2 communication and defense evasion.
  Cyclops Blink is a Linux ELF executable compiled for the 32-bit x86 and PowerPC architectures that has targeted several network devices.
  The complete list of targeted devices is unknown at this time, but the WatchGuard Firebox has specifically been listed as a target.
  The modular malware consists of core components and modules that are deployed as child processes using the Linux fork() system call.
  At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself.
  Additional modules can be downloaded and executed from the Command and Control (C2) server.
narrative: Adversaries may use this technique to maximize the impact on the target organization in operations where network-wide availability interruption
  is the goal.
references:
- https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
- https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
tags:
  category:
  - Malware
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
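The story above describes two host-level behaviours its searches are meant to surface: a core process deploying modules as fork()ed child processes, and firewall modification on the device. The following is an added example, not code from the splunk/security_content project or from this story file, showing that detection logic run over a handful of constructed Linux process-creation events. The event schema (ts, host, pid, ppid, comm, cmdline), the set of firewall binaries and mutating arguments, and the child-count threshold are all assumptions made for the example; in practice the fields would come from auditd, Sysmon for Linux or a similar source indexed in Splunk, and the threshold would be tuned per fleet.

```python
"""Added example, not part of the Splunk security_content story file above.

Detects two behaviours the Cyclops Blink story calls out, over constructed
Linux process-creation events: one parent spawning many children (the
fork()-based module deployment) and a process changing firewall rules.
"""
from __future__ import annotations

import json
import shlex
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (NDJSON, one event per line), made up for this
# example. A core process (pid 4120) forks four module children, one of which
# inserts an iptables rule; a separate admin session (ppid 900) only lists rules.
SAMPLE_NDJSON = """
{"ts":"2024-03-14T10:00:01Z","host":"fw01","pid":4120,"ppid":1,"comm":"svc","cmdline":"/var/tmp/svc"}
{"ts":"2024-03-14T10:00:02Z","host":"fw01","pid":4121,"ppid":4120,"comm":"svc","cmdline":"/var/tmp/svc --sysinfo"}
{"ts":"2024-03-14T10:00:02Z","host":"fw01","pid":4122,"ppid":4120,"comm":"svc","cmdline":"/var/tmp/svc --upload"}
{"ts":"2024-03-14T10:00:03Z","host":"fw01","pid":4123,"ppid":4120,"comm":"svc","cmdline":"/var/tmp/svc --download"}
{"ts":"2024-03-14T10:00:03Z","host":"fw01","pid":4124,"ppid":4120,"comm":"iptables","cmdline":"iptables -I INPUT -p tcp --dport 4443 -j ACCEPT"}
{"ts":"2024-03-14T10:05:00Z","host":"fw01","pid":5001,"ppid":900,"comm":"iptables","cmdline":"iptables -L -n"}
{"ts":"2024-03-14T10:05:01Z","host":"fw01","pid":5002,"ppid":900,"comm":"ls","cmdline":"ls -la /etc"}
"""

# Assumptions for this example: which binaries count as firewall tooling, which
# arguments actually change rules (listing with -L/-S is read-only and must not
# fire), and how many children from one parent is suspicious.
FIREWALL_BINARIES = {"iptables", "ip6tables", "nft", "ufw"}
MUTATING_ARGS = {
    "-A", "-I", "-D", "-F", "-P", "-N", "-X",
    "--append", "--insert", "--delete", "--flush", "--policy",
    "add", "insert", "delete", "flush", "allow", "deny",
}
FORK_THRESHOLD = 4


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    pid: int      # parent pid for spawn findings, the invoking pid for firewall findings
    detail: str


def parse_events(ndjson: str) -> list[dict]:
    """Parse NDJSON into event dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def is_firewall_modification(event: dict) -> bool:
    """True when a firewall binary is invoked with an argument that changes rules."""
    if event["comm"] not in FIREWALL_BINARIES:
        return False
    args = shlex.split(event["cmdline"])[1:]
    return any(arg in MUTATING_ARGS for arg in args)


def detect(events: list[dict], fork_threshold: int = FORK_THRESHOLD) -> list[Finding]:
    """Return firewall-modification findings first, then excessive-spawn findings."""
    findings: list[Finding] = []
    children: dict[tuple[str, int], list[dict]] = defaultdict(list)
    for event in events:
        children[(event["host"], event["ppid"])].append(event)
        if is_firewall_modification(event):
            findings.append(Finding("firewall_modification", event["host"],
                                    event["pid"], event["cmdline"]))
    for (host, ppid), kids in children.items():
        if len(kids) >= fork_threshold:
            names = ", ".join(sorted({k["comm"] for k in kids}))
            findings.append(Finding("excessive_child_spawn", host, ppid,
                                    f"{len(kids)} children ({names})"))
    return findings


def run_sample() -> list[Finding]:
    """Run the detector over the constructed sample events."""
    return detect(parse_events(SAMPLE_NDJSON))


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.rule:24} host={finding.host} pid={finding.pid} {finding.detail}")
```

Against the sample the read-only `iptables -L -n` from the admin session produces nothing, while the rule insertion by pid 4124 and the four children of pid 4120 each produce one finding. The same two rules expressed in SPL would be a `stats count by host, parent_process_id` with a threshold, and a match on the firewall binary plus a mutating argument in the command line.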