New Malware in Russia-Linked Sandworm's Arsenal

Application Security, Cybercrime, Cybercrime as a Service

CISA, NCSC on ‘Cyclops Blink’; Also, the tactics, techniques and procedures of the group

Prajeet Nair (@prajeetspeaks) •
February 24, 2022

US and UK shared details of Sandworm malware.

Russia-linked threat actor Sandworm, aka Voodoo Bear, has been discovered using new malware, dubbed Cyclops Blink. Law enforcement and intelligence agencies in the US and the UK shared details about the malware, as well as information about the tactics, techniques and procedures and indicators of compromise associated with the threat group.


Cyclops Blink

The US and UK agencies' advisory says that Cyclops Blink is a malicious Linux ELF executable; ELF is the standard binary format on Linux operating systems.

The malware, which has been active since June 2019, affects small office/home office, or SOHO, network devices, particularly those from network security vendor WatchGuard, the advisory says, citing analysis by the UK National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency, National Security Agency and Federal Bureau of Investigation.

The advisory states that the threat actor is likely to be “capable of compiling the malware for other architectures and firmware.”

The threat group, which is linked to the Russian General Staff Main Intelligence Directorate's Main Center for Special Technologies, likely introduced Cyclops Blink as a replacement for the VPNFilter malware, which was exposed by the FBI in 2018, the advisory states.

VPNFilter had infected routers made by companies including Linksys, MikroTik, Netgear, QNAP and TP-Link in 54 countries, including the United States, according to a report by Cisco Talos.

VPNFilter, like Cyclops Blink, targets network devices, primarily SOHO routers, the advisory says. Deployment of both malware families has been indiscriminate and widespread, it adds.

“[Cyclops Blink] is sophisticated and modular with basic functionality to beacon device information to a server, and it allows files to be downloaded and executed. There is also a feature to add new modules while the malware is running, allowing Sandworm to implement additional functionality if needed,” the advisory reads.

Technical analysis

The advisory states that the Cyclops Blink samples are loaded into memory as two program segments, based on an analysis of WatchGuard Firebox device samples.

The first of these program segments has read/execute permissions and contains the Linux ELF header and the malware’s executable code, it says.

“The second has read/write permissions and contains the data, including victim-specific information, used by the malware. To make the sample hashes as useful as possible for comparison purposes, they have been calculated only on the (first) executable program segment. File sizes match those of the original files,” according to the advisory.

The samples analyzed include the same four built-in modules, which run on startup and provide functionality such as file upload/download, system information discovery and malware version update, it says.

“Other modules can be added via tasks from a C2 server. The malware expects these modules to be Linux ELF executables that can be executed using a Linux API function. The malware contains a hard-coded RSA public key, which is used for C2 communications, as well as a hard-coded RSA private key and X.509 certificate. The hard-coded RSA private key and X.509 certificate do not appear to be actively used in the analyzed samples, so it is possible that they are intended for use by a separate module,” the advisory states.

The malware also contains an initial list of hard-coded C2 server IPv4 addresses and port numbers to use for C2 communications. Its developers also identified weaknesses in the WatchGuard Firebox firmware update process and exploited them to their advantage, according to the advisory.

The advisory says the developers identified a “specific weakness in this process” – “the ability to recalculate the HMAC value used to verify a firmware update image” – and took advantage of it “to maintain the persistence of Cyclops Blink throughout the legitimate firmware update process.” This persistence makes remediation more difficult.
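To show why an update check whose HMAC can be recalculated is weak, and what a stronger design looks like, here is an added Go example. It is not code from the advisory, the agencies or WatchGuard, and it does not model the Firebox update process itself. It contrasts a check built on a symmetric key that has to be stored on the device (recomputing the tag with that key is all that is needed to pass) with a check built on a vendor signature verified against a public key, the root-of-trust approach Goodacre recommends later in the piece. The images, the key and all names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed images for the example: what the vendor shipped, and the same
// image with extra bytes appended (standing in for an unauthorized change).
var (
	vendorImage  = []byte("FIRMWARE v1.0 (constructed sample)")
	alteredImage = []byte("FIRMWARE v1.0 (constructed sample) + unauthorized change")
)

// hmacTag is the tag a device-side HMAC check recomputes and compares.
func hmacTag(image, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return m.Sum(nil)
}

// HMACCheckPasses models an update check whose only secret is a symmetric key
// that must be present on the device in order to verify. A MAC proves that
// whoever tagged the image held the key; it cannot distinguish the vendor from
// anyone else who has obtained the key from the device.
func HMACCheckPasses(image, tag, deviceKey []byte) bool {
	return hmac.Equal(tag, hmacTag(image, deviceKey))
}

// SignatureCheckPasses models the root-of-trust design: the device holds only
// the vendor's public key, and the signing key never leaves the vendor, so
// nothing stored on the device can be used to produce an acceptable image.
func SignatureCheckPasses(image, sig []byte, vendorPub ed25519.PublicKey) bool {
	return ed25519.Verify(vendorPub, image, sig)
}

// CheckResults records whether each design accepts the vendor image and the
// altered image.
type CheckResults struct {
	HMACAcceptsVendor, HMACAcceptsAltered bool
	SigAcceptsVendor, SigAcceptsAltered   bool
}

// CompareUpdateChecks runs both designs. The key point is HMACAcceptsAltered:
// recomputing the tag with the device's own verification key is all the weak
// design requires, which is the class of weakness the advisory describes.
func CompareUpdateChecks() (CheckResults, error) {
	var r CheckResults

	// Weak design: the verification key lives on the device (constructed value).
	deviceKey := []byte("constructed-shared-key-stored-on-device")
	r.HMACAcceptsVendor = HMACCheckPasses(vendorImage, hmacTag(vendorImage, deviceKey), deviceKey)
	r.HMACAcceptsAltered = HMACCheckPasses(alteredImage, hmacTag(alteredImage, deviceKey), deviceKey)

	// Corrected design: the device holds only the public half of a vendor key pair.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	vendorSig := ed25519.Sign(vendorPriv, vendorImage)
	r.SigAcceptsVendor = SignatureCheckPasses(vendorImage, vendorSig, vendorPub)
	// Without vendorPriv, the only signature available is the vendor's own,
	// which does not verify over a modified image.
	r.SigAcceptsAltered = SignatureCheckPasses(alteredImage, vendorSig, vendorPub)
	return r, nil
}

func main() {
	r, err := CompareUpdateChecks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("HMAC check   vendor=%v altered=%v\n", r.HMACAcceptsVendor, r.HMACAcceptsAltered)
	fmt.Printf("Signed check vendor=%v altered=%v\n", r.SigAcceptsVendor, r.SigAcceptsAltered)
}
```

The distinction that matters for defenders is where the verification material lives: a symmetric MAC key on the device is, by construction, also a tagging key, whereas a public key on the device can only verify. That is why a signature-based root of trust is what makes "only install and boot expected software" a property the device can actually enforce.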

The agencies’ analysis determined that the victim devices are organized into clusters and that each deployment of Cyclops Blink has a list of C2 IP addresses and ports that it uses.

“All C2 IP addresses known to date have been used by compromised WatchGuard firewall devices, and communications between Cyclops Blink clients and servers are protected by Transport Layer Security, using individually generated keys and certificates,” the advisory reads, adding that “Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.”

“Relevant” news

News of the “capable and intelligent adversary” Sandworm using Cyclops Blink, particularly amid the Ukraine crisis, is “worrying,” said John Hultquist, vice president of cybersecurity firm Mandiant Threat Intelligence.

“[Sandworm] outperformed all the others we track in terms of the aggressive cyberattacks and information operations they carried out,” says Hultquist. “No other Russian actor has been so brazen and successful in disrupting critical infrastructure in Ukraine and elsewhere.”

The group has been held responsible for the BlackEnergy disruption of Ukraine's electricity in 2015, Industroyer in 2016, NotPetya in 2017, attacks against the 2018 Winter Olympics and Paralympics, and a series of disruptive attacks on Georgia in 2019, according to the advisory.

Hultquist says he hopes the timing of this disclosure will help organizations better defend against Sandworm as relations between Russia and other countries deteriorate and the likelihood of cyberattacks beyond Ukraine continues to grow.

“WatchGuard has worked closely with the FBI, CISA, and NCSC and provided tools and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow the instructions to ensure that devices are updated to the latest version and that any infections are removed,” the advisory reads.

It states that if a device is identified as infected with Cyclops Blink, its owner should “assume that all passwords on the device have been compromised and replace them” as well as “ensure that the device's management interface is not exposed to the Internet.”

“Impressive” effort

The effort to obfuscate command and control is impressive, says Jake Williams, a former member of the National Security Agency's elite hacking team and a research analyst. He told Information Security Media Group: “After VPNFilter was removed, it was clear that any command and control relying solely on DNS would not be resilient enough. Using Tor would provide resiliency but could also attract the attention of knowledgeable device owners.”

Williams says that by using multiple layers of C2, Cyclops Blink gets “the best of both worlds.” The attackers can select unmonitored infected nodes to connect to their C2 servers via Tor, while most infected devices reach C2 by routing through those nodes rather than connecting to the Tor network themselves. This technique makes the operation harder to disrupt, he says, “letting the NCSC release the detection documentation for potentially compromised users rather than taking control of C2.”

Williams says it’s likely the threat actor has built similar tools for platforms other than WatchGuard.

John Goodacre, director of UKRI's Digital Security by Design, says threats such as Sandworm and Cyclops Blink are examples of the rising cost associated with exploitable IT vulnerabilities and the need for secure-by-design products. He says, “Knowingly select products with a root of trust that can ensure that computers can only install and boot expected software.”
