
Rewterz Threat Advisory – Cyclops Blink – Active IOCs

Severity

Medium

Analysis Summary

Cyclops Blink is a malicious Linux ELF executable. Security agencies have associated it with a botnet used to target small office and home office network devices, which this large-scale malware has been targeting since 2019. Security researchers have analyzed two samples of the botnet, and their findings reveal how it works:


Cyclops Blink appears to have been professionally developed, given its modular design approach. A comparison of the core component functionality between the analysed samples indicates that they have most likely been developed from a common code base. – Security Researchers

The researchers have also attributed Cyclops Blink to Russian APT “Sandworm”.

Impact

  • DDoS (Distributed Denial of Service)
  • File Encryption
  • System Infection

Indicators of Compromise

IP


Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.