Analytics Story: Cyclops Blink

Date: 2024-03-14 ID: 7c75b1c8-dfff-46f1-8250-e58df91b6fd9 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server.

Why it matters

Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Linux Iptables Firewall Modification Disable or Modify System Firewall, Impair Defenses Anomaly
Linux Kworker Process In Writable Process Path Masquerade Task or Service, Masquerading Hunting
Linux Stdout Redirection To Dev Null File Disable or Modify System Firewall, Impair Defenses Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational

References

Source: GitHub | Version: 2