

Rewterz Threat Alert – Vovabol Ransomware – Active IOCs
April 7, 2022
Rewterz Threat Alert – Pegasus Spyware – Active IOCs
April 7, 2022
Severity
High
Analysis Summary
Cyclops Blink is a malicious Linux ELF executable that security agencies have associated with a botnet targeting small office and home office network devices. This large-scale malware has been active since 2019. Security researchers have analysed two samples of the botnet, and their findings reveal how it works:
Cyclops Blink appears to have been professionally developed, given its modular design. Comparing the core component functionality of the analysed samples indicates that they were most likely developed from a common code base. The researchers have also attributed Cyclops Blink to the Russian APT group “Sandworm”.
The U.S. Department of Justice has announced a court-authorized operation against Cyclops Blink, a two-tiered global botnet of thousands of infected network hardware devices operated by the Russian GRU actor known as Sandworm.
“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes.”
Impact
- DDoS (Distributed Denial of Service)
- File Encryption
- System Infection
Indicators of Compromise
Remediation
- Search for IOCs in your environment.
- Block all threat indicators at your respective controls.
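As an added illustration of the two remediation steps above (example code, not part of the original alert), the following Python refangs a defanged IOC list in the `1[.]2[.]3[.]4` style used in this alert and matches it against firewall and proxy log lines. The indicators and log lines are constructed samples using RFC 5737 documentation addresses, not the alert's own IOCs.

```python
import re
from typing import Iterable

# Constructed sample IOC list in the defanged style threat alerts use.
# These are RFC 5737 documentation addresses, not real indicators.
SAMPLE_IOCS = """
- 192[.]0[.]2[.]10
- 198[.]51[.]100[.]7
- hxxp://203[.]0[.]113[.]5/update
"""

# Constructed firewall/proxy log lines for demonstration only.
SAMPLE_LOGS = [
    "2022-04-07T10:01:12Z fw1 allow src=10.0.0.15 dst=192.0.2.10 dport=443",
    "2022-04-07T10:01:30Z fw1 allow src=10.0.0.22 dst=93.184.216.34 dport=80",
    "2022-04-07T10:02:05Z proxy GET http://203.0.113.5/update from 10.0.0.9",
    "2022-04-07T10:02:44Z fw1 deny src=198.51.100.7 dst=10.0.0.1 dport=22",
]

# Whole-token IPv4 match, so 192.0.2.1 does not match inside 192.0.2.10.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Reverse common defanging: [.] and (.) -> '.', [:] -> ':', hxxp -> http."""
    s = indicator.strip().lstrip("- ").strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s


def parse_ioc_ips(text: str) -> set[str]:
    """Extract the set of IPv4 addresses from a defanged IOC list (URLs included)."""
    ips: set[str] = set()
    for line in text.splitlines():
        ips.update(IPV4.findall(refang(line)))
    return ips


def find_hits(logs: Iterable[str], ioc_ips: set[str]) -> list[tuple[str, str]]:
    """Return (matched_ip, log_line) pairs for every log line touching an IOC IP."""
    hits: list[tuple[str, str]] = []
    for line in logs:
        for ip in IPV4.findall(line):
            if ip in ioc_ips:
                hits.append((ip, line))
    return hits


if __name__ == "__main__":
    for ip, line in find_hits(SAMPLE_LOGS, parse_ioc_ips(SAMPLE_IOCS)):
        print(f"IOC hit {ip}: {line}")
```

Any hit is a lead for incident triage on the named internal host, and the refanged set is what you feed to the blocking rules on your perimeter controls.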