Cyclops Blink
Common Information
Type | Value |
---|---|
UUID | 767785ae-1c95-430c-b7de-5d04e1ba12e8 |
Fingerprint | 4875df1fedbc63577f673dd388ff5a30ba27ae58872117fe7a484485ad7f7b31 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Feb. 9, 2023, 3:51 p.m. |
Added to db | Nov. 6, 2024, 11:04 a.m. |
Last updated | Nov. 6, 2024, 11:07 a.m. |
Headline | Cyclops Blink |
Title | Cyclops Blink |
Detected Hints/Tags/Attributes | 96/2/62 |
Source URLs
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 24 | dns.google |
|
Details | Domain | 3 | wgupgrade-dl.new |
|
Details | Domain | 53 | ncsc.gov.uk |
|
Details | 22 | ncscinfoleg@ncsc.gov.uk |
||
Details | File | 6 | a.tmp |
|
Details | File | 3 | configd-hash.xml |
|
Details | File | 49 | config.xml |
|
Details | File | 9 | math.max |
|
Details | md5 | 2 | d01e2c2e8df92edeb8298c55211bc4b6 |
|
Details | md5 | 2 | bbb76de7654337fb6c2e851d106cebc7 |
|
Details | md5 | 3 | 3c9d46dc4e664e20f1a7256e14a33766 |
|
Details | md5 | 3 | 3f22c0aeb1eec4350868368ea1cc798c |
|
Details | sha1 | 4 | 3adf9a59743bc5d8399f67cab5eb2daf28b9b863 |
|
Details | sha1 | 4 | c59bc17659daca1b1ce65b6af077f86a648ad8a8 |
|
Details | sha1 | 4 | 7d61c0dd0cd901221a9dff9df09bb90810754f10 |
|
Details | sha1 | 4 | 438cd40caca70cafe5ca436b36ef7d3a6321e858 |
|
Details | sha256 | 5 | 50df5734dd0c6c5983c21278f119527f9fdf6ef1d7e808a29754ebc5253e9a86 |
|
Details | sha256 | 5 | c082a9117294fa4880d75a2625cf80f63c8bb159b54a7151553969541ac35862 |
|
Details | sha256 | 5 | 4e69bbb61329ace36fbe62f9fb6ca49c37e2e5a5293545c44d155641934e39d1 |
|
Details | sha256 | 5 | ff17ccd8c96059461710711fcc8372cfea5f0f9eb566ceb6ab709ea871190dc6 |
|
Details | IPv4 | 5 | 100.43.220.234 |
|
Details | IPv4 | 5 | 96.80.68.193 |
|
Details | IPv4 | 5 | 188.152.254.170 |
|
Details | IPv4 | 5 | 208.81.37.50 |
|
Details | IPv4 | 6 | 70.62.153.174 |
|
Details | IPv4 | 5 | 2.230.110.137 |
|
Details | IPv4 | 5 | 90.63.245.175 |
|
Details | IPv4 | 5 | 212.103.208.182 |
|
Details | IPv4 | 5 | 50.255.126.65 |
|
Details | IPv4 | 5 | 78.134.89.167 |
|
Details | IPv4 | 5 | 81.4.177.118 |
|
Details | IPv4 | 5 | 24.199.247.222 |
|
Details | IPv4 | 5 | 37.99.163.162 |
|
Details | IPv4 | 5 | 37.71.147.186 |
|
Details | IPv4 | 5 | 105.159.248.137 |
|
Details | IPv4 | 5 | 80.155.38.210 |
|
Details | IPv4 | 6 | 217.57.80.18 |
|
Details | IPv4 | 5 | 151.0.169.250 |
|
Details | IPv4 | 5 | 212.202.147.10 |
|
Details | IPv4 | 5 | 212.234.179.113 |
|
Details | IPv4 | 5 | 185.82.169.99 |
|
Details | IPv4 | 5 | 93.51.177.66 |
|
Details | IPv4 | 4 | 80.15.113.188 |
|
Details | IPv4 | 4 | 80.153.75.103 |
|
Details | IPv4 | 4 | 109.192.30.125 |
|
Details | MITRE ATT&CK Techniques | 86 | T1059.004 |
|
Details | MITRE ATT&CK Techniques | 10 | T1037.004 |
|
Details | MITRE ATT&CK Techniques | 6 | T1542.001 |
|
Details | MITRE ATT&CK Techniques | 70 | T1562.004 |
|
Details | MITRE ATT&CK Techniques | 183 | T1036.005 |
|
Details | MITRE ATT&CK Techniques | 1006 | T1082 |
|
Details | MITRE ATT&CK Techniques | 40 | T1132.002 |
|
Details | MITRE ATT&CK Techniques | 41 | T1008 |
|
Details | MITRE ATT&CK Techniques | 442 | T1071.001 |
|
Details | MITRE ATT&CK Techniques | 74 | T1573.002 |
|
Details | MITRE ATT&CK Techniques | 115 | T1571 |
|
Details | MITRE ATT&CK Techniques | 422 | T1041 |
|
Details | Yara rule | 1 | rule CyclopsBlink_modified_install_upgrade
{
    // Matches ELF files carrying the strings/code bytes of the modified install_upgrade
    // executable embedded in Cyclops Blink (per the meta description below).
    meta:
        author = "NCSC"
        description = "Detects notable strings identified within the modified install_upgrade executable, embedded within Cyclops Blink"
        date = "2022-02-23"
        // hash1..hash4 are the four SHA-1 values that also appear in this page's attribute table.
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
        hash3 = "7d61c0dd0cd901221a9dff9df09bb90810754f10"
        hash4 = "438cd40caca70cafe5ca436b36ef7d3a6321e858"
    strings:
        // printf-style path templates under /pending/ (upgrade staging area, per the rule description).
        $ = "/pending/%010lu_%06d_%03d_p1"
        $ = "/pending/sysa_code_dir/test_%d_%d_%d_%d_%d_%d"
        // Looks like the English letter-frequency ordering (e,t,a,o,n,...); its use is not
        // shown here — presumably an encoding alphabet, TODO confirm from the analysis report.
        $ = "etaonrishdlcupfm"
        // A filesystem path, not a hostname: the same token is listed as a "Domain"
        // in this page's attribute table, which is an extraction artefact rather than a
        // network indicator.
        $ = "/pending/WGUpgrade-dl.new"
        $ = "/pending/bin/install_upgraded"
        // Raw code bytes. The encodings are consistent with 32-bit big-endian PowerPC
        // (addi/addis/ori/stw immediates) — assumption, confirm against the target platform.
        $ = { 38 80 4C 00 }
        $ = { 38 80 4C 05 }
        $ = { 38 80 4C 04 }
        $ = { 3C 00 48 4D 60 00 41 43 90 09 00 00 }
    condition:
        // 0x464c457f is the ELF magic "\x7fELF" read as a little-endian uint32;
        // at least 6 of the 9 strings must be present.
        (uint32(0) == 0x464c457f) and (6 of them)
} |
|
Details | Yara rule | 1 | rule CyclopsBlink_core_command_check
{
    // Matches the command-ID comparison sequence in the Cyclops Blink core component
    // (per the meta description below).
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to test the command ID being sent to the core component of Cyclops Blink"
        date = "2022-02-23"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
    strings:
        // Fixed instruction prefix followed by one of five alternative final bytes;
        // the description says these are command-ID tests, so the alternatives are
        // presumably the five command IDs compared against — confirm from the report.
        $cmd_check = { 81 3F 00 18 88 09 00 05 54 00 06 3E 2F 80 00 ( 07 | 0A | 0B | 0C | 0D ) }
    condition:
        // ELF magic "\x7fELF" as little-endian uint32, and exactly five occurrences of
        // the pattern — i.e. one per alternative byte, not merely "any match".
        (uint32(0) == 0x464c457f) and (#cmd_check == 5)
} |
|
Details | Yara rule | 1 | rule CyclopsBlink_config_identifiers
{
    // Matches the short tags that prefix Cyclops Blink configuration data
    // (per the meta description below).
    meta:
        author = "NCSC"
        description = "Detects the initial characters used to identify Cyclops Blink configuration data"
        date = "2022-02-23"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
    strings:
        // Literal 4-byte tag as plain text.
        $ = "<p: " fullword
        // The three byte patterns below differ only in their 4th byte (6B/63/73 = 'k'/'c'/'s').
        // Read as ASCII, the immediate bytes 3C xx 3A 20 spell "<k: ", "<c: ", "<s: " —
        // the same tag shape as "<p: " above, loaded as code immediates rather than stored
        // as a string. Instruction-set reading (addis/ori/stw, big-endian PowerPC) is an
        // assumption — confirm.
        $ = { 3C 00 3C 6B 60 00 3A 20 90 09 00 00 }
        $ = { 3C 00 3C 63 60 00 3A 20 90 09 00 00 }
        $ = { 3C 00 3C 73 60 00 3A 20 90 09 00 00 }
    condition:
        // ELF magic "\x7fELF" as little-endian uint32; all four strings are required,
        // so this rule is stricter than the others on this page.
        (uint32(0) == 0x464c457f) and (all of them)
} |
|
Details | Yara rule | 1 | import "math"

rule CyclopsBlink_handle_mod_0xf_command
{
    // Matches the flag checks of the module-0xf command handler together with the
    // format string used when uploading file contents (per the meta description below).
    // Note: `math.max` from the import above is mis-extracted elsewhere on this page as a
    // "File" attribute; it is a YARA function, not a file indicator.
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to check module ID 0xf control flags and a format string used for file content upload"
        date = "2022-10-27"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
    strings:
        // Four flag-test sequences that share the same leading bytes (54 00 06 3E) and differ
        // in the tested bit field; the condition below requires them to occur in this order
        // in the file.
        $test_exec = { 54 00 06 3E 54 00 07 FE 54 00 06 3E 2F 80 00 00 }
        $test_addmod = { 54 00 06 3E 54 00 07 BC 2F 80 00 00 }
        $test_sc = { 54 00 06 3E 54 00 07 7A 2F 80 00 00 }
        $test_upload = { 54 00 06 3E 54 00 06 F6 2F 80 00 00 }
        // Format string emitted when uploading file content (per the description).
        $upload_fmt = "file:%s\n" fullword
    condition:
        // ELF magic "\x7fELF" as little-endian uint32, the upload format string must be present,
        // and the four flag tests must appear at decreasing offsets
        // (exec > addmod > sc > upload) with exec and upload no more than 0x180 bytes apart.
        // math.min(i, #x) clamps the match index so a string with fewer hits never indexes
        // past its last match.
        // NOTE(review): the iteration set is written as `(math.max(...))`, which in YARA is a
        // single-element integer set, so only the highest match index is checked. Confirm
        // against the published NCSC rule whether a `1..` range lower bound was lost when this
        // page was extracted; if so, the rule as shown is narrower than intended.
        (uint32(0) == 0x464c457f) and ($upload_fmt) and (for all i in (math.max(#test_exec, math.max(#test_addmod, math.max(#test_sc, #test_upload)))) : ( (@test_exec[math.min(i, #test_exec)] > @test_addmod[math.min(i, #test_addmod)]) and (@test_addmod[math.min(i, #test_addmod)] > @test_sc[math.min(i, #test_sc)]) and (@test_sc[math.min(i, #test_sc)] > @test_upload[math.min(i, #test_upload)]) and ((@test_exec[math.min(i, #test_exec)] - @test_upload[math.min(i, #test_upload)]) <= 0x180) ))
} |
|
Details | Yara rule | 1 | rule CyclopsBlink_default_config_values
{
    // Matches the code that writes Cyclops Blink's default configuration values
    // (per the meta description below).
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to set default Cyclops Blink configuration values"
        date = "2022-02-23"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
    strings:
        // Each pattern is an immediate load followed by a store (90 09 xx xx) to a fixed
        // offset — 0x1A4, 0x1A8, 0x1AC, 0x1B0, 0x1C0 — i.e. consecutive fields of a
        // configuration structure being initialised. The big-endian PowerPC reading
        // (li/lis/ori/stw) is an assumption — confirm against the target platform.
        $ = { 38 00 00 19 90 09 01 A4 }
        $ = { 3C 00 00 01 60 00 80 00 90 09 01 A8 }
        $ = { 38 00 40 00 90 09 01 AC }
        $ = { 38 00 01 0B 90 09 01 B0 }
        $ = { 38 00 27 11 90 09 01 C0 }
    condition:
        // ELF magic "\x7fELF" as little-endian uint32; at least 3 of the 5 store sequences.
        (uint32(0) == 0x464c457f) and (3 of them)
} |