Security researchers are warning that the Russian state operatives behind a sophisticated malware campaign are broadening their targets to include Asus and other router manufacturers.
Trend Micro revealed in a blog post yesterday that there are currently 200 victims of the Cyclops Blink malware worldwide. While it originally targeted WatchGuard appliances, there’s now evidence that the campaign is expanding in a bid to build a botnet capable of further attacks.
That inference rests on the observation that the targets themselves do not appear to hold any geopolitical, economic or military advantage for the Russian Sandworm group thought to be behind the campaign.
“For example, some of the live C&Cs are hosted on WatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe and a plumber in the United States,” Trend Micro explained.
“Just like Pawn Storm, Sandworm is fishing with a wide net or looking to compromise assets on a larger scale.”
Cyclops Blink is widely seen as a successor to the prolific VPNFilter malware first exposed in 2018. It’s designed to infect routers and other networked devices to steal data or compromise them for further attacks on other targets.
“Based on our observation, we strongly believe that there are more targeted devices from other vendors. This malware is modular in nature and it is likely that each vendor has different modules and architectures that were thought out well by the Cyclops Blink actors,” Trend Micro concluded.
“Moreover, the purpose of this botnet is still unclear: whether it is intended to be used for DDoS attacks, espionage, or proxy networks remains to be seen. But what is evident is that Cyclops Blink is an advanced piece of malware that focuses on persistence and the ability to survive domain sinkhole attempts and the takedown of its infrastructure.”
Asus has released a security advisory addressing the threat.