A new variant of the Cyclops Blink malware has been discovered that targets multiple models of Asus routers.
Written in the C programming language, Cyclops Blink is a modular botnet associated with Sandworm (Voodoo Bear), a Russian advanced persistent threat (APT) group believed to be responsible for a series of high-profile malicious campaigns, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games.
Cyclops Blink has been circulating since at least 2019 and appears to be a replacement framework for the VPNFilter malware exposed in 2018, which compromised network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices, according to U.K. and U.S. intelligence agencies.
Until recently, Cyclops Blink primarily targeted WatchGuard devices, but now security researchers at Trend Micro are warning of a new variant of the malware aimed at Asus routers (Trend Micro's report includes a list of the affected devices along with mitigations).
“Our data also shows that although Cyclops Blink is a state-sponsored botnet, its C&C servers and bots affect WatchGuard Firebox and Asus devices that do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage. Hence, we believe that it is possible that the Cyclops Blink botnet’s main purpose is to build an infrastructure for further attacks on high-value targets,” Trend Micro noted in a technical report.
The malware uses OpenSSL to encrypt communications with its command-and-control (C2) servers, and it includes modules that can read from and write to the devices' flash memory. Because the implant is written into the same flash that a factory reset restores the device from, a reset cannot be relied on to remove it: the malware achieves persistence and survives factory resets.
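The practical consequence of flash-resident persistence is that the only trustworthy way to know whether a device is clean is to compare what is actually in its flash against a known-good vendor image rather than to trust a reset. The following is an added example, not code from the original article or from Trend Micro, showing the kind of comparison a responder would run on a flash dump obtained out of band (for instance over a serial or JTAG connection). The "clean" image and the "dumped" image below are constructed in the example itself; real use would substitute a vendor firmware image and the device's dump, and the offsets, payload bytes and the 16-byte merge gap are illustrative assumptions.

```python
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, for comparison against a vendor-published hash."""
    return hashlib.sha256(data).hexdigest()


def changed_regions(clean: bytes, dumped: bytes, merge_gap: int = 16) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of bytes where `dumped` differs from `clean`.

    Differing bytes separated by at most `merge_gap` identical bytes are reported as
    one region, so a patched block with a few untouched bytes inside it shows up as a
    single finding rather than many. A length mismatch is reported as a final region
    covering the extra bytes, whichever image is longer.
    """
    regions: List[Tuple[int, int]] = []
    n = min(len(clean), len(dumped))
    start = None  # offset where the current differing run began
    last = 0      # offset of the most recent differing byte
    for i in range(n):
        if clean[i] != dumped[i]:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > merge_gap:
            regions.append((start, last - start + 1))
            start = None
    if start is not None:
        regions.append((start, last - start + 1))
    if len(clean) != len(dumped):
        regions.append((n, abs(len(clean) - len(dumped))))
    return regions


def check_dump(clean: bytes, dumped: bytes) -> Dict[str, object]:
    """Summarise whether a flash dump matches the known-good image and where it deviates."""
    regions = changed_regions(clean, dumped)
    return {
        "clean_sha256": sha256_hex(clean),
        "dumped_sha256": sha256_hex(dumped),
        "matches": not regions,
        "regions": regions,
        "modified_bytes": sum(length for _, length in regions),
    }


# Constructed sample data (assumption): a 4 KiB pseudo-image and a dump of the same
# image with two injected modifications, standing in for a real vendor firmware file
# and a real flash dump.
CLEAN_IMAGE = bytes(i % 251 for i in range(4096))
_dump = bytearray(CLEAN_IMAGE)
_dump[0x800:0x807] = b"PAYLOAD"   # a 7-byte change ...
_dump[0x810] = ord("X")           # ... and a 1-byte change 9 bytes later: merged into one region
_dump[0xF00:0xF02] = b"ZZ"        # a separate 2-byte change far away: its own region
DUMPED_IMAGE = bytes(_dump)

if __name__ == "__main__":
    result = check_dump(CLEAN_IMAGE, DUMPED_IMAGE)
    print("matches vendor image:", result["matches"])
    for offset, length in result["regions"]:
        print(f"modified region at 0x{offset:06x}, {length} bytes")
```

A dump that yields `matches: True` against the vendor image the device claims to run is the evidence a reset alone cannot give; any reported region is something to extract and examine before deciding whether to reflash or replace the unit.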
Trend Micro said it identified more than 200 Cyclops Blink victims around the world, mostly in the US, India, Italy, Canada, and Russia.
“Over the past few years, IoT attacks have been escalating globally and internet routers have been one of the primary targets. There are several reasons that these devices are favored by an attacker — the infrequency of patching, the lack of security software, and the limited visibility of defenders. Combined, these allow for the possibility of what we refer to as "eternal botnets." Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do,” the researchers warned.