Sandworm crafts malware to run on ASUS routers

Cyclops Blink seeking new targets.

ASUS has issued new firmware for 14 routers, after being alerted to a Cyclops Blink variant tweaked to run on them.

The move came after Trend Micro alerted the vendor to the issue, having acquired and analysed the variant.

In response, ASUS said it is working on remediations and will continue posting software updates.

ASUS said users should perform a factory reset on their devices, update to the latest firmware, set a strong administrator password, and confirm that remote management is disabled (it is off by default).

Attributed to the Russian-sponsored Sandworm group, Cyclops Blink has been in the wild since 2019, and was recently the subject of a joint US-UK advisory.

Trend said “its C&C servers and bots affect WatchGuard Firebox and ASUS devices that do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage. 

“Hence, we believe that it is possible that the Cyclops Blink botnet’s main purpose is to build an infrastructure for further attacks on high-value targets.”

Infected devices use OpenSSL to encrypt their communication with command and control (C&C) servers.

“The data received from the C&C servers comprises either commands to the core component itself or to one of its modules”, Trend’s advisory stated.

The researchers, Trend’s Feike Hacquebord, Stephen Hilt and Fernando Merces, observed modules that: 

  • Read from and write to the unit's flash memory (which holds the operating system, configuration, and file system);
  • Read system and SSD information, including the files that hold passwords, user groups, mounts, partitions, and network interfaces; and
  • Download files from the C&C servers.

Many infected systems become C&C servers for other bots, Trend said, adding that there are currently around 200 Cyclops Blink victims worldwide.

ASUS said the following devices are vulnerable:

  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (EOL)
  • RT-AC66U (EOL)
  • RT-AC56U (EOL).
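As an added check, not code from iTnews, Trend Micro or ASUS: a short Python triage script that encodes the affected-model table above and decides, for a (model, firmware) pair, whether a router falls inside the advisory's affected range. Because the advisory gives the fixed firmware only as 3.0.0.4.386.xxxx, the comparison stops at the branch component; a router already on the 386 branch is reported as outside the listed range, not as confirmed patched. The version-string layout (dotted integers, e.g. 3.0.0.4.386.12345) is an assumption about how ASUSWRT reports firmware, and the inventory at the bottom is constructed, not real devices.

```python
"""Triage ASUS routers against the Cyclops Blink advisory table.

Added example, not code from iTnews, Trend Micro or ASUS. The model table is
transcribed from the advisory list above; the firmware version format is an
assumption (dotted integers, e.g. "3.0.0.4.386.12345"); the sample inventory
is constructed.
"""
import re
from typing import List, Optional, Tuple

# The advisory says "firmware under 3.0.0.4.386.xxxx". The build number is
# unspecified, so only these five components are compared (branch level).
SAFE_FROM_BRANCH = (3, 0, 0, 4, 386)

# Models listed as vulnerable when running firmware below the 386 branch.
PATCHABLE_MODELS = {
    "GT-AC5300", "GT-AC2900", "RT-AC5300", "RT-AC88U", "RT-AC3100", "RT-AC86U",
    "RT-AC68U", "RT-AC68R", "RT-AC68W", "RT-AC68P", "RT-AC66U_B1", "RT-AC3200",
    "RT-AC2900", "RT-AC1900P",
}

# End-of-life models: listed as vulnerable with no fixed firmware, so they are
# treated as affected regardless of the version they report.
EOL_MODELS = {"RT-AC87U", "RT-AC66U", "RT-AC56U"}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.0.0.4.386.12345' into (3, 0, 0, 4, 386, 12345)."""
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def normalise_model(model: str) -> str:
    """Upper-case the model and restore the 'RT-' prefix the list drops on AC68 variants."""
    name = model.strip().upper().replace(" ", "")
    if name in {"AC68R", "AC68W", "AC68P"}:
        name = "RT-" + name
    return name


def assess(model: str, firmware: Optional[str]) -> str:
    """Classify one device.

    Returns one of:
      'eol-affected'          model is EOL and listed as vulnerable
      'not-listed'            model does not appear in the advisory
      'unknown-version'       firmware missing or not parseable to branch level
      'affected'              listed model on a branch below 386
      'not-in-affected-range' listed model on the 386 branch or later
    """
    name = normalise_model(model)
    if name in EOL_MODELS:
        return "eol-affected"
    if name not in PATCHABLE_MODELS:
        return "not-listed"
    if firmware is None:
        return "unknown-version"
    try:
        parsed = parse_version(firmware)
    except ValueError:
        return "unknown-version"
    depth = len(SAFE_FROM_BRANCH)
    if len(parsed) < depth:
        # Too short to identify the branch; do not guess either way.
        return "unknown-version"
    if parsed[:depth] < SAFE_FROM_BRANCH:
        return "affected"
    return "not-in-affected-range"


# Constructed sample inventory (model, reported firmware); build numbers are placeholders.
SAMPLE_INVENTORY: List[Tuple[str, Optional[str]]] = [
    ("RT-AC86U", "3.0.0.4.384.10000"),
    ("RT-AC86U", "3.0.0.4.386.20000"),
    ("RT-AC66U", "3.0.0.4.382.10000"),
    ("AC68P", "3.0.0.4.384.10000"),
    ("RT-AX88U", "3.0.0.4.386.20000"),
    ("GT-AC5300", None),
]


def triage(inventory: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, Optional[str], str]]:
    """Attach a status to every (model, firmware) pair in a fleet inventory."""
    return [(model, fw, assess(model, fw)) for model, fw in inventory]


if __name__ == "__main__":
    for model, fw, status in triage(SAMPLE_INVENTORY):
        print(f"{model:12} {fw or '-':20} {status}")
```

Feed it a real inventory export and treat anything other than `not-in-affected-range` or `not-listed` as a device to reset, re-flash and re-check, in line with the ASUS guidance above.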
Copyright © iTnews.com.au. All rights reserved.