Undocumented Malware Platform “Cyclops” Lets Hackers to Write Arbitrary Commands on Windows

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Researchers have uncovered a new and previously undocumented malware platform named “Cyclops.” Written in the Go programming language, Cyclops has been linked to the notorious hacking group Charming Kitten, also known as APT 35.

This malware platform enables operators to execute arbitrary commands on targeted systems, posing a severe threat to cybersecurity in the Middle East and potentially beyond.

Cyclops first emerged in July 2024, when researchers identified a poorly detected binary associated with the BellaCiao malware, which had previously been linked to Charming Kitten.

The discovery suggests Cyclops may be a successor to BellaCiao, with development likely completed in December 2023. The malware platform is controlled through an HTTP REST API, exposed via an SSH tunnel, allowing operators to manipulate the target’s file system and pivot within the infected network.

Poor detection of the identified binary on a public online multiscanner service, as of July 30, 2024

Infection Chain

According to the HarfangLabs reports, the exact method of Cyclops deployment remains unclear. However, based on past incidents involving BellaCiao, researchers believe Cyclops could be deployed on servers through the exploitation of vulnerable services, such as ASP .NET webshells or Exchange Web server vulnerabilities.

The malware’s filename, “Microsoft SqlServer.exe,” suggests an attempt to impersonate legitimate server processes.

Filename Microsoft SqlServer.exe
Compiler Go 1.22.4
Hash (SHA256) fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69

Malware Composition

Cyclops is a sophisticated malware platform written in Go, utilizing the go-svc library to run as a service on Windows systems. It allows operators to execute arbitrary commands, manipulate the file system, and use the infected machine to pivot into the network.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

The binary’s dependencies indicate that development concluded in December 2023, with the Go compiler version 1.22.4 used, released in June 2024.

SSH Tunneling and HTTPS Server

Upon startup, Cyclops loads an AES-128 CBC encrypted configuration, which includes details about its command and control (C2) server.

The malware uses SSH tunneling to forward ports to the C2 server, and it starts a built-in HTTPS server to handle incoming requests. The server employs a modified version of the gorilla/mux package for handling HTTPS requests, with basic HTTP authentication implemented manually.


{

    "StartDelay": 5000

    "SonarConfigs": {

        "Cycle": 1800000,

        "HostName": "lialb.autoupdate[.]uk",

        "HostNameFormat": "%s.%s",

        "ExpectedAddress": [REDACTED]

    },

    "BeamConfigs": {

        "BeamAgent": "SSH-2.2-OpenSSH_for_Windows_8.1",

        "UserName": [REDACTED],

        "Password": [REDACTED],

        "Host": "88.80.145[.]126:443",

        "LocalAddress": "127.0.0.1:9090",

        "RemoteAddress": "127.0.30.3:9090",

        "Retry": 10

    }

}

REST API Control Channel

Cyclops’s REST API control channel is a critical component, allowing operators to send commands through a single endpoint. The API accepts only POST requests, with payloads required to be in a multipart file format. Commands include arbitrary command execution, file upload and download, and port forwarding via SSH tunnels.

Size (bytes) Name (ours) Description
36 Unused
4 command_description_size Size of the next field (network byte order)
command_description_size command_description The requested command passed as a JSON object
Until the end of the packet command_arguments The parameters to give to the command, also as a JSON object

Command Structure

Cyclops supports various command types, each with specific functionalities:

  • Review: Executes arbitrary commands using Go’s os.exec package.
  • Upload/Download: Facilitates file transfer between the infected machine and the C2 server.
  • Port Forwarding: Sets up SSH tunnels for port forwarding.
  • Server Management: Controls the internal HTTPS server, including shutdown operations.

Infrastructure and Attribution

Cyclops’s infrastructure relies on domain name resolutions for operation, similar to BellaCiao. The malware’s operators control DNS resolutions through operator-owned name servers, allowing them to manage the execution flow.

The infrastructure analysis links Cyclops to Charming Kitten, a group associated with Iran’s Islamic Revolutionary Guard Corps (IRGC). However, more evidence is needed to confirm definitive attribution.

While information about Cyclops’s targets is limited, researchers have identified a non-profit organization in Lebanon and a telecommunications company in Afghanistan as potential victims.

The malware’s limited prevalence suggests it is still in its early stages, but the discovery highlights Charming Kitten’s evolving capabilities and the ongoing threat to cybersecurity in the region.

The discovery of Cyclops underscores the persistent threat posed by advanced persistent threat (APT) groups like Charming Kitten. The malware’s sophisticated design and use of the Go programming language reflect increased proficiency and adaptability among threat actors.

By sharing this research, cybersecurity experts hope to enhance detection and mitigation efforts, curbing the spread of Cyclops and protecting potential targets from future attacks. 

This comprehensive analysis of Cyclops provides valuable insights into the malware’s capabilities, infrastructure, and potential impact. As cybersecurity threats evolve, staying informed and vigilant remains crucial in defending against such sophisticated attacks.

Indicators of compromise (IOCs)

Hashes (SHA-256)

fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69|Cyclops

Domains

autoupdate[.]uk|Cyclops validator

IP Addresses

88.80.145.126|Cyclops SSH C2 and validator NS

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces