Cyclops: New Malware Platform Potentially Linked to Charming Kitten
Introduction
On August 14, 2024, cybersecurity firm HarfangLab released a detailed report on Cyclops, a newly identified malware platform believed to be the successor to the notorious BellaCiao malware. Cyclops, written in the Go programming language, has already been deployed against targets in the Middle East and is suspected to be operated by the Iranian state-sponsored threat group Charming Kitten (APT 35). The malware allows its operators to execute arbitrary commands and pivot within infected networks, posing a significant threat to targeted organizations.
Report Overview
Cyclops was first discovered in late July 2024 during an investigation into active malicious implants. The discovery began with the identification of a poorly detected binary linked to a hostname associated with the BellaCiao implant. BellaCiao was previously attributed to Charming Kitten, known for its cyber espionage activities targeting organizations that align with the interests of the Islamic Revolutionary Guard Corps (IRGC).
Cyclops is a sophisticated malware platform designed to reverse-tunnel a REST API to its command and control (C2) server, which is hidden within an SSH tunnel. The platform allows operators to run arbitrary commands, manipulate the target’s file system, and use the infected machine to infiltrate the network further.
The malware is written in Go and leverages the go-svc library, enabling it to run as a service on Windows systems. Cyclops' configuration is encrypted with AES-128 CBC, and the malware employs various anti-analysis measures, including resolving a random validation hostname. The malware establishes an HTTPS server on the infected machine, which is controlled by the operators through the SSH connection.
One of the distinguishing features of Cyclops is its use of a custom protocol for the REST API control channel, which supports commands for arbitrary command execution, file upload/download, and port forwarding via SSH tunnels. The developers have implemented non-standard HTTP authentication and leveraged self-signed TLS certificates to secure the communication channels.
Cyclops poses a severe risk to organizations in the Middle East, particularly those aligned with the geopolitical interests of Iran. The malware’s ability to execute arbitrary commands and infiltrate networks makes it a powerful tool for espionage and potentially destructive operations. The limited detection of Cyclops samples suggests that the malware is still in its early stages, and its full capabilities and reach have yet to be realized.
Insights and Analysis
HarfangLab’s report strongly suggests that Cyclops was developed as a replacement for BellaCiao, with several technical overlaps between the two malware families. The researchers attribute Cyclops to Charming Kitten due to these similarities and the targeting patterns observed. However, they note that more evidence is required to definitively link the malware to the IRGC or fully understand its operational scope.
The discovery of Cyclops highlights the evolving threat landscape and the increasing sophistication of state-sponsored threat actors like Charming Kitten. Organizations in the Middle East and beyond must remain vigilant and take proactive measures to detect and mitigate threats from emerging malware platforms. Enhanced threat intelligence and collaboration within the cybersecurity community will be crucial in countering the activities of advanced persistent threats (APTs) like Charming Kitten.
To mitigate the threat posed by Cyclops, organizations should:
- Regularly update and patch all software and systems.
- Implement network segmentation to limit the lateral movement of attackers.
- Use strong, unique passwords and multi-factor authentication for all accounts.
- Monitor network traffic for unusual activity, particularly involving SSH and HTTPS connections.
- Collaborate with cybersecurity professionals and threat intelligence providers to stay informed about emerging threats.
By staying informed and implementing robust security practices, organizations can better protect themselves against the evolving tactics of sophisticated threat actors.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69 | Hash | SHA-256 hash of the Cyclops malware sample |
| autoupdate[.]uk | Domain | Cyclops validator domain |
| 88.80.145[.]126 | IP Address | Cyclops SSH C2 and validator name server |
| hxxps://127.0.0.1:55561/api/v3/update | URL | Cyclops REST API endpoint |
| servicechecker[.]top | Domain | Possible former BellaCiao or Cyclops validator domain |
| servicesupdate[.]info | Domain | Possible former BellaCiao or Cyclops validator domain |
| mail-update[.]info | Domain | Possible former BellaCiao or Cyclops validator domain |
| freeheadlines[.]top | Domain | Possible former BellaCiao or Cyclops validator domain |
| servicepackupdate[.]info | Domain | Possible former BellaCiao or Cyclops validator domain |
| systemupdate[.]info | Domain | Possible former BellaCiao or Cyclops validator domain |
| 88.80.145[.]93 | IP Address | Possible BellaCiao or Cyclops infrastructure |
| 88.80.145[.]122 | IP Address | Possible BellaCiao or Cyclops infrastructure |
| 88.80.145[.]137 | IP Address | Possible former BellaCiao or Cyclops infrastructure |
| 88.80.145[.]132 | IP Address | Possible former BellaCiao or Cyclops infrastructure |
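The monitoring recommendation above ("monitor network traffic for unusual activity, particularly involving SSH and HTTPS connections") becomes concrete once the indicators in the table are turned into matching rules. The Python below is an added example written for this page, not code from HarfangLab or from the report: it refangs the defanged indicators (`[.]`, `hxxps`), matches listed domains (including their subdomains) and addresses against DNS, proxy and firewall log lines, and flags a loopback listener on the port of the reported REST API URL in a Windows-style `netstat -an` listing. The log lines and the socket listing are constructed for the example; the listener check is a hint only, since nothing on the page says the port cannot change between samples.

```python
"""Match the defanged indicators published for Cyclops against log lines.

Example code added to this page, not taken from the HarfangLab report.
All log lines below are constructed for the example, not real telemetry.
"""
import re
from typing import Dict, List, Optional

# Indicators exactly as defanged in the page's IOC table.
REPORT_IOCS: Dict[str, str] = {
    "autoupdate[.]uk": "Cyclops validator domain",
    "88.80.145[.]126": "Cyclops SSH C2 and validator name server",
    "hxxps://127.0.0.1:55561/api/v3/update": "Cyclops REST API endpoint",
    "servicechecker[.]top": "Possible former BellaCiao or Cyclops validator domain",
    "servicesupdate[.]info": "Possible former BellaCiao or Cyclops validator domain",
    "mail-update[.]info": "Possible former BellaCiao or Cyclops validator domain",
    "freeheadlines[.]top": "Possible former BellaCiao or Cyclops validator domain",
    "servicepackupdate[.]info": "Possible former BellaCiao or Cyclops validator domain",
    "systemupdate[.]info": "Possible former BellaCiao or Cyclops validator domain",
    "88.80.145[.]93": "Possible BellaCiao or Cyclops infrastructure",
    "88.80.145[.]122": "Possible BellaCiao or Cyclops infrastructure",
    "88.80.145[.]137": "Possible former BellaCiao or Cyclops infrastructure",
    "88.80.145[.]132": "Possible former BellaCiao or Cyclops infrastructure",
}


def refang(indicator: str) -> str:
    """Reverse the report's defanging so an indicator can be compared to live data."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Split the refanged indicators by kind so each kind gets a suitable matching rule.
DOMAIN_IOCS: Dict[str, str] = {}
IP_IOCS: Dict[str, str] = {}
LOCAL_PORTS: Dict[int, str] = {}   # loopback REST API port taken from the URL IOC
for _raw, _desc in REPORT_IOCS.items():
    _ioc = refang(_raw)
    if _ioc.startswith("http"):
        LOCAL_PORTS[int(re.search(r":(\d+)/", _ioc).group(1))] = _desc
    elif IPV4_RE.match(_ioc):
        IP_IOCS[_ioc] = _desc
    else:
        DOMAIN_IOCS[_ioc] = _desc

# A hostname or an IPv4 address anywhere inside a free-form log line.
TOKEN_RE = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def match_token(token: str) -> Optional[str]:
    """Return the listed indicator a token hits, counting subdomains of listed domains."""
    token = token.lower().rstrip(".")
    if token in IP_IOCS:
        return token
    for dom in DOMAIN_IOCS:
        if token == dom or token.endswith("." + dom):
            return dom
    return None


def scan_network_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Flag DNS, proxy or firewall lines that reference a listed domain or address."""
    hits = []
    for line in lines:
        for token in TOKEN_RE.findall(line):
            ioc = match_token(token)
            if ioc:
                hits.append({"indicator": ioc,
                             "description": IP_IOCS.get(ioc) or DOMAIN_IOCS[ioc],
                             "line": line})
    return hits


# Loopback or wildcard bind followed by a port and a LISTEN/LISTENING state.
LISTEN_RE = re.compile(r"(127\.0\.0\.1|0\.0\.0\.0):(\d+)\s.*\bLISTEN")


def scan_listeners(netstat_lines: List[str]) -> List[Dict[str, str]]:
    """Flag local listeners on the port of the reported REST API URL (a hint, not proof)."""
    hits = []
    for line in netstat_lines:
        m = LISTEN_RE.search(line)
        if m and int(m.group(2)) in LOCAL_PORTS:
            hits.append({"bind": m.group(1), "port": m.group(2),
                         "description": LOCAL_PORTS[int(m.group(2))], "line": line})
    return hits


# Constructed sample input (not real telemetry): two DNS hits, one firewall hit, two benign lines.
SAMPLE_NETWORK_LOGS = [
    "2024-08-14T09:12:01Z dns client=10.0.0.14 query=autoupdate.uk type=A",
    "2024-08-14T09:12:02Z dns client=10.0.0.14 query=cdn.servicechecker.top type=A",
    "2024-08-14T09:12:05Z fw allow src=10.0.0.14:49812 dst=88.80.145.126:22 proto=tcp",
    "2024-08-14T09:13:40Z dns client=10.0.0.21 query=update.microsoft.com type=A",
    "2024-08-14T09:14:11Z proxy client=10.0.0.21 url=https://www.example.org/ status=200",
]

# Constructed Windows-style `netstat -an` excerpt; only the second line is of interest.
SAMPLE_LISTENERS = [
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
    "  TCP    127.0.0.1:55561        0.0.0.0:0              LISTENING       4120",
    "  TCP    192.168.1.20:49700     52.0.0.1:443           ESTABLISHED     2212",
]

if __name__ == "__main__":
    for hit in scan_network_logs(SAMPLE_NETWORK_LOGS) + scan_listeners(SAMPLE_LISTENERS):
        print(hit)
```

Run as a script it prints four hits: the validator domain lookup, a subdomain of a possible former validator domain, the SSH connection to the C2 address, and the loopback listener on the REST API port. In practice the two scanners would be fed from a log pipeline rather than from the embedded sample lists, and a match on a "possible former" indicator should be treated as a lead to triage, not as confirmation of a Cyclops infection.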
MITRE ATT&CK Table
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | Cyclops may gain access by exploiting vulnerable web servers or services. |
| Execution | Command and Scripting Interpreter | T1059 | Cyclops can execute arbitrary commands on the target system. |
| Persistence | Create or Modify System Process | T1543 | Cyclops installs itself as a service to maintain persistence. |
| Privilege Escalation | Abuse Elevation Control Mechanism | T1548 | Cyclops could potentially exploit elevation control mechanisms to gain privileges. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Cyclops uses encrypted configuration files to evade detection. |
| Command and Control | Encrypted Channel | T1573 | Cyclops uses an SSH tunnel for secure communication with its C2 server. |
| Lateral Movement | Remote Services | T1021 | Cyclops may use the compromised system to move laterally within the network. |
| Collection | Data from Local System | T1005 | Cyclops can collect data from the local system for exfiltration. |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Cyclops can exfiltrate data using its command and control channel. |
| Impact | Data Destruction | T1485 | Cyclops could potentially include destructive capabilities to disrupt operations. |