
Malware platform “Cyclops” allows hackers to write arbitrary commands

Researchers have discovered a new and previously undocumented malware platform called “Cyclops”. Cyclops was written in the Go programming language and is associated with the notorious hacker group Charming Kitten, also known as APT 35.

This malware platform allows operators to execute arbitrary commands on targeted systems, posing a serious cybersecurity threat in the Middle East and potentially beyond.


Cyclops first appeared in July 2024 when researchers identified a poorly detected binary associated with the BellaCiao malware, which had previously been associated with Charming Kitten.

The discovery suggests that Cyclops could be a successor to BellaCiao; Cyclops’ own development was likely completed in December 2023. The malware platform is controlled via an HTTP REST API exposed through an SSH tunnel, allowing operators to manipulate the target’s file system and move within the infected network.

Poor detection of the identified binary on a public online multi-scanner service, as of July 30, 2024

Chain of infection

According to HarfangLab’s report, the exact method of Cyclops deployment remains unclear. However, based on previous incidents involving BellaCiao, researchers believe Cyclops could be deployed to servers through vulnerable Internet-facing services, for example via ASP.NET web shells or Exchange web server vulnerabilities.

The malware’s file name, “Microsoft SqlServer.exe,” suggests an attempt to imitate legitimate server processes.

File name: Microsoft SqlServer.exe
Compiler: Go 1.22.4
Hash (SHA-256): fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69

Composition of the malware

Cyclops is a malware platform written in Go that uses the go-svc library to run as a Windows service. It allows operators to execute arbitrary commands, manipulate the file system, and use the infected machine as a foothold to move further into the network.


The binary’s dependencies indicate that development was likely completed around December 2023, although the sample itself was compiled with Go 1.22.4, released in June 2024, so it was built well after that.

SSH tunneling and HTTPS servers

At startup, Cyclops loads an AES-128 CBC encrypted configuration that contains details about its command-and-control server (C2).

The malware uses SSH tunneling to forward ports to the C2 server and starts a built-in HTTPS server to handle incoming requests. The server uses a modified version of the Gorilla/Mux package to route HTTPS requests, with HTTP Basic authentication implemented manually.


Decrypted configuration of the analyzed sample (sensitive values redacted):

{
    "StartDelay": 5000,
    "SonarConfigs": {
        "Cycle": 1800000,
        "HostName": "lialb.autoupdate(.)uk",
        "HostNameFormat": "%s.%s",
        "ExpectedAddress": (REDACTED)
    },
    "BeamConfigs": {
        "BeamAgent": "SSH-2.2-OpenSSH_for_Windows_8.1",
        "UserName": (REDACTED),
        "Password": (REDACTED),
        "Host": "88.80.145(.)126:443",
        "LocalAddress": "127.0.0.1:9090",
        "RemoteAddress": "127.0.30.3:9090",
        "Retry": 10
    }
}
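As an added illustration, and not code from the HarfangLab report or from the malware itself, the following Go program shows how an analyst might write a configuration extractor for a recovered Cyclops blob: AES-128-CBC decryption with a strict PKCS#7 padding check, followed by unmarshalling into a struct that mirrors the field names shown above. The key, the IV, the padding scheme and the placeholder values substituted for the redacted fields are all assumptions; the report does not publish how the key is derived or where the IV is stored, so a real extractor would take those from reverse engineering of the sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/json"
	"errors"
	"fmt"
)

// CyclopsConfig mirrors the field names of the decrypted configuration
// printed above; the struct itself is this example's own.
type CyclopsConfig struct {
	StartDelay   int `json:"StartDelay"`
	SonarConfigs struct {
		Cycle           int    `json:"Cycle"`
		HostName        string `json:"HostName"`
		HostNameFormat  string `json:"HostNameFormat"`
		ExpectedAddress string `json:"ExpectedAddress"`
	} `json:"SonarConfigs"`
	BeamConfigs struct {
		BeamAgent     string `json:"BeamAgent"`
		UserName      string `json:"UserName"`
		Password      string `json:"Password"`
		Host          string `json:"Host"`
		LocalAddress  string `json:"LocalAddress"`
		RemoteAddress string `json:"RemoteAddress"`
		Retry         int    `json:"Retry"`
	} `json:"BeamConfigs"`
}

// DecryptConfig decrypts an AES-128-CBC blob with a key and IV recovered by
// the analyst, validates the PKCS#7 padding (assumed scheme) and parses the
// JSON inside.
func DecryptConfig(key, iv, ciphertext []byte) (*CyclopsConfig, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 needs a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(iv) != bs || len(ciphertext) == 0 || len(ciphertext)%bs != 0 {
		return nil, errors.New("IV or ciphertext length is not block-aligned")
	}
	plain := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ciphertext)
	// Reject malformed padding instead of handing garbage to the JSON parser;
	// a wrong key or IV almost always shows up here first.
	n := int(plain[len(plain)-1])
	if n == 0 || n > bs || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key, IV or cipher mode")
	}
	var cfg CyclopsConfig
	if err := json.Unmarshal(plain[:len(plain)-n], &cfg); err != nil {
		return nil, fmt.Errorf("config is not valid JSON: %w", err)
	}
	return &cfg, nil
}

// EncryptConfig is the inverse; it exists only to build test input, since
// the report does not publish the key or the key-derivation scheme.
func EncryptConfig(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	n := bs - len(plaintext)%bs
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// SampleConfigJSON is a constructed plaintext using the published field
// names; values the report redacts are replaced with placeholders.
const SampleConfigJSON = `{"StartDelay":5000,"SonarConfigs":{"Cycle":1800000,"HostName":"lialb.autoupdate(.)uk","HostNameFormat":"%s.%s","ExpectedAddress":"192.0.2.1"},"BeamConfigs":{"BeamAgent":"SSH-2.2-OpenSSH_for_Windows_8.1","UserName":"redacted","Password":"redacted","Host":"88.80.145(.)126:443","LocalAddress":"127.0.0.1:9090","RemoteAddress":"127.0.30.3:9090","Retry":10}}`

func main() {
	key := []byte("0123456789abcdef") // assumed key, not the sample's
	iv := []byte("fedcba9876543210")  // assumed IV
	blob, _ := EncryptConfig(key, iv, []byte(SampleConfigJSON))
	cfg, err := DecryptConfig(key, iv, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("SSH C2 %s, local forward %s -> %s, validator %s every %d ms\n",
		cfg.BeamConfigs.Host, cfg.BeamConfigs.LocalAddress, cfg.BeamConfigs.RemoteAddress,
		cfg.SonarConfigs.HostName, cfg.SonarConfigs.Cycle)
}
```

The padding check matters in practice: CBC with a wrong key still "succeeds" and returns random bytes, so rejecting bad padding before the JSON parser gives a clear signal that the recovered key or IV is wrong rather than a confusing parse error.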

REST API control channel

Cyclops’ REST API control channel is a key component that allows operators to send commands through a single endpoint. The API only accepts POST requests, with the payload delivered as a multipart file upload. Commands include executing arbitrary commands, uploading and downloading files, and port forwarding through SSH tunnels.

Size (bytes)                | Name (researchers’ naming) | Description
36                          | Unused                     |
4                           | Command description size   | Size of the next field (network byte order)
Command description size    | Command description        | The requested command, passed as a JSON object
Until the end of the packet | Command arguments          | The parameters to be passed to the command, also as a JSON object
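The following Go parser for that packet layout is an added example, not code from the report or from the malware. It decodes the 36 unused bytes, the 4-byte big-endian length, the JSON command description and the trailing JSON arguments, and it checks the declared length against the buffer before slicing, which is the check a replay tool or a network decoder needs so that a hostile or truncated message cannot crash it. The JSON field names in the constructed sample message ("type", "cmd") are made up, since the report does not publish the command schema.

```go
package main

import (
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// headerUnused is the leading 36-byte field that the analysts left unnamed.
const headerUnused = 36

// Command is the decoded content of one control message: the command
// descriptor JSON and the argument JSON that follows it.
type Command struct {
	Description map[string]interface{}
	Arguments   map[string]interface{}
}

// ParseCommand decodes the multipart file body: 36 unused bytes, a 4-byte
// network-byte-order length, a JSON command description of that length,
// and JSON arguments running to the end of the buffer.
func ParseCommand(body []byte) (*Command, error) {
	if len(body) < headerUnused+4 {
		return nil, errors.New("body shorter than the fixed header")
	}
	descLen := binary.BigEndian.Uint32(body[headerUnused : headerUnused+4])
	descStart := headerUnused + 4
	// Bound the declared length before slicing; an attacker-controlled
	// length must never index past the buffer.
	if uint64(descLen) > uint64(len(body)-descStart) {
		return nil, fmt.Errorf("description length %d exceeds remaining %d bytes", descLen, len(body)-descStart)
	}
	descEnd := descStart + int(descLen)
	var cmd Command
	if err := json.Unmarshal(body[descStart:descEnd], &cmd.Description); err != nil {
		return nil, fmt.Errorf("command description: %w", err)
	}
	if args := body[descEnd:]; len(args) > 0 {
		if err := json.Unmarshal(args, &cmd.Arguments); err != nil {
			return nil, fmt.Errorf("command arguments: %w", err)
		}
	}
	return &cmd, nil
}

// BuildCommand is the encoder for the same layout, used here to construct
// the sample message; the unused header bytes are left zeroed.
func BuildCommand(desc, args []byte) []byte {
	buf := make([]byte, headerUnused+4, headerUnused+4+len(desc)+len(args))
	binary.BigEndian.PutUint32(buf[headerUnused:], uint32(len(desc)))
	buf = append(buf, desc...)
	return append(buf, args...)
}

func main() {
	// Constructed sample; the JSON keys are illustrative, not the real schema.
	msg := BuildCommand([]byte(`{"type":"exec"}`), []byte(`{"cmd":"whoami"}`))
	cmd, err := ParseCommand(msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("description=%v arguments=%v\n", cmd.Description, cmd.Arguments)
}
```

Because the arguments field simply runs to the end of the packet, there is no second length prefix to validate; a decoder only has to guard the one declared length, and the JSON parser rejects anything that does not form a complete object.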

Command structure

Cyclops supports different command types, each with specific functions:

  • Command execution: runs arbitrary commands using Go’s os/exec package.
  • Upload/Download: Facilitates file transfer between the infected machine and the C2 server.
  • Port forwarding: Sets up SSH tunnels for port forwarding.
  • Server administration: Controls the internal HTTPS server, including shutdown operations.

Infrastructure and Attribution

Cyclops’ infrastructure relies on domain name resolutions for its operation, similar to BellaCiao. The malware’s operators control DNS resolutions via their own name servers and can thus control the execution flow.

Infrastructure analysis links Cyclops to Charming Kitten, a group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), but more evidence is needed to confirm the clear attribution.

While information about Cyclops’ targets is limited, researchers have identified a nonprofit organization in Lebanon and a telecommunications company in Afghanistan as possible victims.

The low prevalence of the malware suggests that it is still in its early stages, but the discovery highlights Charming Kitten’s evolving capabilities and the ongoing cybersecurity threat in the region.

The discovery of Cyclops underscores the ongoing threat posed by advanced persistent threat (APT) groups such as Charming Kitten. The malware’s design, including the move to Go, shows the group continuing to adapt its tooling.

By sharing this research, cybersecurity experts hope to improve detection and containment efforts, limit the spread of Cyclops, and protect potential targets from future attacks.

HarfangLab’s analysis of Cyclops provides valuable insight into the malware’s capabilities, infrastructure, and potential impact. With cybersecurity threats constantly evolving, it remains critical to stay informed and vigilant to defend against such attacks.

Indicators of compromise (IOCs)

Hash values (SHA-256)

fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69|Cyclops

Domains

autoupdate(.)uk|Cyclops validator

IP addresses

88.80.145.126|Cyclops SSH C2 and Validator NS
