Add files via upload

2022-03-21 14:54:54 +08:00
parent 9e0a697615
commit 65c83a8e53
3 changed files with 75 additions and 0 deletions
--- a/Sandworm/Appendix_Cyclops
+++ b/Sandworm/Appendix_Cyclops
--- a/Sandworm/Cyclops-Blink-Malware-Analysis-Report.pdf
+++ b/Sandworm/Cyclops-Blink-Malware-Analysis-Report.pdf
--- a/Sandworm/Validation-script_Cyclops-Blink-Sets-Sights-on-Asus-Routers-n2HqxTq.txt
+++ b/Sandworm/Validation-script_Cyclops-Blink-Sets-Sights-on-Asus-Routers-n2HqxTq.txt
@@ -0,0 +1,75 @@
 C&C Server Validation Script
 To validate a host suspected of being a Cyclops Blink C&C server, 
 we wrote a script that would perform the TLS handshake, send 
 a 4-byte packet, and wait for the 4-byte response from the 
 server. The source code for the script is as follows:
 #!/usr/bin/env python3
 import socket
 import ssl
 import sys
 import requests
 from pathlib import Path
 def usage():
    print("Usage:\n\t{0} HOST[:]PORT\n\nExamples:\n\t{0} 
 8.8.8.8 443\n\t{0} 
 9.9.9.9:666\n".format(Path(__file__).name))
    sys.exit(1)
 def myip():
    r = requests.get('https://api.ipify.org?format=json')
    return r.json()['ip']
 def check_cyclops_blink_c2(hostname, port, extaddr):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False # Disables hostname checking
    ctx.verify_mode = ssl.CERT_NONE # Do not verify the 
 certificate
    veredict = 'NOT DETECTED'
    response = ''
    try:
        with socket.create_connection((hostname, port), 
 timeout=5) as sock:
            with ctx.wrap_socket(sock, 
 server_hostname=hostname) as ssock:
                ssock.settimeout(10)
                ssock.send(b'\x00\x00\x00\x08')
                response = ssock.read(2048)
                if len(response) == 4:
                    veredict = 'POSSIBLE'
                    if socket.inet_ntoa(response) == extaddr:
                        veredict = 'ACTIVE'
                ssock.close()
    except:
        veredict = 'UNREACHABLE'
    print(hostname,
    port,
    len(response),
    response,
    veredict)
 def main(argv):
    if len(argv) < 2:
        usage()
    # Accepts both host:port or host<space>port
    pos = sys.argv[1].find(':')
    if pos != -1:
        hostname = sys.argv[1][:pos]
        port = sys.argv[1][pos+1:]
    else:
        if len(argv) < 3:
            usage()
        hostname = sys.argv[1]
        port = sys.argv[2]
    check_cyclops_blink_c2(hostname, port, myip())
 if __name__ == "__main__":
    main(sys.argv)