Appendix - Cyclops Blink Sets Sights On ASUS Routers


Cyclops Blink Sets Sights on Asus Routers

By Feike Hacquebord, Stephen Hilt, Fernando Merces

APPENDIX
Appendix A: Indicators of Compromise (IOCs)

SHA-256 ccae8f66ef880ac02b9affdeaca07a7ddb9428b4f683fd55b35ea3ec20ead5ca

ID 0xA08F078B

RSA-2560 Public Key

Telfhash t1f06196ca4c3bce13c522d62c7ce53f1a41465406b463ed005ef8f2684e5356aa18eb79

SHA-256 7923585e8e6117eb6b3fb4a12871bc31b81d54a7ed297927bf72715c45c41da6

ID 0xBD0A5B36
RSA-2560 Public Key

Telfhash t1f06196ca4c3bce13c522d62c7ce53f1a41465406b463ed005ef8f2684e5356aa18eb79

Appendix A: Cyclops Blink Command-and-Control (C&C) Servers


Note: The IP addresses in bold were live C&Cs at the time of authoring this report.

Appendix A: Observed TCP Ports of Cyclops Blink C&Cs

TCP Ports: 636, 989, 990, 992, 994, 995, 3269, 8443

Appendix A: SSL Certificates of Cyclops Blink C&Cs



TREND MICRO™ RESEARCH


www.trendmicro.com
