During the process you're offered the option of keeping the personal files and apps. If you really think you're infected, then a clean install is needed. To make sure, let our Security Team take a look: Malware Removal Help Posting Instructions
1 - 20 of 43 Posts
Done, but supposedly Cyclops Blink can survive that. I think I'm tossing the Asus router as the easiest solution, it is EOL so won't get additional firmware updates and supposedly this survives a factory reset.
more from techspot --
www.techspot.com
"The new Asus module is built to access and replace a router's flash memory. The botnet reads 80 bytes from the flash memory, writes it to the main communication pipe, and then waits for a command with the data needed to replace the content. A second module gathers data from the infected device and sends it to the C2 server. A third module, "file download (0x0f)," downloads files from the internet using DNS over HTTPS (DoH)."
and from here
"
Malware overview
The malware itself is sophisticated and modular with basic core functionality to beacon (T1132.002) device information back to a server and enable files to be downloaded and executed. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.
The NCSC has published a malware analysis report on Cyclops Blink which provides more detail about the malware.
Post exploitation
Post exploitation, Cyclops Blink is generally deployed as part of a firmware ‘update’ (T1542.001). This achieves persistence when the device is rebooted and makes remediation harder.
Victim devices are organized into clusters and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses (T1008). All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are protected under Transport Layer Security (TLS) (T1071.001), using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.....................
Mitigations
Cyclops Blink persists on reboot and throughout the legitimate firmware update process. Affected organizations should therefore take steps to remove the malware.
WatchGuard has worked closely with the FBI, CISA, NSA and the NCSC, and has provided tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow each step in these instructions to ensure that devices are patched to the latest version and that any infection is removed.
The tooling and guidance from WatchGuard can be found at: Web Detector.
In addition:
Please refer to the accompanying Cyclops Blink malware analysis report for indicators of compromise which may help detect this activity"
so.... I don't know much but definitely stressing over this.
more from techspot --
Cyclops Blink botnet is attacking and actively exploiting Asus routers
Cyclops Blink is a Kremlin-linked malware that has existed since 2019. It is tied to the elite Sandworm hacking group. According to UK's National Cyber Security Centre...
www.techspot.com
"The new Asus module is built to access and replace a router's flash memory. The botnet reads 80 bytes from the flash memory, writes it to the main communication pipe, and then waits for a command with the data needed to replace the content. A second module gathers data from the infected device and sends it to the C2 server. A third module, "file download (0x0f)," downloads files from the internet using DNS over HTTPS (DoH)."
and from here
"
Malware overview
The malware itself is sophisticated and modular with basic core functionality to beacon (T1132.002) device information back to a server and enable files to be downloaded and executed. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.
The NCSC has published a malware analysis report on Cyclops Blink which provides more detail about the malware.
Post exploitation
Post exploitation, Cyclops Blink is generally deployed as part of a firmware ‘update’ (T1542.001). This achieves persistence when the device is rebooted and makes remediation harder.
Victim devices are organized into clusters and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses (T1008). All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are protected under Transport Layer Security (TLS) (T1071.001), using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.....................
Mitigations
Cyclops Blink persists on reboot and throughout the legitimate firmware update process. Affected organizations should therefore take steps to remove the malware.
WatchGuard has worked closely with the FBI, CISA, NSA and the NCSC, and has provided tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow each step in these instructions to ensure that devices are patched to the latest version and that any infection is removed.
The tooling and guidance from WatchGuard can be found at: Web Detector.
In addition:
- If your device is identified as infected with Cyclops Blink, you should assume that any passwords present on the device have been compromised and replace them (see NCSC password guidance for organizations.
- You should ensure that the management interface of network devices is not exposed to the internet.
Please refer to the accompanying Cyclops Blink malware analysis report for indicators of compromise which may help detect this activity"
so.... I don't know much but definitely stressing over this.
I did get into the Bios but ---
It is a Lenovo ideapad 17in, not an Asus computer.
I got into the Bios, I disabled then reenabled Secure Boot. I was not able to find the UEFI setting or hard drive setting.
Then it was asking me for a Bitlocker key, I have never used Bitlocker, I did get the key though so now I can start the computer normally.
But please look at these screenshots of BIOS settings (some stuff redacted , I wasn't sure what was more personal so may have over-redacted)
I don't see where to get into the choices you mentioned above,
Advanced and look for Hard Drive mode. Is it set to IDE/Legacy? Or AHCI? it should be AHCI, If not this will not recognize the drive.
Also, Go to the Boot tab, is the computer setup for UEFI Bios, or Legacy/CSM
in fact I didn't see any advanced setting at all.
Here is the link to the Lenovo support for this model
but I couldn't find anything to help me get into advanced Bios settings.
When I have the USB disk with the Windows media loaded, it sees it (that usb is ESD-USB and it calls it C even though it is an external USB drive) and what it calls Boot drive letter X is actually the internal C drive. But I still get the error message when I try to reinstall Windows. When I take out the USB and restart everything looks ok and the C drive is definitely ok and working.
Please help.
![Computer Personal computer Output device Computer monitor Computer monitor accessory]()
![Computer Personal computer Rectangle Font Parallel]()
![Rectangle Font World Technology Electric blue]()
![Computer Personal computer Output device Gadget Computer monitor]()
![Computer Personal computer Computer monitor Output device Operating system]()
![Computer Personal computer Output device Peripheral Computer monitor]()
![Computer Personal computer Laptop Netbook Output device]()
It is a Lenovo ideapad 17in, not an Asus computer.
I got into the Bios, I disabled then reenabled Secure Boot. I was not able to find the UEFI setting or hard drive setting.
Then it was asking me for a Bitlocker key, I have never used Bitlocker, I did get the key though so now I can start the computer normally.
But please look at these screenshots of BIOS settings (some stuff redacted , I wasn't sure what was more personal so may have over-redacted)
I don't see where to get into the choices you mentioned above,
Advanced and look for Hard Drive mode. Is it set to IDE/Legacy? Or AHCI? it should be AHCI, If not this will not recognize the drive.
Also, Go to the Boot tab, is the computer setup for UEFI Bios, or Legacy/CSM
in fact I didn't see any advanced setting at all.
Here is the link to the Lenovo support for this model
but I couldn't find anything to help me get into advanced Bios settings.
When I have the USB disk with the Windows media loaded, it sees it (that usb is ESD-USB and it calls it C even though it is an external USB drive) and what it calls Boot drive letter X is actually the internal C drive. But I still get the error message when I try to reinstall Windows. When I take out the USB and restart everything looks ok and the C drive is definitely ok and working.
Please help.
Drive letters will change in the Recovery Environment.
In the Select the Drive to Install window, the only drive showing is the USB Flash drive.
You Have Blocked out the Make and Model # of the NVMe Drive.
The only Bootable devices are the Flash drive and the Ethernet Network Adapter.
There is something wrong with the NVMe drive. Try Removing it and Reseating it into the computer. If that fails, you can use a Standard SATA drive
It should look like this:
![Rectangle Font Screenshot Electronic device Parallel]()
In the Select the Drive to Install window, the only drive showing is the USB Flash drive.
You Have Blocked out the Make and Model # of the NVMe Drive.
The only Bootable devices are the Flash drive and the Ethernet Network Adapter.
There is something wrong with the NVMe drive. Try Removing it and Reseating it into the computer. If that fails, you can use a Standard SATA drive
It should look like this:
hi, what is the nvme drive? is that the normal C drive? see screenshot re make and model but everything works ok the rest of the time. doesn't that mean the C drive is ok? i don't know anything about partitions, i didn't partition it but i guess maybe it came with drivers in a different partition?
i am worried about pulling out the c drive (i would definitely be taking it to someone, way past what i can do in terms of hardware) if it seems to work fine in every other way. but do you think this is possibly malware? (have already been cleared in Malware forum though, just a day or two ago).
Definitely the BIOS isn't showing a bootable C drive and i don't understand that at all but especially that it powers on and boots completely normally.
![Font Circle Number Rectangle Pattern]()
i am worried about pulling out the c drive (i would definitely be taking it to someone, way past what i can do in terms of hardware) if it seems to work fine in every other way. but do you think this is possibly malware? (have already been cleared in Malware forum though, just a day or two ago).
Definitely the BIOS isn't showing a bootable C drive and i don't understand that at all but especially that it powers on and boots completely normally.
1 - 20 of 43 Posts
