S0340 Octopus
Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.[2][3][1]
Item | Value
---|---
ID | S0340
Associated Names | 
Type | MALWARE
Version | 2.0
Created | 30 January 2019
Last Modified | 06 April 2022
Techniques Used
Domain | ID | Name | Use
---|---|---|---
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | Octopus has used HTTP GET and POST requests for C2 communications.[2][1]
enterprise | T1560 | Archive Collected Data | -
enterprise | T1560.001 | Archive via Utility | Octopus has compressed data before exfiltrating it using a tool called Abbrevia.[1]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Octopus achieved persistence by placing a malicious executable in the startup directory and has added the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to the Registry.[2]
enterprise | T1132 | Data Encoding | -
enterprise | T1132.001 | Standard Encoding | Octopus has encoded C2 communications in Base64.[2]
enterprise | T1005 | Data from Local System | Octopus can exfiltrate files from the system using a documents collector tool.[1]
enterprise | T1074 | Data Staged | -
enterprise | T1074.001 | Local Data Staging | Octopus has stored collected information in the Application Data directory on a compromised host.[2][1]
enterprise | T1041 | Exfiltration Over C2 Channel | Octopus has uploaded stolen files and data from a victim’s machine over its C2 channel.[2]
enterprise | T1567 | Exfiltration Over Web Service | -
enterprise | T1567.002 | Exfiltration to Cloud Storage | Octopus has exfiltrated data to file sharing sites.[1]
enterprise | T1083 | File and Directory Discovery | Octopus can collect information on the Windows directory and searches for compressed RAR files on the host.[2][3][1]
enterprise | T1105 | Ingress Tool Transfer | Octopus can download additional files and tools onto the victim’s machine.[2][3][1]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger.[2][1]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | Octopus has been delivered via spearphishing emails.[1]
enterprise | T1113 | Screen Capture | Octopus can capture screenshots of the victim’s machine.[2][3][1]
enterprise | T1082 | System Information Discovery | Octopus can collect system drive information, the computer name, the size of the disk, OS version, and OS architecture information.[2]
enterprise | T1016 | System Network Configuration Discovery | Octopus can collect the host IP address from the victim’s machine.[2]
enterprise | T1033 | System Owner/User Discovery | Octopus can collect the username from the victim’s machine.[2]
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | Octopus has relied upon users clicking on a malicious attachment delivered through spearphishing.[1]
enterprise | T1047 | Windows Management Instrumentation | Octopus has used wmic.exe to gather local discovery information.[2]
Groups That Use This Software
ID | Name | References
---|---|---
G0133 | Nomadic Octopus | [3][2][1]
References
1. Cherepanov, A. (2018, October 4). Nomadic Octopus: Cyber espionage in Central Asia. Retrieved October 13, 2021.
2. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
3. Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.