Octopus

Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.[1][2][3]

ID: S0340
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 30 January 2019
Last Modified: 06 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Octopus has used wmic.exe to collect local discovery information.[1]

Enterprise T1005 Data from Local System

Octopus can exfiltrate files from the system using a documents collector tool.[3]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger.[1][3]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Octopus achieved persistence by placing a malicious executable in the Startup directory and by adding an entry under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Registry key.[1]

Enterprise T1113 Screen Capture

Octopus can capture screenshots of the victim’s machine.[1][2][3]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

Octopus has used HTTP GET and POST requests for C2 communications.[1][3]

Enterprise T1560.001 Archive Collected Data: Archive via Utility

Octopus has compressed data before exfiltrating it using a tool called Abbrevia.[3]

Enterprise T1074.001 Data Staged: Local Data Staging

Octopus has stored collected information in the Application Data directory on a compromised host.[1][3]

Enterprise T1132.001 Data Encoding: Standard Encoding

Octopus has encoded C2 communications in Base64.[1]

Enterprise T1083 File and Directory Discovery

Octopus can collect information on the Windows directory and search for compressed RAR files on the host.[1][2][3]

Enterprise T1204.002 User Execution: Malicious File

Octopus has relied upon users clicking on a malicious attachment delivered through spearphishing.[3]

Enterprise T1082 System Information Discovery

Octopus can collect system drive information, the computer name, the size of the disk, OS version, and OS architecture information.[1]

Enterprise T1033 System Owner/User Discovery

Octopus can collect the username from the victim’s machine.[1]

Enterprise T1016 System Network Configuration Discovery

Octopus can collect the host IP address from the victim’s machine.[1]

Enterprise T1105 Ingress Tool Transfer

Octopus can download additional files and tools onto the victim’s machine.[1][2][3]

Enterprise T1041 Exfiltration Over C2 Channel

Octopus has uploaded stolen files and data from a victim's machine over its C2 channel.[1]

Enterprise T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Octopus has exfiltrated data to file sharing sites.[3]

Enterprise T1566.001 Phishing: Spearphishing Attachment

Octopus has been delivered via spearphishing emails.[3]

Groups That Use This Software

ID Name References
G0133 Nomadic Octopus [1][2][3]

References