Octopus is a Windows Trojan that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014. The Trojan can capture screenshots of the victim's machine, collect the username from the victim's machine, and upload stolen files and data from the victim's machine over its C2 channel. Octopus has also exfiltrated data to file sharing sites and has relied upon users clicking on a malicious attachment delivered through spearphishing.
Octopus Malware Capabilities
Octopus may use a variety of techniques to collect information and exfiltrate data from a target system. These include taking screenshots, encoding data, stealing data, and using cloud storage services. Octopus may also transfer tools or other files from an external system into a compromised environment. Octopus may conduct various forms of discovery in order to gather information about the target system and network; this information may be used to determine how best to infect the system and evade detection. Octopus may also stage collected data in a central location prior to exfiltration.
- Octopus may attempt to take screen captures of the desktop to gather information over the course of an operation. Additionally, Octopus may abuse Windows Management Instrumentation to execute malicious commands and payloads. Remote access is facilitated by Distributed Component Object Model and Windows Remote Management. Data encoding schemes that may be used include ASCII, Unicode, hexadecimal, Base64, and MIME.
- The Octopus malware may attempt to collect information on users of a system, including account names and active sessions. This information may be used to determine whether or not to fully infect the system and/or carry out specific actions. Data may be exfiltrated to a cloud storage service instead of over the primary command and control channel.
- The Octopus adversary may use various files that require user execution in order to gain code execution on a victim system. These files may be transferred from an external system via the command and control channel or other protocols such as FTP. Once on the system, the adversary may use utilities to compress and/or encrypt the data prior to exfiltration.
- The Octopus malware may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. This information may be used to shape follow-on behaviors.
- Octopus may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
- The Octopus malware may collect data from a target system and stage it in a central location for exfiltration. It may use application layer protocols associated with web traffic to avoid detection.
- Octopus may conduct network reconnaissance to gather information about potential targets, and may also send spearphishing emails with malicious attachments in an attempt to gain access to victim systems. Octopus may also use evasive tactics, such as matching or approximating the name or location of legitimate files or resources, to avoid detection.
Ways to Mitigate Octopus Malware Attacks
- The Octopus malware is a remote access tool that uses the Windows Management Instrumentation (WMI) to gain control of a system. It can be used to capture screenshots and collect information about the system and its users. To mitigate this malware, it is recommended to monitor for unusual process behavior, monitor for WMI connections, and capture and analyze network traffic.
- The Octopus malware is difficult to detect and mitigate due to its ability to adapt to different environments. System and network discovery techniques are necessary to identify unusual activity that may be associated with the malware. Analysis of network data can help to identify suspicious activity and communications that do not follow expected protocol behavior. User behavior monitoring may also be helpful in identifying abnormal patterns of activity associated with the malware.
- The Octopus malware mitigation strategy includes monitoring for file creation and files transferred into the network, as well as unusual processes with external network connections that create files on-system. Additionally, common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities.
- The Octopus malware can be mitigated by monitoring processes and command-line arguments for actions that could be taken to collect files from a system, as well as by monitoring Registry changes and startup programs for changes that could be attempts at persistence.
- The Octopus malware mitigation techniques involve monitoring process activity for signs of data staging, such as compression and encryption of files, and also analyzing network data flows for unusual patterns that could indicate malicious activity. These measures can help to detect and prevent data exfiltration by adversaries.
- The Octopus malware can be mitigated by using system and network discovery techniques, as well as by using intrusion detection systems and email gateways. Additionally, file hashes can be collected and monitored for changes, and files that are modified outside of an update or patch are suspect.
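As an added detection example (not code from the Octopus malware or from any vendor product), the following Python applies the monitoring recommendations above to constructed Sysmon-style events: Sysmon event IDs 13, 11 and 1 are its registry-value-set, file-create and process-create events, and the sample events, rule names and the short list of commonly impersonated system binaries are assumptions made for the example.

```python
"""Added detection example (not Octopus code, not from any vendor tool): flag the
Registry run key and startup folder persistence, WMI-spawned execution and
file-name masquerading patterns named on this page in Sysmon-style events."""
import re

# Constructed sample events, not real telemetry; field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": r"C:\Program Files\App\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "app.exe"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Hypothetical list of names an implant commonly borrows; a copy outside C:\Windows is suspect.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "wmiprvse.exe"}


def is_masquerading(image_path):
    """True when a Windows system binary name runs from outside C:\\Windows."""
    name = image_path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_BINARIES and not image_path.lower().startswith("c:\\windows\\")


def analyze(events):
    """Return (rule, evidence) findings, one list entry per matched rule."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            findings.append(("run_key_persistence", ev["TargetObject"]))
        elif eid == 11 and STARTUP_RE.search(ev.get("TargetFilename", "")):
            findings.append(("startup_folder_persistence", ev["TargetFilename"]))
        elif eid == 1 and ev.get("ParentImage", "").lower().endswith("\\wmiprvse.exe"):
            # The WMI provider host spawning a shell is the execution path described above.
            findings.append(("wmi_spawned_process", ev.get("CommandLine", "")))
        image = ev.get("Image", "")
        if image and is_masquerading(image):
            findings.append(("masquerading_system_binary", image))
    return findings


if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

On the constructed events the first event produces two findings (a Run key write and a system-binary name running from a Temp folder); in production the same rules would be fed from Sysmon or EDR telemetry rather than an inline list.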
About Nomadic Octopus Threat Group
Nomadic Octopus is a Russian-speaking cyberespionage threat group that has primarily targeted Central Asia since at least 2014, conducting campaigns involving Android and Windows malware.