1. Home
  2. Software
  3. Octopus

Octopus

Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.[1][2][3]

ID: S0340
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 30 January 2019
Last Modified: 15 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Octopus has used HTTP GET and POST requests for C2 communications.[1][3]
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Octopus has compressed data before exfiltrating it using a tool called Abbrevia.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Octopus achieved persistence by placing a malicious executable in the startup directory.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Octopus encodes C2 communications in Base64.[1]
Enterprise T1005 Data from Local System

Octopus can exfiltrate files from the system using a documents collector tool.[3]
Enterprise T1074 .001 Data Staged: Local Data Staging

Octopus has stored collected information in the Application Data directory on a compromised host.[1][3]
Enterprise T1041 Exfiltration Over C2 Channel

Octopus has uploaded stolen files and data from a victim's machine over its C2 channel.[1]
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Octopus has exfiltrated data to file sharing sites.[3]
Enterprise T1083 File and Directory Discovery

Octopus can collect information on the Windows directory and searches for compressed RAR files on the host.[1][2][3]
Enterprise T1105 Ingress Tool Transfer

Octopus can download additional files and tools onto the victim’s machine.[1][2][3]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger.[1][3]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Octopus has been delivered via spearsphishing emails.[3]
Enterprise T1113 Screen Capture

Octopus can capture screenshots of the victims’ machine.[1][2][3]
Enterprise T1082 System Information Discovery

Octopus can collect system drive information, the computer name, and the size of the disk.[1]
Enterprise T1016 System Network Configuration Discovery

Octopus can collect the host IP address from the victim’s machine.[1]
Enterprise T1033 System Owner/User Discovery

Octopus can collect the username from the victim’s machine.[1]
Enterprise T1204 .002 User Execution: Malicious File

Octopus has relied upon users clicking on a malicious attachment delivered through spearphishing.[3]
Enterprise T1047 Windows Management Instrumentation

Octopus has used wmic.exe for local discovery information.[1]

Groups That Use This Software

ID Name References
G0133 Nomadic Octopus

[2][1][3]

References

  1. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  2. Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.
  1. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.