Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. Nomadic Octopus has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.[1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036 | Masquerading | Nomadic Octopus attempted to make Octopus appear as a Telegram Messenger with a Russian interface.[2] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Nomadic Octopus has used PowerShell for execution.[3] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Nomadic Octopus used |
| Enterprise | T1204.002 | User Execution: Malicious File | Nomadic Octopus has attempted to lure victims into clicking on malicious attachments within spearphishing emails.[2][3] |
| Enterprise | T1105 | Ingress Tool Transfer | Nomadic Octopus has used malicious macros to download additional files to the victim's machine.[3] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Nomadic Octopus has targeted victims with spearphishing emails containing malicious attachments.[1][3] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Nomadic Octopus executed PowerShell in a hidden window.[3] |
| ID | Name | References | Techniques |
|---|---|---|---|
| S0340 | Octopus | [1][2][3] | Windows Management Instrumentation, Data from Local System, Masquerading: Match Legitimate Name or Location, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Data Staged: Local Data Staging, Data Encoding: Standard Encoding, File and Directory Discovery, User Execution: Malicious File, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Phishing: Spearphishing Attachment |