KOCTOPUS

KOCTOPUS's batch variant is a loader used by LazyScripter since 2018 to launch Octopus and Koadic and, in some cases, QuasarRAT. KOCTOPUS also has a VBA variant with the same functionality as the batch version.[1]

ID: S0669
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 06 December 2021
Last Modified: 22 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1090 Proxy

KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries.[2]

Enterprise T1112 Modify Registry

KOCTOPUS has added and deleted keys from the Registry.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

KOCTOPUS has deobfuscated itself before executing its commands.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

KOCTOPUS can set the AutoRun Registry key with a PowerShell command.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

KOCTOPUS has used PowerShell commands to download additional files.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

KOCTOPUS has used cmd.exe and batch files for execution.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

KOCTOPUS has used VBScript to call wscript to execute a PowerShell command.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials.[1]

Enterprise T1106 Native API

KOCTOPUS can use the LoadResource and CreateProcessW APIs for execution.[1]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

KOCTOPUS has obfuscated scripts with the BatchEncryption tool.[1]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

KOCTOPUS will perform UAC bypass either through fodhelper.exe or eventvwr.exe.[1]

Enterprise T1204 .001 User Execution: Malicious Link

KOCTOPUS has relied on victims clicking on a malicious link delivered via email.[1]

Enterprise T1204 .002 User Execution: Malicious File

KOCTOPUS has relied on victims clicking a malicious document for execution.[1]

Enterprise T1070 .009 Indicator Removal: Clear Persistence

KOCTOPUS can delete the Registry keys it created for persistence as part of its cleanup procedure.[1]

Enterprise T1082 System Information Discovery

KOCTOPUS has checked the OS version using wmic.exe and the find command.[1]

Enterprise T1105 Ingress Tool Transfer

KOCTOPUS has executed a PowerShell command to download a file to the system.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

KOCTOPUS has been distributed via spearphishing emails with malicious attachments.[1]

Enterprise T1566 .002 Phishing: Spearphishing Link

KOCTOPUS has been distributed as a malicious link within an email.[1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

KOCTOPUS has used -WindowStyle Hidden to hide the PowerShell command window.[1]

Groups That Use This Software

ID Name References
G0140 LazyScripter [1]