Currently viewing ATT&CK v18.1 which is the current version of ATT&CK. Learn more about the versioning system or see the live site.
ATT&CK v18 has been released! Check out the blog post or changelog for more information.
  1. Home
  2. Software
  3. KOCTOPUS

KOCTOPUS

KOCTOPUS's batch variant is loader used by LazyScripter since 2018 to launch Octopus and Koadic and, in some cases, QuasarRAT. KOCTOPUS also has a VBA variant that has the same functionality as the batch version.[1]

ID: S0669
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 06 December 2021
Last Modified: 17 November 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

KOCTOPUS will perform UAC bypass either through fodhelper.exe or eventvwr.exe.[1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

KOCTOPUS can set the AutoRun Registry key with a PowerShell command.[1]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

KOCTOPUS has used PowerShell commands to download additional files.[1]
.003 Command and Scripting Interpreter: Windows Command Shell

KOCTOPUS has used cmd.exe and batch files for execution.[1]
.005 Command and Scripting Interpreter: Visual Basic

KOCTOPUS has used VBScript to call wscript to execute a PowerShell command.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

KOCTOPUS has deobfuscated itself before executing its commands.[1]
Enterprise T1564 .003 Hide Artifacts: Hidden Window

KOCTOPUS has used -WindowsStyle Hidden to hide the command window.[1]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials.[1]
Enterprise T1070 .009 Indicator Removal: Clear Persistence

KOCTOPUS can delete created registry keys used for persistence as part of its cleanup procedure.[1]
Enterprise T1105 Ingress Tool Transfer

KOCTOPUS has executed a PowerShell command to download a file to the system.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries.[2]

Enterprise T1112 Modify Registry

KOCTOPUS has added and deleted keys from the Registry.[1]
Enterprise T1106 Native API

KOCTOPUS can use the LoadResource and CreateProcessW APIs for execution.[1]
Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

KOCTOPUS has obfuscated scripts with the BatchEncryption tool.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

KOCTOPUS has been distributed via spearphishing emails with malicious attachments.[1]
.002 Phishing: Spearphishing Link

KOCTOPUS has been distributed as a malicious link within an email.[1]
Enterprise T1090 Proxy

KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet.[1]
Enterprise T1082 System Information Discovery

KOCTOPUS has checked the OS version using wmic.exe and the find command.[1]
Enterprise T1204 .001 User Execution: Malicious Link

KOCTOPUS has relied on victims clicking on a malicious link delivered via email.[1]
.002 User Execution: Malicious File

KOCTOPUS has relied on victims clicking a malicious document for execution.[1]

Groups That Use This Software

ID Name References
G0140 LazyScripter

[1]

References

  1. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  1. Ionut Arghire. (2021, February 24). New ‘LazyScripter’ Hacking Group Targets Airlines. Retrieved January 10, 2024.