Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

KOCTOPUS

KOCTOPUS's batch variant is loader used by LazyScripter since 2018 to launch Octopus and Koadic and, in some cases, QuasarRAT. KOCTOPUS also has a VBA variant that has the same functionality as the batch version.(Citation: MalwareBytes LazyScripter Feb 2021)

ID: S0669

Type: MALWARE

Platforms: Windows

Version: 1.1

Created: 06 Dec 2021

Last Modified: 29 Jul 2022

Domain	ID		Name	Use
Techniques Used
Enterprise	T1548	.002	Abuse Elevation Control Mechanism: Bypass User Account Control	KOCTOPUS will perform UAC bypass either through fodhelper.exe or eventvwr.exe.(Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	KOCTOPUS can set the AutoRun Registry key with a PowerShell command.(Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	KOCTOPUS has used PowerShell commands to download additional files.(Citation: MalwareBytes LazyScripter Feb 2021)
		.003	Command and Scripting Interpreter: Windows Command Shell	KOCTOPUS has used `cmd.exe` and batch files for execution.(Citation: MalwareBytes LazyScripter Feb 2021)
		.005	Command and Scripting Interpreter: Visual Basic	KOCTOPUS has used VBScript to call wscript to execute a PowerShell command.(Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise	T1564	.003	Hide Artifacts: Hidden Window	KOCTOPUS has used `-WindowsStyle Hidden` to hide the command window.(Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise	T1562	.001	Impair Defenses: Disable or Modify Tools	KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials.(Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise	T1070	.009	Indicator Removal: Clear Persistence	KOCTOPUS can delete created registry keys used for persistence as part of its cleanup procedure.(Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries.(Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	KOCTOPUS has been distributed via spearphishing emails with malicious attachments.(Citation: MalwareBytes LazyScripter Feb 2021)
		.002	Phishing: Spearphishing Link	KOCTOPUS has been distributed as a malicious link within an email.(Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise	T1204	.001	User Execution: Malicious Link	KOCTOPUS has relied on victims clicking on a malicious link delivered via email.(Citation: MalwareBytes LazyScripter Feb 2021)
		.002	User Execution: Malicious File	KOCTOPUS has relied on victims clicking a malicious document for execution.(Citation: MalwareBytes LazyScripter Feb 2021)

ID	Name	References
Groups That Use This Software
G0140	LazyScripter	(Citation: MalwareBytes LazyScripter Feb 2021)

References

Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

KOCTOPUS

Techniques Used

Groups That Use This Software

References