
KOCTOPUS

KOCTOPUS's batch variant is a loader used by LazyScripter since 2018 to launch Octopus and Koadic and, in some cases, QuasarRAT. KOCTOPUS also has a VBA variant with the same functionality as the batch version.(Citation: MalwareBytes LazyScripter Feb 2021)
ID: S0669
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 06 Dec 2021
Last Modified: 22 Mar 2023

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

KOCTOPUS will perform UAC bypass either through `fodhelper.exe` or `eventvwr.exe`.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

KOCTOPUS can set the AutoRun Registry key with a PowerShell command.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

KOCTOPUS has used PowerShell commands to download additional files.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

KOCTOPUS has used `cmd.exe` and batch files for execution.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

KOCTOPUS has used VBScript to call wscript to execute a PowerShell command.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1564 .003 Hide Artifacts: Hidden Window

KOCTOPUS has used `-WindowStyle Hidden` to hide the command window.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1070 .009 Indicator Removal: Clear Persistence

KOCTOPUS can delete created registry keys used for persistence as part of its cleanup procedure.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries.(Citation: Arghire LazyScripter)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

KOCTOPUS has obfuscated scripts with the BatchEncryption tool.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

KOCTOPUS has been distributed via spearphishing emails with malicious attachments.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1566 .002 Phishing: Spearphishing Link

KOCTOPUS has been distributed as a malicious link within an email.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1204 .001 User Execution: Malicious Link

KOCTOPUS has relied on victims clicking on a malicious link delivered via email.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1204 .002 User Execution: Malicious File

KOCTOPUS has relied on victims clicking a malicious document for execution.(Citation: MalwareBytes LazyScripter Feb 2021)

Groups That Use This Software

ID Name References
G0140 LazyScripter (Citation: MalwareBytes LazyScripter Feb 2021)
