KOCTOPUS
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | KOCTOPUS will perform UAC bypass either through fodhelper.exe or eventvwr.exe. (Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | KOCTOPUS can set the AutoRun Registry key with a PowerShell command. (Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | KOCTOPUS has used PowerShell commands to download additional files. (Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | KOCTOPUS has used `cmd.exe` and batch files for execution. (Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | KOCTOPUS has used VBScript to call wscript to execute a PowerShell command. (Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | KOCTOPUS has used
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials. (Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise | T1070.009 | Indicator Removal: Clear Persistence | KOCTOPUS can delete created registry keys used for persistence as part of its cleanup procedure. (Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries. (Citation: Arghire LazyScripter)
Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | KOCTOPUS has obfuscated scripts with the BatchEncryption tool. (Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | KOCTOPUS has been distributed via spearphishing emails with malicious attachments. (Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise | T1566.002 | Phishing: Spearphishing Link | KOCTOPUS has been distributed as a malicious link within an email. (Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise | T1204.001 | User Execution: Malicious Link | KOCTOPUS has relied on victims clicking on a malicious link delivered via email. (Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise | T1204.002 | User Execution: Malicious File | KOCTOPUS has relied on victims clicking a malicious document for execution. (Citation: MalwareBytes LazyScripter Feb 2021)
Groups That Use This Software

ID | Name | References
---|---|---
G0140 | LazyScripter | (Citation: MalwareBytes LazyScripter Feb 2021)