Researchers have uncovered the Octopus Trojan in a wave of cyberattacks being launched against diplomatic entities across central Asia.
According to cybersecurity firm Kaspersky Lab, the targeted campaign exploits the recent ban of the Telegram messenger in Russia, and reported attempts to ban the service in former Soviet states such as Kazakhstan, to dupe victims into believing they are downloading a still-accessible, legitimate version of the real communications service.
The malicious payload looks like the legitimate Telegram messenger app but instead provides a remote access conduit for attackers to hijack victim PCs.
Kaspersky Lab believes the new campaign may have links to the Russian-speaking threat group DustSquad, which has been active across central Asia since 2014.
DustSquad has been tracked in attacks against private users and diplomatic organizations and has developed custom Android and Windows malware for these assaults in the past.
"We have seen a lot of threat actors targeting diplomatic entities in central Asia in 2018," said Denis Legezo, security researcher at Kaspersky Lab. "DustSquad has been working in the region for several years and could be the group behind this new threat. Apparently, the interest in this region's cyber affairs is growing steadily."
DustSquad's programming choices for the Octopus Trojan are unusual: it is written in Delphi and relies on third-party libraries such as the Indy Project for JSON-based command-and-control (C2) server communications and TurboPower Abbrevia for compression.
The Octopus Trojan is packed in an archive dubbed DVK -- "Democratic Choice of Kazakhstan" -- and is disguised as a variant of Telegram messenger built for Kazakh opposition parties. No such software actually exists.
The country threatened to ban Telegram in April unless the company agreed to delete all content produced across the platform by DVK.
The threat actors behind the malicious app disguise the Trojan's launcher with a recognized symbol from the political party. Once activated, Octopus is able to perform tasks including data theft and deletion, enable backdoor access, and conduct surveillance.
However, little effort appears to have gone into avoiding suspicion: the developers did not include any real messaging or communications features in the fake app.
Such an oversight would likely raise a red flag and alert victims, but Kaspersky believes this lack of finesse may be due to the malware being developed "in a hurry."
Persistence is achieved in a simple manner through the system registry, and on the server side the operators use commercial hosting with PHP scripts and hardcoded IP addresses rather than anything more advanced, such as bulletproof hosting.
The researchers are unsure of how this malware is spreading, but given that the malicious software is targeted towards specific political and diplomatic organizations, it is likely that social engineering plays a large part in the operation.
"From our experience, we can say that the interest shown by threat actors in this region is now high, and the traditional 'players' have been joined by relative newcomers like DustSquad that have sprung up locally," Kaspersky Lab says. "Interestingly, we observed some victims who are 'threat magnets' targeted by all of them."