Octopus Trojan disguises itself as Telegram messenger

Read time 2min 00sec
Diplomatic entities remain popular targets.
Diplomatic entities remain popular targets.

Researchers at Kaspersky Lab have identified a slew of cyber-espionage attacks aimed at Central Asian diplomatic organisations.

The Trojan dubbed 'Octopus' is being disguised as a version of the popular Telegram messenger. Once installed, it provides its authors with remote access to victims' machines.

The researchers speculate that this latest wave of attacks could be partly due to news of a possible ban on Telegram messenger in the region.

The malware's authors distributed Octopus within an archive that impersonated an alternative version of Telegram messenger for Kazakh opposition parties. The launcher was disguised with a well-known symbol of one of the opposition political parties in the region, and had the Trojan secreted inside.

Once activated, Octopus gives the attackers a means to carry out various operations with data on the infected computer, including deletion, blocks, modifications, copying and downloading.

In this way, the actors can spy on their targets, steal private information, and gain backdoor access to the systems. According to Kaspersky, there are similarities to another notorious cyber-espionage operation named Zoo Park, in which the malware used for the advanced persistent threat (APT) i was imitating a Telegram application to spy on victims.

By employing Kaspersky algorithms that recognise similarities in software code, the researchers found out that Octopus might have links to DustSquad - a Russian-speaking cyber-espionage threat actor previously detected in former USSR countries in Central Asia, as well as Afghanistan.

Within the last two years researchers have uncovered four DustSquad campaigns with custom Android and Windows malware aimed at private users and diplomatic entities alike.

Denis Legezo, a security researcher at Kaspersky Lab, says the company has seen a lot of cyber criminals targeting diplomatic entities in Central Asia in 2018.

"DustSquad has been working in the region for several years and could be the group behind this new threat. Apparently, the interest in this regions' cyber affairs is growing steadily. We strongly advise users and organisations in the region to keep an eye on their systems and instruct employees to do the same," he says.

Login with