A Trojan used in attacks on Central Asian diplomatic organizations, dubbed Octopus, disguises itself as a popular online messenger, according to researchers at Kaspersky Lab.
The Trojan, a malicious program for Windows, has possible links to DustSquad, a Russian-language cyber-espionage actor focused on Central Asian users, which Kaspersky researchers have been monitoring for two years.
Attackers successfully leveraged the news that the widely used Telegram messenger may become banned in Kazakhstan. The Trojan was distributed in a package that appeared to be a legitimate version of the Telegram messenger for Kazakh opposition parties, researchers said. Once installed, Octopus gives attackers remote access to victims’ computers.
“The launcher was disguised with a recognizable symbol of one of the opposing political parties from the region, and the Trojan was hidden inside. Once activated, the Trojan gave the actors behind the malware opportunities to perform various operations with data on the infected computer, including (but not limited to) deletion, blocks, modifications, copying and downloading,” researchers wrote.
Via remote access, the attackers were able to spy on victims, steal sensitive data and gain backdoor access to the systems. “We have seen a lot of threat actors targeting diplomatic entities in Central Asia in 2018,” said Denis Legezo, security researcher, Kaspersky Lab, in a press release.
“DustSquad has been working in the region for several years and could be the group behind this new threat. Apparently, the interest in this region’s cyber affairs is growing steadily. We strongly advise users and organizations in the region to keep an eye on their systems and instruct employees to do the same.”
Kaspersky Lab recommends that organizations educate staff on digital hygiene in order to reduce risk. In addition, a robust endpoint security solution with application control functionality can strengthen defenses.