Cyberespionage group uses popular messenger’s brand for targeted attacks on Central Asian diplomatic entities

Kaspersky Lab researchers have discovered a wave of cyber-espionage targeted attacks aimed at Central Asian diplomatic organizations. The Trojan called “Octopus”, disguised as a version of a popular and legitimate online messenger, was attracting users amid the news of a possible ban on Telegram messenger in the region. Once installed, Octopus provided attackers with remote access to victims’ computers.

Threat actors distributed Octopus within an archive disguised as an alternative version of Telegram messenger for Kazakh opposition parties. The launcher was disguised with a recognizable symbol of one of the opposition political parties from the region, and the Trojan was hidden inside. Once activated, the Trojan gave the actors behind the malware opportunities to perform various operations with data on the infected computer, including, but not limited to, deletion, blocks, modifications, copying and downloading. Thus, the attackers were able to spy on victims, steal sensitive data and gain backdoor access to the systems. The scheme has some similarities with an infamous cyber-espionage operation called Zoo Park, in which the malware used for the APT was mimicking a Telegram application to spy on victims.

Using Kaspersky algorithms that recognize similarities in software code, security researchers discovered that Octopus could have links to DustSquad – a Russian-speaking cyber-espionage actor previously detected in former USSR countries in Central Asia, as well as Afghanistan, since 2014. Within the last two years the researchers have detected four of their campaigns with custom Android and Windows malware aimed both at private users and diplomatic entities.

To reduce the risk of sophisticated cyber attacks, Kaspersky Lab recommends implementing the following measures:

·Educate staff on digital hygiene and explain how to recognize and avoid potentially malicious applications or files. For example, employees should not download and launch any apps or programs from untrusted or unknown sources.

·Use a robust endpoint security solution with Application Control functionality that limits an application’s ability to launch or access critical system resources.

·Implement a set of solutions and technologies against targeted attacks such as Kaspersky Anti Targeted Attack Platform and Kaspersky EDR. These can help detect malicious activity across the network and effectively investigate and respond to attacks by blocking their progress.