A Russian-language cyber-espionage threat actor dubbed DustSquad is targeting Central Asian users and diplomatic entities using a malware, dubbed Octopus, designed to exploit the hype surrounding the Telegram app ban in Central Asia.
The malware is written in Delphi and was coined by ESET researchers in 2017 after the threat group used the 0ct0pus3.php script on their old C2 servers, according to an 15 October Kaspersky blog post.
"Political entities in Central Asia have been targeted throughout 2018 by different actors, including IndigoZebra, Sofacy (with Zebrocy malware) and most recently by DustSquad (with Octopus malware)," researchers said. "Interestingly, we observed some victims who are ‘threat magnets’ targeted by all of them."
Earlier this year, the Russian government ordered the immediate blocking of the Telegram messaging app from the Apple App Store and Google Play Store, an imitation of the popular app made its rounds on Google Play.
Confusion surrounding the order left an opportunity for several imposter apps to fill the void of former users looking to get their social messaging fix.
Kaspersky researchers discovered a new Octopus sample packed into a ZIP file with a timestamp from February to March 2018, pretending to be communication software for a Kazakh opposition political group. The dropper for the malware pretends to be the Telegram Messenger app with a Russian interface.
The ZIP file was named dvkmailer.zip which stands for Kazakhstan Democratic Choice, an opposition political party that is prohibited in the country.
Researchers can’t confirm how the malware is being distributed, but noted that it is obviously using some form of social engineering to infect users noting that the threat actor has previously used spear phishing to spread the malware.
Researchers noted the Trojan uses third-party Delphi libraries like The Indy Project for JSON-based C2 communications and TurboPower Abbrevia (sourceforge.net/projects/tpabbrevia) for compression and that the malware persistence is basic and achieved via the system registry.