Octopus Scanner

The Octopus Scanner is a recently spotted threat that was present in several GitHub projects, which were available publicly. The projects in question were developed via the Apache NetBeans IDE (Integrated Development Environment) service.

After studying this threat, cybersecurity analysts found that the Octopus Scanner has been programmed to scan the compromised host for available Apache NetBeans IDE projects. When the Octopus Scanner detects an accessible project, it will inject its code into it. This allows the Octopus Scanner to propagate itself silently via compromised Apache NetBeans IDE projects that have been uploaded online. However, the Octopus Scanner also is capable of taking over the infected hosts by deploying a RAT (Remote Access Trojan) created in the JAVA programming language.

The first time malware experts came across the Octopus Scanner was in August 2018. According to researchers, there have been 26 GitHub projects that contain the corrupted code of the Octopus Scanner, which is a rather low infection count. This is likely due to the fact that the Octopus Scanner’s criteria limits its reach severely. Despite its limited reach, the Octopus Scanner has one key privilege – this threat infects systems that are used for the development of various software. The creators of the Octopus Scanner have likely added the feature that allows them to take control over a system in case they manage to breach a large company involved in software development. This would allow the authors of the Octopus Scanner to obtain confidential documents, unreleased tools, projects, etc. Getting access to such data may allow the creators of the Octopus Scanner to plant a corrupted code into the company’s products, which will be offered to the public.

It is intriguing why the authors of the Octopus Scanner have opted to target developers using the Apache NetBeans IDE, as it is not among the most popular tools for creating software.