Malware analysis

Octopus Scanner malware: What it is, how it works and how to prevent it | Malware spotlight

Daniel Dimov
December 9, 2020 by
Daniel Dimov

Introduction

Octopus Scanner appeared somewhere in 2018. Although its creators are still unknown, the operation of Octopus Scanner has been extensively discussed in numerous information security publications. This type of malware attacks repositories on the GitHub system. Infections with Octopus Scanner occur after a developer downloads an infected repository and uses it to create a software program. Octopus Scanner is a backdoor malware allowing its creators to get information from the infected users.

It is unusual for a malware to attack software developers and platforms used for the development of open source software. A representative of GitHub summarized the reason for the appearance of Octopus Scanner as follows:

“Since the primary-infected users are developers, the access that is gained is of high interest to attackers since developers generally have access to additional projects, production environments, database passwords, and other critical assets. There is a huge potential for escalation of access, which is a core attacker objective in most cases.”

The purpose of this article is to examine the operation of Octopus Scanner and provide recommendations on how to avoid an infection with it. 

Before proceeding with the next section, it is worth explaining the meaning of the term “GitHub.” It is an online service based on Git, a free and open-source system that enables its users to track changes in source code in the course of source development. Git was developed by the creator of Linux, Linus Torvalds.

The operation of Octopus Scanner

Octopus Scanner becomes activated after a developer downloads an infected project from GitHub and builds software based on it. Once activated, Octopus Scanner scans the infected computer with the aim to find out whether a NetBeans IDE is installed on it. NetBeans IDE is a Java-based integrated development environment.

If the targeted computer does not include NetBeans IDE, Octopus Scanner will not take any further action. However, if Octopus Scanner detects NetBeans IDE, it will infect the build files with a dropper. The term “dropper” refers to a type of malware that aims to install other malware. In the case of Octopus Scanner, the dropper installs a remote access Trojan (RAT).

The RAT allows the attackers to take control over the infected machine. Another important feature of Octopus Scanner is that it does not allow the replacement of the infected project with a new project, thus ensuring that the malware will not be deleted. Furthermore, Octopus Scanner infects not only built files, but also the source code of the infected projects.

GitHub Security Labs scanned all repositories on GitHub and found that 26 of them contain the malware. GitHub found that Octopus Scanner is difficult to be detected by anti-malware applications. Octopus Scanner was particularly difficult to be removed by GitHub because the developers owning the repositories did not know about the infection and, therefore, were using them for the development of legitimate software. Thus, if GitHub shuts down the repositories and deletes the account, the company will negatively impact the development of various legitimate software applications.

Prevention against Octopus Scanner

A simple way to protect against Octopus Scanner is not using NetBeans. This should not be difficult as it is not the most commonly used Java IDE. Other methods include the use of the GitHub Dependency Graph, automated security updates, code scanning and security alerts for vulnerable dependencies. These methods will be discussed in detail below.

The Dependency Graph allows GitHub users to see vulnerabilities detected in dependencies of repositories. The dependencies are presented in the form of an ecosystem.

By configuring GitHub Dependabot, users can receive automated security updates. Each of them provides instructions on how to efficiently integrate a security update in a project. The instructions include, but are not limited to, release notes, changelog entries and commit details.

Another way to protect against Octopus Scanner and other similar malware is to use code scanning. It allows developers to quickly and automatically scan code in a GitHub repository with the aim to find coding errors and security vulnerabilities. Users of GitHub are able to schedule code scanning for specific days and times or when a specific event (e.g., a push) occurs. If the scanning process identifies an error or a potential vulnerability, GitHub will display an alert in the repository. Once the user fixes the vulnerability, the alert will disappear. The code scanning functionality covers both compiled and interpreted languages, including C#, C/C++, Go, JavaScript/TypeScript, Java and Python.

Conclusion

Octopus Scanner constitutes a serious threat for open-source projects and, therefore, does not need to be underestimated. Once it affects certain GitHub repositories, it cannot be quickly removed because a quick deletion may affect the development of legitimate software. 

Until Octopus Scanner is removed, it can continue infecting other computers and stealing sensitive data. In this regard, Brian Fox, a cybersecurity specialist, noted: “What makes Octopus so dangerous is that it has the capability to infect other JAR files in the project, so a developer ends up using and distributing the mutated code to their team or community of open source users.”

As in relation to other malware applications, the prevention of Octopus Scanner is better than the remediation. 

In this article, we discussed various methods for preventing an infection with Octopus Scanner. For ensuring the maximum possible information security, it is preferable if those methods are used cumulatively. 

 

Sources

Github uncovers malicious ‘Octopus Scanner’ targeting developers, Naked Security

How Octopus Scanner malware attacked the open source supply chain, The Daily Swig

The Octopus Scanner Malware: Attacking the open source supply chain, securitylab.github.com

Octopus Scanner Sinks Tentacles into GitHub Repositories, Threatpost

Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.