Octopus Scanner Malware

Severity: high
Author: NVISO
Source: upstream

Detects Octopus Scanner Malware.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1195` Supply Chain Compromise, `T1195.001` Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `selection`

or:
TargetFilename|endswith: '\AppData\Local\Microsoft\Cache134.dat'
TargetFilename|endswith: '\AppData\Local\Microsoft\ExplorerSync.db'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.