# Nomadic Octopus

#### Cyber espionage in Central Asia

###### Anton Cherepanov | Senior Malware Researcher

-----

• First detection in 2015
• Email - December 2016
• PHDays 2017
• Virus Bulletin 2018

-----

## File sharing hosting:

• http://php-studia.ru/upload/ (defunct)
• http://www.fayloobmennik.net/

-----

###### SessionTime is used as filename:

• 10/04/2018 @ 3:00pm (UTC) – 1538665200.tmp
• 10/04/2018 @ 3:30am (UTC) – 1538623800.tmp

-----

• First file: 1457893802.tmp - GMT: 13 Mar 2016 18:30
• Biggest file ~770 Mb
• Total 280 archives (~16Gb of compressed data)
• Mostly documents:
  • doc, docx, xls, xlsx, rtf, txt, pdf, jpg

-----

[Chart: Upload dates: Weekdays (Monday to Sunday)]

-----

[Chart: Upload dates: Hours (GMT), annotated "Lunch time"]

-----

UTC+5 UTC+6

-----

• Political blogger from Kazakhstan
• Local governments
• Diplomatic missions in Central Asia

-----

##### Password: iM2d$xP(84Y!YV49uFO@kJm5O&2l5AFs

-----

• Custom malware
• Cyberespionage
• Region specific: Central Asia
• Low budget
• Bad OPSEC

-----

## Anton Cherepanov

###### Senior Malware Researcher @cherepanov74
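
The upload-time analysis on the slides above (SessionTime filenames, weekday and hour charts, UTC+5/UTC+6) can be reproduced from a directory listing alone. The following is an added example, not code from the talk; the function names and the sample listing are assumptions, and only the three `.tmp` names come from the slides.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Sample listing: the three filenames quoted on the slides, plus constructed
# noise entries of the kind a real upload directory would also contain.
SAMPLE_LISTING = [
    "1457893802.tmp",      # slide: first file, 13 Mar 2016 18:30 GMT
    "1538665200.tmp",      # slide: 10/04/2018 3:00pm UTC
    "1538623800.tmp",      # slide: 10/04/2018 3:30am UTC
    "index.html",          # constructed: not an exfiltrated archive
    "99999999999999.tmp",  # constructed: too many digits for an epoch
]

NAME_RE = re.compile(r"^(\d{9,10})\.tmp$")
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday", "Sunday"]


def parse_session_time(name):
    """Return the UTC datetime encoded in '<epoch>.tmp', or None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)


def upload_profile(names, utc_offset_hours=0):
    """Count uploads per weekday and per hour, shifted to a UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    weekdays, hours = Counter(), Counter()
    for name in names:
        ts = parse_session_time(name)
        if ts is None:
            continue  # skip files that do not follow the SessionTime scheme
        local = ts.astimezone(tz)
        weekdays[DAYS[local.weekday()]] += 1
        hours[local.hour] += 1
    return weekdays, hours


if __name__ == "__main__":
    # Compare GMT with the two candidate operator time zones from the slides.
    for offset in (0, 5, 6):
        days, hours = upload_profile(SAMPLE_LISTING, offset)
        print(f"UTC{offset:+d}", dict(days), dict(sorted(hours.items())))
```

Run over the full set of archive names, the two counters give the weekday and hour distributions; shifting the offset shows where gaps in activity fall in local time.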