Introduction
Octopus Scanner appeared at some point in 2018. Although its creators are still unknown, the operation of Octopus Scanner has been extensively discussed in numerous information security publications. This malware targets repositories hosted on GitHub. An infection with Octopus Scanner occurs after a developer downloads an infected repository and uses it to build software. Octopus Scanner is a backdoor that allows its operators to obtain information from the infected users.
It is unusual for malware to target software developers and the platforms used to develop open source software. A representative of GitHub summarized the reason for the appearance of Octopus Scanner as follows:
“Since the primary-infected users are developers, the access that is gained is of high interest to attackers since developers generally have access to additional projects, production environments, database passwords, and other critical assets. There is a huge potential for escalation of access, which is a core attacker objective in most cases.”
The purpose of this article is to examine the operation of Octopus Scanner and provide recommendations on how to avoid an infection with it.
Before proceeding with the next section, it is worth explaining the meaning of the term “GitHub.” It is an online service based on Git, a free and open-source system that enables its users to track changes in source code during software development. Git was developed by the creator of Linux, Linus Torvalds.
The operation of Octopus Scanner
Octopus Scanner is activated after a developer downloads an infected project from GitHub and builds software from it. Once activated, Octopus Scanner scans the infected computer to determine whether the NetBeans IDE is installed. NetBeans IDE is a Java-based integrated development environment.
If the targeted computer does not have NetBeans IDE installed, Octopus Scanner takes no further action. However, if Octopus Scanner detects NetBeans IDE, it infects the build files with a dropper. The term “dropper” refers to a type of malware whose purpose is to install other malware. In the case of Octopus Scanner, the dropper installs a remote access Trojan (RAT).
The RAT allows the attackers to take control of the infected machine. Another important feature of Octopus Scanner is that it does not allow the infected project to be replaced with a new one, which ensures that the malware is not removed. Furthermore, Octopus Scanner infects not only the build output, but also the source code of the infected projects.
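One defender-side integrity check that follows from this behaviour, added here as an example that is neither part of the original article nor any GitHub tooling: compare the .class entries of a built JAR with the .java files in the project's source tree and flag any class that no source file could have produced. The JAR contents, the source listing and the package names below are constructed sample data.

```python
import io
import zipfile
from typing import Iterable, List, Set


def expected_class_prefixes(source_files: Iterable[str], src_root: str = "src/") -> Set[str]:
    """Map each .java file under src_root to the class path javac would emit for it."""
    prefixes = set()
    for path in source_files:
        if path.startswith(src_root) and path.endswith(".java"):
            prefixes.add(path[len(src_root):-len(".java")])
    return prefixes


def unexpected_classes(jar_bytes: bytes, source_files: Iterable[str], src_root: str = "src/") -> List[str]:
    """Return .class entries in the JAR that have no corresponding source file.

    Inner and anonymous classes (Outer$1.class) are attributed to their outer class,
    so a legitimate build does not trigger false positives on them.
    """
    expected = expected_class_prefixes(source_files, src_root)
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            outer = name[:-len(".class")].split("$", 1)[0]
            if outer not in expected:
                suspicious.append(name)
    return sorted(suspicious)


def build_sample_jar() -> bytes:
    """Constructed sample JAR: two classes from the real source plus one injected class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")      # from App.java
        jar.writestr("com/example/App$1.class", b"\xca\xfe\xba\xbe")    # anonymous inner class of App
        jar.writestr("injected/Extra.class", b"\xca\xfe\xba\xbe")       # hypothetical injected class
    return buf.getvalue()


# Constructed source listing for the sample project (only .java files under src/ count).
SAMPLE_SOURCES = ["src/com/example/App.java", "README.md", "build.xml"]

if __name__ == "__main__":
    for entry in unexpected_classes(build_sample_jar(), SAMPLE_SOURCES):
        print("class not derived from source tree:", entry)
```

Because the article notes that Octopus Scanner also modifies source code, this check only catches classes added to the build output beyond what the checked-out tree explains; the source tree itself still needs to be compared against the upstream history.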
GitHub Security Labs scanned all repositories on GitHub and found that 26 of them contained the malware. GitHub found that Octopus Scanner is difficult for anti-malware applications to detect. Octopus Scanner was particularly difficult for GitHub to remove because the developers who owned the repositories did not know about the infection and were therefore using them to develop legitimate software. Thus, if GitHub shut down the repositories and deleted the accounts, it would disrupt the development of various legitimate software applications.