By Clare O’Gara
Mon | Jun 1, 2020 | 8:18 AM PDT

With a name like Octopus Scanner, you might be picturing some kind of underwater malware with eight legs.

But this cyberattack operates a little differently. And according to the GitHub Security Incident Response Team (SIRT), which recently encountered this malware, it's extremely rare.

What is Octopus Scanner malware?

One of the things that makes the Octopus Scanner unique: it's picky.

In GitHub's case, the malware targeted NetBeans projects. And according to Nico Waisman, head of GitHub Security Lab, that narrow targeting is what sets the Octopus Scanner apart:

"The unique feature around this malware is that it is targeting developers as the means of spreading. Once the computer gets infected, it looks for NetBeans files to infect."

When it lands on a device, the Octopus Scanner immediately searches for its target.

If it doesn't find it right away? It waits.

When the targeted developer eventually emerges, the Octopus Scanner goes to work on a backdoor, according to Dark Reading:

"The malware continues to spread by infecting NetBeans projects, or JAR files. This way, it backdoors healthy projects so when developers release code to the public, it contains malware. The goal of Octopus Scanner is to insert backdoors into artifacts built by NetBeans so the attacker can use these resources as part of the C2 server."
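The mechanism described above (a backdoor planted in the artifacts a build produces, so the released JAR carries code the developer never wrote) suggests one simple release-time check: compare the classes inside a built JAR against the source tree that should have produced them. The script below is an added example, not code from the article, from GitHub's write-up, or from NetBeans; the project layout (`src/` for sources), the sample JAR contents and the class names are all constructed for the demonstration.

```python
"""
Added example: flag .class entries in a built JAR that have no matching .java
source under the project's src/ directory. An unexplained class in a release
artifact is the kind of anomaly a supply-chain backdoor in the build step
produces. Paths, names and the sample JAR here are assumptions for the demo.
"""
import io
import tempfile
import zipfile
from pathlib import Path
from typing import List, Set


def source_classes(src_root: Path) -> Set[str]:
    """Fully-qualified class names implied by every .java file under src_root."""
    names = set()
    for java in src_root.rglob("*.java"):
        rel = java.relative_to(src_root).with_suffix("")
        names.add(".".join(rel.parts))
    return names


def jar_classes(jar_bytes: bytes) -> Set[str]:
    """Outer class names of every .class entry in a JAR (Foo$1 is folded into Foo)."""
    names = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if not entry.endswith(".class"):
                continue
            cls = entry[: -len(".class")].replace("/", ".")
            names.add(cls.split("$", 1)[0])
    return names


def unexpected_classes(jar_bytes: bytes, src_root: Path) -> List[str]:
    """Classes shipped in the JAR for which the project has no source file."""
    return sorted(jar_classes(jar_bytes) - source_classes(src_root))


def build_sample(tmp: Path) -> bytes:
    """Constructed sample: one legitimate source file, and a JAR carrying one extra class."""
    src = tmp / "src" / "com" / "example"
    src.mkdir(parents=True)
    (src / "App.java").write_text("package com.example; public class App {}\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Placeholder bytes stand in for compiled bytecode; only entry names matter here.
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("com/example/App$1.class", b"\xca\xfe\xba\xbe")   # inner class, legitimate
        zf.writestr("com/example/Loader.class", b"\xca\xfe\xba\xbe")  # no Loader.java exists -> flagged
    return buf.getvalue()


def run_demo() -> List[str]:
    """Build the constructed project in a temp dir and return the flagged classes."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        jar = build_sample(tmp)
        return unexpected_classes(jar, tmp / "src")


if __name__ == "__main__":
    print(run_demo())  # ['com.example.Loader']
```

Two caveats for real use: legitimately generated classes (annotation processors, resource bundles) will also show up as unexpected and need an allowlist, and this check cannot see a legitimate class whose bytecode was modified, so it belongs alongside a reproducible build or a hash comparison of the artifact rather than in place of one.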

Interestingly, the nature of the Octopus Scanner also reveals potential information about the nature of the attackers and their goal:

"It is interesting the attackers specifically chose to target the NetBeans build process, especially because it's not the most common Java IDE. This could indicate a targeted attack, or they may have already implemented the malware for build systems like Make, MsBuild, or Gradle, and it could be spreading unnoticed."

Why target supply chain attacks?

Targeted supply chain attacks like the Octopus Scanner are still fairly rare. But their appeal stems from the rising reliance on open source code, according to Waisman.

Open source is easy for developers, meaning it's also easy for adversaries. Attackers are pursuing supply chain compromises because they can have widespread reach: a single attack can give them access to multiple targets.

"The primary issue in supply chain security is unpatched software," he explains. "It's much easier for an attacker to take advantage of an unpatched, known vulnerability in a dependency than to insert a new vulnerability into your code."

As things gradually become easier for developers, they also become easier for cybercriminals.

Which, evidently, makes things harder for cybersecurity.
