Octopus Scanner

The Octopus Scanner is a new piece of malware that cybersecurity experts have found in several public GitHub projects that were created with the use of the Apache NetBeans IDE (Integrated Development Environment). Upon further research, experts noticed that the Octopus Scanner had modules dedicated to searching the infected host for accessible Apache NetBeans IDE projects, and then injecting its corrupted code inside of them. This way, the malware could spread silently while its victims are trying to share their development projects with the world. However, this is not all that the Octopus Scanner does – ultimately, its goal is to deploy a JAVA-based Remote Access Trojan to the infected system, and allow the remote attacker to take control over the compromised host.

The first samples of the Octopus Scanner date back to August 2018, and it is not clear if there are more active copies of the Octopus Scanner in the wild – so far, only 26 GitHub repositories have been found to include the corrupted code.

The Octopus Scanner Spreads by Planting Its Code in Apache NetBeans IDE JAVA Projects

The peculiar infection vector that the Octopus Scanner uses limits its reach significantly. However, it also gives it one major advantage – the malware is likely only to run on devices that are used for software development. If the criminals manage to penetrate the security of a large software development company, they may use the Octopus Scanner implant to collect confidential projects, documents and source code. Furthermore, they could opt to launch an even more aggressive attack by planting backdoors or other malware in the company's software products.

The Apache NetBeans IDE is not the most popular piece of software used for managing JAVA projects, certainly, so it is surprising that the attackers have targeted it in particular. So far, there has been no indication that versions of the Octopus Scanner can infect the projects of other IDEs.