Matryoshka
Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. [1] [2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .004 | Application Layer Protocol: DNS |
Matryoshka uses DNS for C2.[1][2] |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Matryoshka can establish persistence by adding Registry Run keys.[1][2] |
| Enterprise | T1059 | Command and Scripting Interpreter |
Matryoshka is capable of providing Meterpreter shell access.[1] |
|
| Enterprise | T1555 | Credentials from Password Stores |
Matryoshka is capable of stealing Outlook passwords.[1][2] |
|
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Matryoshka is capable of keylogging.[1][2] |
| Enterprise | T1027 | Obfuscated Files or Information |
Matryoshka obfuscates API function names using a substitute cipher combined with Base64 encoding.[2] |
|
| Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
Matryoshka uses reflective DLL injection to inject the malicious library and execute the RAT.[2] |
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Matryoshka can establish persistence by adding a Scheduled Task named "Microsoft Boost Kernel Optimization".[1][2] |
| Enterprise | T1113 | Screen Capture |
Matryoshka is capable of performing screen captures.[1][2] |
|
| Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
Matryoshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.[2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0052 | CopyKittens |