Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. [1] [2]
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555 | Credentials from Password Stores | Matryoshka is capable of stealing Outlook passwords.[1][2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Matryoshka can establish persistence by adding Registry Run keys.[1][2] |
| Enterprise | T1059 | Command and Scripting Interpreter | Matryoshka is capable of providing Meterpreter shell access.[1] |
| Enterprise | T1113 | Screen Capture | Matryoshka is capable of performing screen captures.[1][2] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | Matryoshka uses DNS for C2.[1][2] |
| Enterprise | T1027 | Obfuscated Files or Information | Matryoshka obfuscates API function names using a substitution cipher combined with Base64 encoding.[2] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Matryoshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.[2] |
| Enterprise | T1056.001 | Input Capture: Keylogging | Matryoshka is capable of keylogging.[1][2] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Matryoshka uses reflective DLL injection to inject the malicious library and execute the RAT.[2] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Matryoshka can establish persistence by adding a Scheduled Task named "Microsoft Boost Kernel Optimization".[1][2] |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0052 | CopyKittens | |