Matroyshka

Matroyshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. [1] [2]

ID: S0167
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

DomainIDNameUse
EnterpriseT1059Command-Line InterfaceMatroyshka is capable of providing Meterpreter shell access.[1]
EnterpriseT1003Credential DumpingMatroyshka is capable of stealing Outlook passwords.[1][2]
EnterpriseT1056Input CaptureMatroyshka is capable of keylogging.[1][2]
EnterpriseT1027Obfuscated Files or InformationMatroyshka obfuscates API function names using a substitute cipher combined with Base64 encoding.[2]
EnterpriseT1055Process InjectionMatroyshka uses reflective DLL injection to inject the malicious library and execute the RAT.[2]
EnterpriseT1060Registry Run Keys / Startup FolderMatroyshka can establish persistence by adding Registry Run keys.[1][2]
EnterpriseT1085Rundll32Matroyshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.[2]
EnterpriseT1053Scheduled TaskMatroyshka can establish persistence by adding a Scheduled Task named "Microsoft Boost Kernel Optimization".[1][2]
EnterpriseT1113Screen CaptureMatroyshka is capable of performing screen captures.[1][2]
EnterpriseT1071Standard Application Layer ProtocolMatroyshka uses DNS for C2.[1][2]

References