MATRYOSHKA is the favored multi-stage attack tool of CopyKittens, a mid-level group with suspected ties to the Iranian government. Although the group is not made up of high-end computer and security experts, its code is carefully picked from public repositories and online forums. They are effective and advanced in a few notable ways:
• Attack methods are stealthy and multi-staged
• Data exfiltration is performed over the DNS protocol
• Tools are "homemade"
• Constant development of tools helps evade anti-malware detection
MATRYOSHKA was written as a multi-stage framework, with each stage built to deploy the one that follows it.
Anatomy of an Attack:
1. Spear Phishing
Attacks are initiated by sending an infected document file as an email attachment. The attached Microsoft Word document contains the first link in the attack chain: a maliciously crafted OLE binary object.
2. Deployment of Matryoshka, the three-part attack framework:
Dropper component
• Obfuscated code evades anti-malware tools
• Signals to command and control (C2) that the dropper payload was executed
• Launches the loader to execute functions on the compromised system
Reflective Loader component
• Scans the compromised system for analysis, forensics and detection tools and reports back to C2
• Employs anti-debugging and anti-sandboxing techniques before executing
• Abuses a runtime API address resolver for code injection
• Covert DLL injection of Remote Access Trojan (RAT) libraries
• Creates a persistence file on disk
Remote Access Trojan (RAT) component
• Configuration of the Reflective Loader to survive reboots and process exits
• DNS command and control communication
• Common RAT functionalities—key logging, credential harvesting, data exfiltration...
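The DNS-based exfiltration and command-and-control channel listed above (and under the group's notable traits) is the behaviour a defender can most readily hunt for in resolver logs. The following Python is an added example, not CopyKittens' code nor any vendor's detection; it scores constructed, hypothetical DNS query log lines per zone by leftmost-label length, character entropy and subdomain churn, the traits that encoded tunnelled data tends to show, and flags zones that exceed all thresholds.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample log, format "timestamp client qname qtype". The zone
# c2-placeholder.test and the hex labels are invented for this example.
SAMPLE_LOG = """\
2023-01-01T10:00:01 10.0.0.5 www.example.com A
2023-01-01T10:00:02 10.0.0.5 mail.example.com A
2023-01-01T10:00:03 10.0.0.5 cdn.example.com A
2023-01-01T10:00:04 10.0.0.5 api.example.com A
2023-01-01T10:00:05 10.0.0.5 www.example.com A
2023-01-01T10:00:06 10.0.0.7 4a6f686e20446f65.c2-placeholder.test TXT
2023-01-01T10:00:07 10.0.0.7 50617373776f7264.c2-placeholder.test TXT
2023-01-01T10:00:08 10.0.0.7 3a2068756e746572.c2-placeholder.test TXT
2023-01-01T10:00:09 10.0.0.7 323030310a7573657273.c2-placeholder.test TXT
2023-01-01T10:00:10 10.0.0.7 20616e64206d6f72652e.c2-placeholder.test TXT
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores far above hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_zone(qname):
    # Simplification: last two labels. Real deployments use a public-suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_zones(log_text):
    """Aggregate per-zone query count, distinct subdomains, label length and entropy."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0, "ent": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        _, _, qname, _ = m.groups()
        zone = registrable_zone(qname)
        sub = qname[: -len(zone) - 1] if len(qname) > len(zone) else ""
        left = sub.split(".")[0]  # leftmost label carries the encoded chunk
        s = stats[zone]
        s["queries"] += 1
        s["subs"].add(sub)
        s["len"] += len(left)
        s["ent"] += shannon_entropy(left)
    return stats


def suspicious_zones(log_text, min_queries=5, min_len=12, min_ent=2.5, min_churn=0.8):
    """Zones whose subdomains are long, high-entropy and almost never repeat."""
    flagged = []
    for zone, s in score_zones(log_text).items():
        n = s["queries"]
        if n < min_queries:
            continue
        if (s["len"] / n >= min_len and s["ent"] / n >= min_ent
                and len(s["subs"]) / n >= min_churn):
            flagged.append(zone)
    return sorted(flagged)
```

Thresholds are a starting point: legitimate CDNs and anti-spam services also emit long, churning labels, so allowlist known zones before alerting.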
Products sold by OpenVault are for entertainment and educational purposes only. Customers are purchasing a physical copy of digital artwork (software box).