S0167 Matryoshka

Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. ¹ ²

Item	Value
ID	S0167
Associated Names
Type	MALWARE
Version	2.0
Created	16 January 2018
Last Modified	23 April 2021
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1071	Application Layer Protocol	-
enterprise	T1071.004	DNS	Matryoshka uses DNS for C2.¹²
enterprise	T1547	Boot or Logon Autostart Execution	-
enterprise	T1547.001	Registry Run Keys / Startup Folder	Matryoshka can establish persistence by adding Registry Run keys.¹²
enterprise	T1059	Command and Scripting Interpreter	Matryoshka is capable of providing Meterpreter shell access.¹
enterprise	T1555	Credentials from Password Stores	Matryoshka is capable of stealing Outlook passwords.¹²
enterprise	T1056	Input Capture	-
enterprise	T1056.001	Keylogging	Matryoshka is capable of keylogging.¹²
enterprise	T1027	Obfuscated Files or Information	Matryoshka obfuscates API function names using a substitute cipher combined with Base64 encoding.²
enterprise	T1055	Process Injection	-
enterprise	T1055.001	Dynamic-link Library Injection	Matryoshka uses reflective DLL injection to inject the malicious library and execute the RAT.²
enterprise	T1053	Scheduled Task/Job	-
enterprise	T1053.005	Scheduled Task	Matryoshka can establish persistence by adding a Scheduled Task named “Microsoft Boost Kernel Optimization”.¹²
enterprise	T1113	Screen Capture	Matryoshka is capable of performing screen captures.¹²
enterprise	T1218	System Binary Proxy Execution	-
enterprise	T1218.011	Rundll32	Matryoshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.²

Groups That Use This Software

ID	Name	References
G0052	CopyKittens	¹

S0167 Matryoshka

Techniques Used

Groups That Use This Software

References