Threat Report: What is the Matryoshka Malware and How Does it Work?

Matryoshka is a malware framework used by the CopyKittens group. It consists of three components: a dropper, a loader, and a remote access trojan (RAT). It has multiple versions; v1 was seen in the wild from July 2016 until January 2017, and v2 has fewer commands and other minor differences.

Matryoshka Malware Capabilities:

Matryoshka may attempt to evade detection and analysis by encrypting, encoding, or otherwise obfuscating its contents. It may also abuse command and script interpreters to execute commands, scripts, or binaries. Additionally, Matryoshka may take screen captures and log user keystrokes to intercept credentials. Finally, it may search for common password storage locations to obtain user credentials.

  • Matryoshka may make its executables or files difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating their contents, both on disk and in transit. This is a common evasion behavior that works across platforms and on the network.
  • It may abuse command and script interpreters to execute commands, scripts, or binaries. These interpreters are a standard feature of most platforms, so their use blends in with legitimate administration.
  • It may carry its command-and-control traffic over the Domain Name System (DNS) application-layer protocol, blending in with existing traffic to avoid detection and network filtering.
  • It may use DLL injection to run its code inside another, legitimate process, evading process-based defenses and potentially inheriting that process's privileges.
  • It may take screenshots of the victim's desktop, and it may abuse the Windows Task Scheduler to execute malicious code on a schedule or at startup.
  • It may use rundll32.exe to proxy execution of malicious code: a signed Windows binary loading a DLL is less likely to be blocked or flagged than an unknown executable.
  • It may log user keystrokes to intercept credentials, and it may search common password storage locations (such as credential files and the Registry) to obtain them.
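The DNS point above is easier to see in data. The following is an added example written for this article (it is not code from the page's source material, nor from any CopyKittens or Matryoshka sample): a small Python scorer that profiles each parent domain in a DNS query log by how many unique subdomains it receives, how long they are, and how random they look. A RAT that moves data through DNS has to encode it into subdomain labels, so the C2 domain stands out on all three metrics while ordinary hostnames do not. The log lines, domain names, thresholds, and the depth-2 parent-domain split are assumptions constructed for illustration; a real deployment would use the public suffix list and tune the thresholds to its own traffic.

```python
"""Profile DNS queries per parent domain to spot a DNS C2 channel.

Added example, not code from the original article or from any Matryoshka
sample.  The log lines, domain names and thresholds below are constructed
for illustration.
"""
import math
from collections import defaultdict

# Constructed query log: "<client> <qname> <qtype>" per line.  The
# update-cdn.example entries imitate a beacon that packs data into labels.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 login.example.org A
10.0.0.5 cdn.example.net A
10.0.0.7 b3f1a9c2e4d7.6a1f03b9c.update-cdn.example A
10.0.0.7 9c0d2b7e1f4a.7b2e14c0d.update-cdn.example A
10.0.0.7 e1a7d4c9b2f0.8c3f25d1e.update-cdn.example A
10.0.0.7 4f2b8e1d7a3c.9d4a36e2f.update-cdn.example TXT
10.0.0.7 7d9c3a5e2b1f.0e5b47f3a.update-cdn.example TXT
10.0.0.7 2e6b1f9d4c8a.1f6c58a4b.update-cdn.example TXT
10.0.0.5 mail.example.net MX
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score far above real hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str, depth: int = 2):
    """Split a query name into (parent domain, subdomain part).

    depth=2 treats the last two labels as the registrable domain.  That is an
    assumption for this example; production code should consult the public
    suffix list so that names like co.uk are handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:]), ".".join(labels[:-depth])


def profile_domains(log_text: str) -> dict:
    """Per parent domain: unique subdomain count, mean length, mean entropy."""
    subdomains = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        parent, sub = split_qname(fields[1])
        if sub:
            subdomains[parent].add(sub)
    profile = {}
    for parent, names in subdomains.items():
        profile[parent] = {
            "unique_subdomains": len(names),
            "avg_length": sum(len(s) for s in names) / len(names),
            "avg_entropy": sum(shannon_entropy(s) for s in names) / len(names),
        }
    return profile


def flag_dns_c2(log_text: str, min_unique: int = 5, min_avg_length: float = 16.0,
                min_avg_entropy: float = 3.0) -> list:
    """Parent domains whose subdomain traffic looks like an encoded channel.

    All three conditions must hold, which keeps busy but legitimate CDNs
    (many short, low-entropy hostnames) from being flagged."""
    return sorted(
        parent for parent, m in profile_domains(log_text).items()
        if m["unique_subdomains"] >= min_unique
        and m["avg_length"] >= min_avg_length
        and m["avg_entropy"] >= min_avg_entropy
    )


if __name__ == "__main__":
    for parent, m in sorted(profile_domains(SAMPLE_DNS_LOG).items()):
        print(f"{parent:22} unique={m['unique_subdomains']:2} "
              f"len={m['avg_length']:5.1f} entropy={m['avg_entropy']:.2f}")
    print("flagged:", flag_dns_c2(SAMPLE_DNS_LOG))
```

Run against the constructed log, only update-cdn.example is flagged: six unique 22-character labels with entropy well above 3 bits per character, versus one or two short dictionary-word hostnames for the other domains. Requiring all three conditions matters; volume alone would also catch a legitimate CDN, and entropy alone would catch a single hash-named asset.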

Ways to Detect and Mitigate Matryoshka Malware Attacks

  • Detect obfuscation by flagging files and scripts with encoded or high-entropy content, capture command-line arguments and script interpreter activity (command-line auditing and PowerShell script logging), and analyze network data for unusual data flows. For DNS-based C2 in particular, look for a single domain receiving many unique, long, encoded-looking subdomain queries or unusual record types such as TXT.
  • Monitor for screen capture behavior, for process execution spawned by svchost.exe (which hosts the Task Scheduler service on Windows 10 and later) or by taskeng.exe on older versions, and audit tasks registered in the Windows Task Scheduler, especially ones whose action points at a user-writable path.
  • Monitor process execution (including rundll32.exe loading a DLL from outside the Windows directory), the Registry, and the file system for changes, and look for common keylogging API calls such as SetWindowsHookEx and GetAsyncKeyState. API calls alone are not an indicator of keylogging, but they provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.
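To show how the detection bullets above combine in practice, here is an added example written for this article (not taken from its source material or from any Matryoshka analysis) that runs the endpoint checks over constructed, Sysmon-style events: rundll32.exe loading a DLL from a user-writable path, schtasks.exe registering a task whose action lives in a user profile, a remote thread created in another process, and keylogging API calls. The event layout, field names, process IDs, file paths and the api_call record (something an EDR sensor rather than Sysmon would supply) are assumptions for illustration. Following the caveat in the last bullet, a keylogging API call on its own is not alerted; it is reported only when the same process also writes a new file.

```python
"""Endpoint detections for rundll32 proxy execution, scheduled-task
persistence, DLL injection and keylogging over constructed telemetry.

Added example, not code from the original article or from any Matryoshka
analysis.  Field names loosely follow Sysmon event IDs 1 (process create),
8 (CreateRemoteThread) and 11 (file create); the "api_call" record is an
assumed EDR-style event, since Sysmon does not log API calls.
"""
import json
import re

# Constructed telemetry, one JSON object per line.  pid 4112/4130 model a
# dropper chain; pid 2204 models an injected explorer.exe that keylogs;
# pids 4120 and 980 are benign look-alikes that must not be flagged.
SAMPLE_EVENTS = r"""
{"id": 1, "pid": 4112, "ppid": 3000, "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\svc\\boost.dll,Start"}
{"id": 1, "pid": 4120, "ppid": 1200, "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
{"id": 1, "pid": 4130, "ppid": 4112, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /sc minute /mo 30 /tn SystemUpdateCheck /tr C:\\Users\\alice\\AppData\\Roaming\\svc\\boost.cmd"}
{"id": 8, "source_pid": 4112, "source_image": "C:\\Windows\\System32\\rundll32.exe", "target_pid": 2204, "target_image": "C:\\Windows\\explorer.exe"}
{"id": "api_call", "pid": 2204, "image": "C:\\Windows\\explorer.exe", "api": "SetWindowsHookExW", "args": "WH_KEYBOARD_LL"}
{"id": 11, "pid": 2204, "image": "C:\\Windows\\explorer.exe", "target_file": "C:\\Users\\alice\\AppData\\Local\\Temp\\kl.tmp"}
{"id": "api_call", "pid": 980, "image": "C:\\Program Files\\Legit\\ime.exe", "api": "GetAsyncKeyState", "args": ""}
"""

# Paths an unprivileged user can write to; a DLL or task action living here
# is far more suspicious than one under C:\Windows.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)

# APIs commonly used by keyloggers.  Their presence alone is weak evidence
# (input-method editors and games use them too), hence the correlation below.
KEYLOG_APIS = {"SetWindowsHookExA", "SetWindowsHookExW", "GetAsyncKeyState",
               "GetKeyState", "GetKeyboardState"}


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_is(event: dict, name: str) -> bool:
    return event.get("image", "").lower().endswith("\\" + name)


def detect_rundll32_proxy(events: list) -> list:
    """rundll32.exe asked to load a DLL from a user-writable location."""
    return [("rundll32_user_writable_dll", e["pid"]) for e in events
            if e.get("id") == 1 and image_is(e, "rundll32.exe")
            and USER_WRITABLE.search(e.get("cmdline", ""))]


def detect_scheduled_task(events: list) -> list:
    """schtasks /create whose action (/tr) points into a user-writable path."""
    alerts = []
    for e in events:
        cmd = e.get("cmdline", "")
        if e.get("id") == 1 and image_is(e, "schtasks.exe") and "/create" in cmd.lower():
            match = re.search(r"/tr\s+(\S+)", cmd, re.IGNORECASE)
            if match and USER_WRITABLE.search(match.group(1)):
                alerts.append(("schtasks_create_user_writable_action", e["pid"]))
    return alerts


def detect_remote_thread(events: list) -> list:
    """CreateRemoteThread into another process: the classic injection signal."""
    return [("remote_thread_injection", e["source_pid"], e["target_pid"])
            for e in events if e.get("id") == 8]


def detect_keylogging(events: list) -> list:
    """Keylogging API use is reported only when the same pid also wrote a new
    file, matching the caveat that the API call alone is not enough."""
    api_pids = {e["pid"] for e in events
                if e.get("id") == "api_call" and e.get("api") in KEYLOG_APIS}
    writer_pids = {e["pid"] for e in events if e.get("id") == 11}
    return [("keylogging_api_plus_file_write", pid) for pid in sorted(api_pids & writer_pids)]


def run_detections(text: str) -> list:
    events = parse_events(text)
    alerts = []
    for rule in (detect_rundll32_proxy, detect_scheduled_task,
                 detect_remote_thread, detect_keylogging):
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this yields exactly four alerts: the rundll32 launch from the user's roaming profile, the scheduled task whose action lives in the same directory, the remote thread from that rundll32 into explorer.exe, and the keyboard hook in explorer.exe correlated with its new temp file. The legitimate rundll32 call into shell32.dll and the lone GetAsyncKeyState call from the input-method process produce nothing, which is the point of keying each rule on a user-writable path or on a second corroborating event rather than on the binary or API name alone.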

Reactionary Times News Desk
