Matryoshka Malware from CopyKittens Group

December 15, 2015  |  Garrett Gross

A dangerous weapon in the hands of a skilled attacker is alarming but that same weapon in the hands of a novice can be terrifying. Lately, we have started to see activity from a group in the Middle East who, rather than write their own code, seem to be taking bits and pieces from existing malware to develop their own attack toolset. As a result, this group has been referred to as ‘CopyKittens’. Researchers at Minerva and ClearSky have dubbed this malware “Matryoshka” due to its multi-stage framework.

Their most commonly used initial attack vector is a simple, yet alarmingly effective, spearphishing attack, infecting unsuspecting victims via a malicious email attachment (usually an executable that has been disguised as something else). From there, Matryoshka runs second stage malware via a dropper and covertly installs a Remote Access Toolkit (RAT). This is done using a reflective loader technique that allows the malware to run in process memory, rather than being written to disk. This not only hides the install of the RAT but also ensures that the RAT will be ‘reinstalled’ after system restart.

The real threat that the Matryoshka malware (as well as the CopyKittens group) demonstrates is how easy it is for anyone to build (or assemble) his or her own deadly electronic weapons. While threat actors in the past had to possess real skill in crafting their attack methods, today’s ‘copy cat’ criminals only need the desire to do evil [GG1] (as well as a network connection) to wreak havoc.

Impact on you

  • A RAT on your network means that an attacker could have complete control of your machine, able to steal locally stored data, hijack browser sessions (and therefore credentials), etc.
  • With the traditionally specialized skill of malware authoring available to any one who searches hard enough, the number of these types of attacks will only increase in the future.
  • Malware such as Matryoshka that is able to hide itself in your environment and then download/deploy additional software leaves the door open (literally) for future attacks.

How AlienVault Helps

AlienVault Labs continues to perform cutting edge research on threats like these, collecting large amounts of data and then analyzing it to extrapolate expert threat intelligence. The Labs team has already released IDS signatures and correlation rule updates to the AlienVault Unified Security Management (USM) platform so customers can identify activity related to this exploit:

  • System Compromise, Trojan infection, Matryoshka
  • System Compromise, C&C Communication, CopyKittens Activity

For further investigation into the CopyKitten APT group or the Matryoshka malware, visit the Open Threat Exchange (OTX) to see what research members of the community have done:


Share this with others

Featured resources



2024 Futures Report

Get price Free trial