CopyKittens is an espionage group that has been attacking Israeli targets since at least August 2014. Among the targets are high ranking diplomats at Israel’s Ministry of Foreign Affairs and well-known Israeli academic researchers specializing in Middle East Studies.
Matryoshka is the name we gave the malware built by CopyKittens. It is a multi-stage framework in which each stage integrates into the next. CopyKittens assembled Matryoshka from code snippets picked from public repositories and online forums, hence their nickname.
Matryoshka is spread through spear phishing with a document attached to it. The document has either a malicious macro that the victim is asked to enable, or an embedded executable the victim is asked to open.
DNS requests and answers are used for command and control communication and for data exfiltration.
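As an added illustration (not code from the report or from either lab), a defender-side heuristic for spotting the kind of DNS-based command and control and exfiltration described here: it scores each registered domain seen in a resolver log on query volume, the share of subdomains that never repeat, and the entropy of the subdomain labels. The log format, the domain names in the constructed sample and the thresholds are all assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (client, query name, query type). These lines
# are made up for this example; the C2 domain is a placeholder, not an indicator.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 a3f9c2e1b7d4.c2-placeholder.example TXT
10.0.0.7 9e21f08ab376.c2-placeholder.example TXT
10.0.0.7 4b7d1e0c9a52.c2-placeholder.example TXT
10.0.0.7 d0c4a17e3b95.c2-placeholder.example TXT
10.0.0.7 e5b3c8d1f0a2.c2-placeholder.example TXT
10.0.0.7 7a1c9e0d3b46.c2-placeholder.example TXT
10.0.0.9 static.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # assumed "client qname qtype" layout


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payload chunks score high, ordinary host names low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_domains(log_text, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Return {domain: stats} for domains whose query pattern resembles DNS tunnelling:
    many queries, nearly every one to a distinct subdomain, with high-entropy labels.
    The registered domain is taken as the last two labels (a simplification; a real
    deployment would consult a public-suffix list)."""
    per_domain = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": 0.0, "txt": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _client, qname, qtype = m.groups()
        labels = qname.rstrip(".").lower().split(".")
        dom, sub = ".".join(labels[-2:]), "".join(labels[:-2])
        st = per_domain[dom]
        st["queries"] += 1
        st["subs"].add(sub)
        st["ent"] += shannon_entropy(sub)
        st["txt"] += qtype.upper() == "TXT"  # TXT answers are a common carrier for C2 data
    flagged = {}
    for dom, st in per_domain.items():
        q = st["queries"]
        if q >= min_queries and len(st["subs"]) / q >= min_unique_ratio and st["ent"] / q >= min_entropy:
            flagged[dom] = {"queries": q, "unique_subdomains": len(st["subs"]),
                            "mean_entropy": round(st["ent"] / q, 2), "txt_queries": st["txt"]}
    return flagged


if __name__ == "__main__":
    for dom, stats in suspicious_domains(SAMPLE_LOG).items():
        print(dom, stats)
```

Tune the thresholds against a baseline of your own resolver traffic; CDNs and some telemetry services legitimately produce many unique subdomains, so the entropy and TXT counts are what separate them from a tunnel.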
Based on the type of targets, the delivery method, and the malware used, we estimate that CopyKittens are a state actor or are endorsed by one.
This report was produced by Minerva labs and ClearSky.
Read the full report: The CopyKittens attack group.