CopyKittens Attack Group by Minerva Labs & ClearSky Cyber Security

February 16, 2016
Version 1.0 – 23/11/2015
All Rights Reserved To Minerva Labs LTD and ClearSky Cyber Security, 2015

Executive Summary

The Middle East has been a cyber warfare hotspot for almost a decade now, a theatre for some of the most advanced threats the world has ever witnessed. In between those highly advanced attacks, more and more attackers possessing only a basic set of skills started to pop up – spreading well-known RATs, obfuscated with generic, publicly available packers.

This report focuses on the CopyKittens, a mid-level group.

The CopyKittens attacks are effective and advanced in a few ways:

  • Infection of computers is performed in a multi-stage, stealthy manner

  • Data exfiltration is performed over the DNS protocol

  • They avoid using known RATs and packers; their tools are "homemade"

  • Constant development is performed to keep pace with improvements in security products

Yet, this group is clearly not made up of dozens of high-end computer and security experts. The CopyKittens assembled major parts of their attack from code snippets carefully picked from public repositories and online forums, hence their nickname. We also named their attack tool "Matryoshka"¹ due to the fact that it was written as a multi-stage framework, with each part of it built to integrate its subsequent step.
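The summary above lists DNS-based exfiltration as one of the group's distinguishing techniques but does not describe how it would show up in network telemetry. The following is an added example written for this page, not code from the Minerva Labs / ClearSky report or from the group's tooling: it runs a few heuristics a defender can apply to passive DNS or resolver query logs to surface the pattern (one client issuing many unique, encoded-looking names under a single zone, often as TXT queries). The log line layout, the thresholds, the `c2-placeholder.test` zone and all query names are constructed assumptions; a production deployment would split zones with the public suffix list rather than by taking the last two labels.

```python
"""Heuristic detection of DNS-tunnelled exfiltration in query logs.

Added example for the CopyKittens executive summary; not from the report.
Log format, thresholds and every domain/IP below are constructed assumptions.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample log: "<timestamp> <client-ip> <qtype> <qname>" per line.
# "c2-placeholder.test" stands in for an attacker-controlled zone (no real IoC).
SAMPLE_LOG = """\
2015-11-23T10:00:01 10.0.0.12 A www.example.org
2015-11-23T10:00:02 10.0.0.12 A cdn.example.org
2015-11-23T10:00:03 10.0.0.44 TXT 9f3c0a77b21e4d58.c2-placeholder.test
2015-11-23T10:00:03 10.0.0.44 TXT 0b6e1cd9a4f27c03.c2-placeholder.test
2015-11-23T10:00:04 10.0.0.44 TXT e7a5d2c4418b6f90.c2-placeholder.test
2015-11-23T10:00:04 10.0.0.44 TXT 51c8f3ab0d2e7e64.c2-placeholder.test
2015-11-23T10:00:05 10.0.0.44 TXT a30d97ff2c1b5e48.c2-placeholder.test
2015-11-23T10:00:05 10.0.0.44 TXT 6d2ef0b1c9a4d357.c2-placeholder.test
2015-11-23T10:00:06 10.0.0.12 A mail.example.org
"""

HEX_LABEL = re.compile(r"^[0-9a-f]+$")
BASE32_LABEL = re.compile(r"^[a-z2-7]+$")

# Thresholds are assumptions for the example; tune them to the environment.
MIN_ENCODED_LEN = 12        # shorter labels are treated as ordinary hostnames
MIN_ENTROPY = 3.5           # bits/char; plain words sit around 3.0-3.3
MIN_UNIQUE_NAMES = 5        # distinct qnames per (client, zone) before alerting
MIN_ENCODED_FRACTION = 0.8  # share of queries whose leftmost label looks encoded
MAX_SANE_LABEL_LEN = 50     # one label near the 63-octet limit is suspicious alone


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(label: str) -> bool:
    """True when a label is long, drawn from a hex or base32 alphabet, and has
    higher entropy than hostnames normally show."""
    if len(label) < MIN_ENCODED_LEN:
        return False
    low = label.lower()
    in_alphabet = bool(HEX_LABEL.match(low) or BASE32_LABEL.match(low))
    return in_alphabet and shannon_entropy(low) >= MIN_ENTROPY


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def split_name(qname: str) -> Tuple[str, str]:
    """Return (leftmost label, zone). Zone = last two labels (assumption)."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def detect_exfil(log_text: str) -> List[dict]:
    """Aggregate queries per (client, zone) and report groups that match the
    tunnelling heuristics; each finding carries the reasons it fired."""
    groups = defaultdict(lambda: {"names": set(), "encoded": 0, "total": 0,
                                  "txt": 0, "max_label": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        label, zone = split_name(rec["qname"])
        g = groups[(rec["client"], zone)]
        g["names"].add(rec["qname"])
        g["total"] += 1
        g["encoded"] += int(looks_encoded(label))
        g["txt"] += int(rec["qtype"] == "TXT")
        g["max_label"] = max(g["max_label"], len(label))

    findings = []
    for (client, zone), g in groups.items():
        frac = g["encoded"] / g["total"]
        reasons = []
        if len(g["names"]) >= MIN_UNIQUE_NAMES and frac >= MIN_ENCODED_FRACTION:
            reasons.append(f"{len(g['names'])} unique names, "
                           f"{frac:.0%} encoded-looking labels")
        if g["max_label"] > MAX_SANE_LABEL_LEN:
            reasons.append(f"label of {g['max_label']} chars")
        if reasons:
            if g["txt"]:
                reasons.append(f"{g['txt']} TXT queries")  # supporting signal only
            findings.append({"client": client, "zone": zone,
                             "unique_names": len(g["names"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in detect_exfil(SAMPLE_LOG):
        print(hit)
```

Run stand-alone, the script reports the single `10.0.0.44` group under `c2-placeholder.test` and stays silent for the ordinary `example.org` traffic. The label-level test alone is deliberately weak (long dictionary words such as `documentation` sit in the base32 alphabet and only the entropy floor keeps them out), which is why alerting is gated on the per-client aggregate: many distinct names under one zone is the signal that ordinary browsing rarely produces.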

We have had only....
