Experts detailed the new Operation Wilted Tulip campaign of the CopyKittens APT

“CopyKittens use several self-developed malware and hacking tools that have not been publicly reported to date, and are analyzed in this report: TDTESS backdoor; Vminst, a lateral movement tool; NetSrv, a Cobalt Strike loader; and ZPP, a files compression console program. The group also uses Matryoshka v1, a selfdeveloped RAT analyzed by ClearSky in the 2015 report, and Matryoshka v2 which is a new version, albeit with
similar functionality.  The group often uses the trial version of Cobalt Strike3 , a publicly available commercial software for “Adversary Simulations and Red Team Operations.” states the report .

“Other public tools used by the group are Metasploit, a well-known free and open source framework for developing and executing exploit code against a remote target machine;
Mimikatz, a post-exploitation tool that performs credential dumping; and Empire, “a PowerShell and Python post-exploitation agent.” For detection and exploitation of internet-facing web servers, CopyKittens use Havij, Acunetix and sqlmap.”

The hackers used both spear phishing attacks and watering holes to compromise target systems.

CopyKittens compromised websites of media outlets and organizations to deliver its malware. Among the websites compromised by hackers to conduct watering hole attacks, there is The Jerusalem Post, the Maariv news and IDF Disabled Veterans Organization.

Below the full list of methods used by CopyKittens in its campaigns.

• Watering hole attacks – inserting malicious JavaScript code into breached strategic websites.
• Web based exploitation – emailing links to websites built by the attackers and containing known exploits.
• Malicious documents – email attachments containing weaponized Microsoft Office documents.
• Fake social media entities – fake personal and organizational Facebook pages are used for interaction with targets and for information gathering.
• Web hacking – Havij, Acuntix and sqlmap are used to detect and exploit internet-facing web servers.

The hackers used multiple tools and malware to infect targets, they used both custom malicious codes and commercial solutions like Cobalt Strike.

Enjoy the report!

Pierluigi Paganini

(Security Affairs – CopyKittens, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]