Open Vault

DANDERSPRITZ ScRe Woven Throw by Glitch Textiles

https://www.open-vault.com/aptvol1/danderspritz-scre

The design is made by visualizing a section of code from the DANDERSPRITZ post-exploitation framework attributed to the Equation Group (NSA). The code was developed by the NSA and leaked by the Shadow Brokers in 2017.

DANDERSPRITZ is advanced, state-sponsored malware used for espionage by what the industry calls an Advanced Persistent Threat (APT). APTs are highly skilled and well resources hacking groups that focus on selective targets for a sustained period of time.

Produced by @glitchtextiles for @_openvault's cyber weapons retail pop-up located at 325 Canal St., NYC

VPNFILTER Woven Throw by Glitch Textiles

https://www.open-vault.com/aptvol1/vpnfilter The design is made by visualizing a section of code from the VPNFILTER advanced multi-stage modular malware created by the APT28 threat actor. VPNFILTER is advanced, state-sponsored malware that targets internet connected routers and networked storage devices common in small office and home networks. It was developed by an Advanced Persistent Threat (APT). APTs are highly skilled and well resources hacking groups that focus on selective targets for a sustained period of time.

Produced by @glitchtextiles for @_openvault's cyber weapons retail pop-up located at 325 Canal St., NYC

CARBON Woven Throw by Glitch Textiles

https://www.open-vault.com/aptvol1/carbon

The design is made by visualizing a section of code from the CARBON attack framework used by the Turla Group.

CARBON is advanced, state-sponsored malware used for espionage an Advanced Persistent Threat (APT). APTs are highly skilled and well resources hacking groups that focus on selective targets for a sustained period of time.

MATRYOSHKA Woven Throw by Glitch Textiles

https://www.open-vault.com/aptvol1/matryoshka

The design is made by visualizing a section of code from the MATRYOSHKA cyber weapon used by the CopyKittens Group.

MATRYOSHKA is state-sponsored malware used for espionage by an Advanced Persistent Threat (APT). APTs are highly skilled and well resources hacking groups that focus on selective targets for a sustained period of time.

DANDERSPRITZ dksy Woven Throw by Glitch Textiles

https://www.open-vault.com/aptvol1/danderspritz-dksy

The design is made by visualizing a section of code from the DANDERSPRITZ post-exploitation framework attributed to the Equation Group (NSA). The code was developed by the NSA and leaked by the Shadow Brokers in 2017.

DANDERSPRITZ is advanced, state-sponsored malware used for espionage by what the industry calls an Advanced Persistent Threat (APT). APTs are highly skilled and well resources hacking groups that focus on selective targets for a sustained period of time.

TRITON Woven Throw by Glitch Textiles

https://www.open-vault.com/aptvol1/triton

The design is made by visualizing a section of code from the TRITON attack framework used by the XENOTIME Group.

TRITON is advanced, state-sponsored malware that targets industrial control systems (ICS), developed by an Advanced Persistent Threat (APT). APTs are highly skilled and well resources hacking groups that focus on selective targets for a sustained period of time.

Produced by @glitchtextiles for @_openvault's cyber weapons retail pop-up located at 325 Canal St., NYC

Ever wonder what you can do to avoid getting hacked? Get some expert tips by attending this workshop by David Huerta (Freedom of the Press Foundation).

REGISTER TODAY!

Date and Time

Fri, October 11, 2019 6:00 PM – 10:00 PM EDT

Location

100% Cotton woven in the USA by Pure Country Weavers

Machine Washable Cold, Tumble Dry Low

51”x72”

For the great indoors: bedroom, living room, lounge, etc.

For the great outdoors: camping, picnics, beach, etc.

The design is made by visualizing a section of code from the VPNFILTER advanced multi-stage modular malware created by the APT28 threat actor.

VPNFILTER is advanced, state-sponsored malware that targets internet connected routers and networked storage devices common in small office and home networks. It was developed by an Advanced Persistent Threat (APT). APTs are highly skilled and well resources hacking groups that focus on selective targets for a sustained period of time.

Produced by @glitchtextiles for @_openvault's cyber weapons retail pop-up located at 325 Canal St., NYC

100% Cotton woven in the USA by Pure Country Weavers

Machine Washable Cold, Tumble Dry Low

51”x72”

For the great indoors: bedroom, living room, lounge, etc.

For the great outdoors: camping, picnics, beach, etc.

The design is made by visualizing a section of code from the DANDERSPRITZ post-exploitation framework attributed to the Equation Group (NSA). The code was developed by the NSA and leaked by the Shadow Brokers in 2017.

DANDERSPRITZ is advanced, state-sponsored malware used for espionage by what the industry calls an Advanced Persistent Threat (APT). APTs are highly skilled and well resources hacking groups that focus on selective targets for a sustained period of time.

Produced by @glitchtextiles for @_openvault's cyber weapons retail pop-up located at 325 Canal St., NYC

100% Cotton woven in the USA by Pure Country Weavers

Machine Washable Cold, Tumble Dry Low

51”x72”

For the great indoors: bedroom, living room, lounge, etc.

For the great outdoors: camping, picnics, beach, etc.

The design is made by visualizing a section of code from the DANDERSPRITZ post-exploitation framework attributed to the Equation Group (NSA). The code was developed by the NSA and leaked by the Shadow Brokers in 2017.

DANDERSPRITZ is advanced, state-sponsored malware used for espionage by what the industry calls an Advanced Persistent Threat (APT). APTs are highly skilled and well resources hacking groups that focus on selective targets for a sustained period of time.

100% Cotton woven in the USA by Pure Country Weavers

Machine Washable Cold, Tumble Dry Low

51”x72”

For the great indoors: bedroom, living room, lounge, etc.

For the great outdoors: camping, picnics, beach, etc.

The design is made by visualizing a section of code from the TRITON attack framework used by the XENOTIME Group.

TRITON is advanced, state-sponsored malware that targets industrial control systems (ICS), developed by an Advanced Persistent Threat (APT). APTs are highly skilled and well resources hacking groups that focus on selective targets for a sustained period of time.

Produced by @glitchtextiles for @_openvault's cyber weapons retail pop-up located at 325 Canal St., NYC

100% Cotton woven in the USA by Pure Country Weavers

Machine Washable Cold, Tumble Dry Low

51”x72”

For the great indoors: bedroom, living room, lounge, etc.

For the great outdoors: camping, picnics, beach, etc.

The design is made by visualizing a section of code from the MATRYOSHKA cyber weapon used by the CopyKittens Group.

MATRYOSHKA is state-sponsored malware used for espionage by what the industry calls an Advanced Persistent Threat (APT). APTs are highly skilled and well resources hacking groups that focus on selective targets for a sustained period of time.

100% Cotton woven in the USA by Pure Country Weavers

Machine Washable Cold, Tumble Dry Low

51”x72”

For the great indoors: bedroom, living room, lounge, etc.

For the great outdoors: camping, picnics, beach, etc.

The design is made by visualizing a section of code from the CARBON attack framework used by the Turla Group.

CARBON is advanced, state-sponsored malware used for espionage by what the industry calls an Advanced Persistent Threat (APT). APTs are highly skilled and well resources hacking groups that focus on selective targets for a sustained period of time.

WHAT: Open Vault: Advanced Persistent Threats Volume 1 Pop-up Launch Party WHERE: 325 Canal Street, New York, 10013 WHEN: OCT 7th,2019 - 6:30pm - 10:30pm

Join us to celebrate the grand opening of the Open Vault: Advanced Persistent Threats Volume 1 Pop-up on 325 Canal Street, part of WallPlay’s ON CANAL project.

Musical stylings by Kate Machtiger Beverages served

TAJ MAHAL

Taj Mahal is a previously unknown and technically sophisticated Advanced Persistent Threat (APT) espionage framework, developed by a nation-state, discovered by Kaspersky Lab in the autumn of 2018. This multi-stage framework has two stages, 'Tokyo' and 'Yokohama', and is believed to have been in use for 5 years without detection. Only one known victim has been documented, a diplomatic entity from an undisclosed Central Asian country.

The second stage includes roughly 80 different modules with various capabilities including: backdoors, loaders, orchestrators, Command and Control (C2) communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and file indexer for the victim’s machine.

Included Components

WatchPoints Document stealer, C2 communication and command processor LocalInfo Performs system reconnaissance, outputs to file titled “TAJ MAHAL” AudioRecorder Captures audio from microphone, Windows COM, VOIP and Windows Metro applications Orchestrator Update/install/uninstall, selects target processes and loads plugins Reinstaller/Injector SuicideWatcher Cleanly removes the framework after a designated time IM-Stealer Steals conversation content from chat windows of instant messaging applications Indexer Indexes files on victim drives, user profiles, removable drives Thumbnailer Makes and prepares to send thumbnails of found picture files Keylogger Keystroke logger & clipboard monitor DocumentStealer Steals printed documents from spooler queue EgressSender Sends files from output queue to C2 ClientRecon Daily stateful scan of the compromised machine, sends system changes to C2 Screenshoter Takes periodic low-resolution screenshots DocumentStealer Steal documents from fixed and removable drives and written CD images WebcamSnapshot Periodically takes webcamera snapshots

Source:

MATRYOSHKA

The favored multi-staged attack tool of the CopyKittens, a mid-level group with suspected ties to the Iranian government. While not a group formed by high-end computer and security experts, their code is carefully picked from public repositories and online forums. They are effective and advanced in a few notable ways:

• Attack methods are stealthy, multi-staged

• Data exfiltration is performed over DNS protocol

• Tools are "homemade"

• Constant development of tools helps evade anti-malware detection

MATRYOSHKA was written as a multi-stage framework, with each part of it built to implement its subsequent step.

Anatomy of an Attack:

1. Spear Phishing

Attacks are initiated by sending an infected document file as an email attachment. The attached Microsoft Word document contains the first link in the attack chain: a maliciously crafted OLE binary object.

2. Deployment of Matryoshka, the three part attack framework:

Dropper

• Obfuscated code evades anti-malware tools

• Signals to command and control (C2) that the dropper payload was executed

• Launches the loader to execute functions on the compromised system

• Scans compromised system for analysis, forensics and detection tools, reports back to C2

Reflective Loader

• Employs anti-debugging and anti-sandboxing techniques before executing

• Abuses Runtime API Address resolver for code injection

• Covert DLL injection of Remote Access Trojan (RAT) libraries

• Creates a Persistence file on disk

Remote Access Trojan (RAT) component

• Configuration of the Reflective Loader to survive reboots and process exits

• DNS Command and Control communication

• Common RAT functionalities—key logging, credential harvesting, data exfiltration...

Sources:

https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf

https://www.alienvault.com/blogs/security-essentials/matryoshka-malware-from-copykittens-group