Russian APT Deploys New 'Kapeka' Backdoor in Eastern European Attacks

Apr 17, 2024 | Newsroom | Ransomware / Cyber Espionage

A previously undocumented "flexible" backdoor called Kapeka has been "sporadically" observed in cyber attacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022.

The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as Sandworm (aka APT44 or Seashell Blizzard). Microsoft is tracking the same malware under the name KnuckleTouch.

"The malware [...] is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate," security researcher Mohammad Kazem Hassan Nejad said.

Kapeka comes fitted with a dropper that is designed to launch and execute a backdoor component on the infected host, after which it removes itself. The dropper is also responsible for setting up persistence for the backdoor, either as a scheduled task or as an autorun registry entry, depending on whether the process has SYSTEM privileges.


Microsoft, in its own advisory released in February 2024, described Kapeka as involved in multiple campaigns distributing ransomware and said that it can be used to carry out a variety of functions, such as stealing credentials and other data, conducting destructive attacks, and granting threat actors remote access to the system.

The backdoor is a Windows DLL written in C++ and features an embedded command-and-control (C2) configuration that is used to establish contact with an actor-controlled server and holds information about the frequency at which the server should be polled in order to retrieve instructions.

Besides masquerading as a Microsoft Word add-in to make it appear genuine, the backdoor DLL gathers information about the compromised host and implements multi-threading to fetch incoming instructions, process them, and exfiltrate the results of the execution to the C2 server.


"The backdoor uses WinHttp 5.1 COM interface (winhttpcom.dll) to implement its network communication component," Nejad explained. "The backdoor communicates with its C2 to poll for tasks and to send back fingerprinted information and task results. The backdoor utilizes JSON to send and receive information from its C2."

The implant is also capable of updating its C2 configuration on the fly by receiving a new version from the C2 server during polling. Some of the main features of the backdoor allow it to read and write files from and to disk, launch payloads, execute shell commands, and even upgrade and uninstall itself.

The exact method by which the malware is propagated is currently unknown. However, Microsoft noted that the dropper is retrieved from compromised websites using the certutil utility, underscoring the use of a legitimate living-off-the-land binary (LOLBin) to orchestrate the attack.


Kapeka's connections to Sandworm come from conceptual and configuration overlaps with previously disclosed families like GreyEnergy, a likely successor to the BlackEnergy toolkit, and Prestige.

"It is likely that Kapeka was used in intrusions that led to the deployment of Prestige ransomware in late 2022," WithSecure said. "It is probable that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm's arsenal."

“The backdoor’s victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin.”
