{"id":10405,"date":"2024-04-17T10:36:00","date_gmt":"2024-04-17T09:36:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/kapeka\/"},"modified":"2024-04-17T10:36:00","modified_gmt":"2024-04-17T09:36:00","slug":"kapeka","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/kapeka\/","title":{"rendered":"Kapeka"},"content":{"rendered":"\n
\n
\n

\n Kapeka: A novel backdoor spotted in Eastern Europe<\/span><\/h1>
\n
\n \n \n Attack Detection <\/span>\n \n Software Protection <\/span>\n \n Threat intelligence <\/span>\n <\/span>\n \n 17 avril, 2024 <\/span>\n <\/div>\n <\/div>\n <\/div>\n
\n
\n

\n Partager cette information <\/p>\n

\n \n \n
\n
\n
\n \"\" <\/figure>\n <\/div>\n <\/div>\n<\/section>\n\n\n\n
\n
\n
\n

\n Authors <\/p>\n \n

\n
\n
\n \"\" <\/div>\n
\n

Mohammad Kazem Hassan Nejad<\/h3>\n \n

\n Senior Threat Intelligence Researcher, WithSecure <\/p>\n \n <\/div>\n\n<\/div>\n\n <\/div>\n\n <\/div>\n

\n

\n Download report <\/p>\n \n

\n
\n \n Download report
\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n

WithSecure has uncovered a novel backdoor that has been used in attacks against victims in Eastern Europe since at least mid-2022.<\/h2>\n

The malware, which we are calling \u00ab\u00a0Kapeka\u00a0\u00bb, is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate. The malware’s victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity.<\/p>\n

WithSecure discovered overlaps between Kapeka, GreyEnergy, and Prestige ransomware attacks which are all reportedly linked to a group known as Sandworm. WithSecure assesses it is likely that Kapeka is a new addition to Sandworm\u2019s arsenal. Sandworm is a prolific Russian nation-state threat group operated by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Sandworm is particularly notorious for its destructive attacks against Ukraine in pursuit of Russian interests in the region.<\/p>\n

Kapeka contains a dropper that will drop and launch a backdoor on a victim\u2019s machine and then remove itself. The backdoor will first collect information and fingerprint both the machine and user before sending the details on to the threat actor. This allows tasks to be passed back to the machine or the backdoor\u2019s configuration to be updated. WithSecure do not have insight as to how the Kapeka backdoor is propagated by Sandworm.<\/p>\n

Kapeka\u2019s development and deployment likely follow the ongoing Russia-Ukraine conflict, with Kapeka being likely used in targeted attacks of firms across Central and Eastern Europe since the illegal invasion of Ukraine in 2022.<\/p>\n

It is likely that Kapeka was used in intrusions that led to the deployment of Prestige ransomware in late 2022. It is probable that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm\u2019s arsenal.<\/p>\n

This report provides an in-depth technical analysis of the backdoor and its capabilities, and analyzes the connection between Kapeka and Sandworm group. The purpose of this report is to raise awareness amongst businesses, governments, and the broader security community. WithSecure has engaged governments and select customers with advanced copies of this report. In addition to the report, we are releasing several artifacts developed as a result of our research, including a registry-based & hardcoded configuration extractor, a script to decrypt and emulate the backdoor\u2019s network communication, and as might be expected, a list of indicators of compromise, YARA rules, and MITRE ATT&CK mapping.<\/p>\n

23.04.2024 – Design and formatting of the report have been updated. Figure 37 has been updated as well to more clearly represent our understanding of the links between events.<\/i><\/p>\n<\/div>\n

\n

\n Download report <\/p>\n \n

\n
\n \n Download report
\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n
\n
\n

\n What next?<\/span><\/h2>
\n
\n

Discover WithSecure\u2122 Elements Exposure Management.
\n– No credit card required. No obligations.No complexity.<\/p>\n<\/div>\n <\/div>\n <\/div>\n

\n Contact us<\/a> <\/div>\n <\/div> <\/div>\n <\/div>\n<\/section>\n\n\n\n\n\n
\n
\n

\n Related Labs content<\/span><\/h2>
\n
\n
\n

Find related content relating to this topic.<\/span><\/p>\n<\/div>\n <\/div>\n <\/div>\n <\/div> \n

\n
\n
\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n

Source: https:\/\/labs.withsecure.com\/publications\/darkgate-rises<\/p>\n

\n En savoir plus<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n
\n
\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

Reverse engineering a Lumma infection<\/h3>\n

Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.<\/p>\n

\n En savoir plus<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n
\n
\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n AI security<\/span>\n Attack Detection<\/span>\n Software Protection<\/span>\n <\/div>\n <\/div>\n

Machine learning-driven malware analysis<\/h3>\n

With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n

\n En savoir plus<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n <\/div>\n
\n
\n <\/div>\n
\n
\n

The malware, which we are calling \u00ab\u00a0Kapeka\u00a0\u00bb, is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[306,307,308],"labs_content_type":[375],"class_list":["post-10405","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-software-protection","category-threat-intelligence"],"acf":[],"card":"

\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

Kapeka<\/h3>\n

The malware, which we are calling "Kapeka", is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate.<\/p>\n

\n En savoir plus<\/a> <\/div>\n <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/lab_item\/10405","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/media?parent=10405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/categories?post=10405"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/labs_content_type?post=10405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}