Russian APT Deploys New ‘Kapeka’ Backdoor in Eastern European Attacks
A previously undocumented “flexible” backdoor called Kapeka has been “sporadically” observed in cyber attacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022.
The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as Sandworm (aka APT44 or Seashell Blizzard). Microsoft is tracking the same malware under the name KnuckleTouch.
“The malware […] is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate,” security researcher Mohammad Kazem Hassan Nejad said.
Kapeka comes fitted with a dropper that’s designed to launch and execute a backdoor component on the infected host, after which it removes itself. The dropper is also responsible for setting up persistence for the backdoor either as a scheduled task or autorun registry, depending on whether the process has SYSTEM privileges.
Microsoft, in its own advisory released in February 2024, described Kapeka as involved in multiple campaigns distributing ransomware and that it can be used to carry out a variety of functions, such as stealing credentials and other data, conducting destructive attacks, and granting threat actors remote access to the device.
The backdoor is a Windows DLL written in C++ and features an embedded command-and-control (C2) configuration that’s used to establish contact with an actor-controlled server and holds information about the frequency at which the server needs to be polled in order to retrieve commands.
Besides masquerading as a Microsoft Word add-in to make it appear genuine, the backdoor DLL gathers information about the compromised host and implements multi-threading to fetch incoming instructions, process them, and exfiltrate the results of the execution to the C2 server.
“The backdoor uses WinHttp 5.1 COM interface (winhttpcom.dll) to implement its network communication component,” Nejad explained. “The backdoor communicates with its C2 to poll for tasks and to send back fingerprinted information and task results. The backdoor utilizes JSON to send and receive information from its C2.”
The implant is also capable of updating its C2 configuration on-the-fly by receiving a new version from the C2 server during polling. Some of the main features of the backdoor allow it to read and write files from and to disk, launch payloads, execute shell commands, and even upgrade and uninstall itself.
The exact method through which the malware is propagated is currently unknown. However, Microsoft noted that the dropper is retrieved from compromised websites using the certutil utility, underscoring the use of a legitimate living-off-the-land binary (LOLBin) to orchestrate the attack.
Kapeka’s connections to Sandworm come conceptual and configuration overlaps with previously disclosed families like GreyEnergy, a likely successor to the BlackEnergy toolkit, and Prestige.
“It is likely that Kapeka was used in intrusions that led to the deployment of Prestige ransomware in late 2022,” WithSecure said. “It is probable that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm’s arsenal.”
“The backdoor’s victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin.”