Executive summary
- WithSecure has uncovered a novel backdoor that has been used in
attacks against victims in Eastern Europe since at least mid-2022. - The malware, which we are calling “Kapeka”, is a flexible backdoor with
all the necessary functionalities to serve as an early-stage toolkit for its
operators, and also to provide long-term access to the victim estate. - The malware’s victimology, infrequent sightings, and level of stealth
and sophistication indicate APT-level activity. - WithSecure discovered overlaps between Kapeka, GreyEnergy, and
Prestige ransomware attacks which are all reportedly linked to a group
known as Sandworm. WithSecure assesses it is likely that Kapeka is a
new addition to Sandworm’s arsenal. Sandworm is a prolific Russian
nation-state threat group operated by the Main Directorate of the
General Staff of the Armed Forces of the Russian Federation (GRU).
Sandworm is particularly notorious for its destructive attacks against
Ukraine in pursuit of Russian interests in the region. - Kapeka contains a dropper that will drop and launch a backdoor on a
victim’s machine and then remove itself. The backdoor will first collect
information and fingerprint both the machine and user before sending
the details on to the threat actor. This allows tasks to be passed back to
the machine or the backdoor’s configuration to be updated. WithSecure
do not have insight as to how the Kapeka backdoor is propagated by
Sandworm. - Kapeka’s development and deployment likely follow the ongoing
Russia-Ukraine conflict, with Kapeka being likely used in targeted
attacks of firms across Central and Eastern Europe since the illegal
invasion of Ukraine in 2022. - It is likely that Kapeka was used in intrusions that led to the deployment
of Prestige ransomware in late 2022. - It is probable that Kapeka is a successor to GreyEnergy, which itself
was likely a replacement for BlackEnergy in Sandworm’s arsenal
Technical Analysis, MITRE ATT&CK Mapping, Indicators of compromise (IOCs),
download PDF bellow :
https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf