Cyber Threat Report: 'KAPEKA A novel backdoor spotted in Eastern Europe'
This report from researchers at WithSecure unveils a novel backdoor, 'Kapeka'. Kapeka has been used against victims in Eastern Europe (particularly Ukraine) since mid-2022. It is an early-stage toolkit for operators, providing long-term access to victims' systems. The researchers link Kapeka to the Sandworm group, operated by Russia's GRU and known for destructive attacks in Ukraine. Kapeka was discovered after analyzing artifacts from a Russian APT-linked intrusion set. It is a bespoke tool used in targeted attacks, with no previous variants reported. However, analysis by the researchers identified overlap with the 'GreyEnergy' tool, which itself was considered an evolution of the BlackEnergy toolkit used in historic attacks by Sandworm.

The dropper is a 32-bit executable that sets up the backdoor's persistence and then self-deletes. It chooses the appropriate backdoor version based on the victim's processor architecture and uses AES-256 encryption. The backdoor is a DLL masquerading as a Microsoft Word Add-In. It collects information on the victim's machine and user, communicates with C2 servers, and can execute various tasks such as reading and writing files, launching processes, and self-upgrading or uninstalling. The report includes technical analysis of the dropper and backdoor as well as a discussion of the attribution to Sandworm. MITRE ATT&CK mappings and indicators of compromise (IoCs) are included as appendices.
Cyber Threat Graph Context
Explore how this report relates to the wider threat graph
Mitigations to defend against the techniques in this report
- Network Intrusion Prevention: Use intrusion detection signatures to block traffic at network boundaries.
- Execution Prevention: Block execution of code on a system through application control and/or script blocking.
- Restrict Registry Permissions: Restrict the ability to modify certain hives or keys in the Windows Registry.
- Data Loss Prevention: Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personally identifiable information (PII), and restrict exfiltration of sensitive data. (Citation: PurpleSec Data Loss Prevention)
- Audit: Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
- Behavior Prevention on Endpoint: Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
- Antivirus/Antimalware: Use signatures or heuristics to detect malicious software.
- User Training: Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
- Privileged Account Management: Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.
- Application Isolation and Sandboxing: Restrict execution of code to a virtual environment on or in transit to an endpoint system.
- Restrict File and Directory Permissions: Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
- Remote Data Storage: Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
- SSL/TLS Inspection: Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.
- Exploit Protection: Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
- User Account Management: Manage the creation, modification, use, and permissions associated with user accounts.
- Operating System Configuration: Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Identified MITRE ATT&CK Techniques
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1497.003 | Time Based Evasion | Defense Evasion, Discovery |
T1012 | Query Registry | Discovery |
T1001.001 | Junk Data | Command and Control |
T1059.003 | Windows Command Shell | Execution |
T1105 | Ingress Tool Transfer | Command and Control |
T1124 | System Time Discovery | Discovery |
T1090.001 | Internal Proxy | Command and Control |
T1112 | Modify Registry | Defense Evasion |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1559.001 | Component Object Model | Execution |
T1070.009 | Clear Persistence | Defense Evasion |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1614.001 | System Language Discovery | Discovery |
T1082 | System Information Discovery | Discovery |
T1070.004 | File Deletion | Defense Evasion |
T1027.009 | Embedded Payloads | Defense Evasion |
T1573.002 | Asymmetric Cryptography | Command and Control |
T1218.011 | Rundll32 | Defense Evasion |
T1573.001 | Symmetric Cryptography | Command and Control |
T1036.008 | Masquerade File Type | Defense Evasion |
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1033 | System Owner/User Discovery | Discovery |