
Likely Sandworm Hackers Using Novel Backdoor Kapeka

Kapeka Shows Similarities With Russian GRU Hacking Group's GreyEnergy Malware
WithSecure researchers uncovered a novel backdoor named "little stork" in Russian, likely coded by Russian military intelligence. (Image: Shutterstock)

Likely Russian military intelligence hackers known as Sandworm have deployed a new and highly flexible backdoor against Eastern European targets since at least mid-2022, security researchers warned.


Security firm WithSecure said the backdoor, which it dubbed Kapeka, shows overlaps with known Sandworm malware GreyEnergy and the group's malicious encryption attacks in 2022 made with a ransomware variant called Prestige.

Researchers discovered Kapeka - it means "little stork" in Russian - in mid-2023 while investigating an unknown backdoor detected in an Estonian logistics company. The company assessed that hackers installed the backdoor in 2022.

"The backdoor's victimology, infrequent sightings and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin," WithSecure said. Microsoft has also detected the malware. The firm tracks it as KnuckleTouch1 and in a February blog post attributes it to Sandworm, which Redmond tracks as Seashell Blizzard.

Although it ranks among the global heavyweights of intelligence agency hacking teams, Sandworm is known for its caution in deploying bespoke malware, out of a desire not to overexpose expensively custom-coded applications to detection and countermeasures. "Kapeka's infrequent sightings can be a testament for its meticulous usage by an advanced persistent actor (APT) in operations that span over years, such as the Russia-Ukraine conflict," the WithSecure report says.

The Kapeka backdoor operates as a 32-bit and 64-bit Windows executable, responsible for dropping, executing and establishing persistence. Like GreyEnergy, Kapeka consists of a dropper component that has the main backdoor embedded into it. Both applications create a folder called Microsoft in the file system directory containing application data for all users - if the victim has admin privileges - or in the file system directory for local applications. "Both backdoor DLLs are exported and called by the first ordinal (#1) via rundll32. This is an uncommon yet not unique method of exporting DLLs," the report says. Both also generate encryption keys of similar length.
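The launch pattern the report describes, rundll32 calling a DLL by ordinal #1 from a "Microsoft" folder in an application data directory, can be hunted for in process-creation logs. The Python below is an added example, not code from WithSecure or from this article: the event fields, host names and DLL file names are constructed, and C:\ProgramData and Users\<name>\AppData\Local are assumed as the standard Windows locations of the two directories mentioned above.

```python
import ntpath
import re

# rundll32 <dll>,#<n> selects the export by ordinal number instead of by name.
RUNDLL_ORDINAL = re.compile(
    r'''rundll32(?:\.exe)?["']?\s+
        ["']?(?P<dll>[^"',]+?)["']?\s*,\s*\#(?P<ordinal>\d+)\b''',
    re.IGNORECASE | re.VERBOSE)

# Assumption: "Microsoft" folder under the all-users application data directory
# (C:\ProgramData) or under a user's local application data directory.
DROP_DIR = re.compile(
    r'^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata\\local)\\microsoft\\',
    re.IGNORECASE)


def triage(cmdline):
    """Return 'match', 'ordinal-only' or None for one process command line."""
    m = RUNDLL_ORDINAL.search(cmdline)
    if not m or int(m.group("ordinal")) != 1:
        return None
    dll = ntpath.normpath(m.group("dll").strip())  # collapse any ..\ segments
    return "match" if DROP_DIR.match(dll) else "ordinal-only"


def hunt(events):
    """Return (host, verdict, cmdline) for every event an analyst should review."""
    return [(e["host"], v, e["cmdline"])
            for e in events if (v := triage(e["cmdline"]))]


# Constructed process-creation events; hosts, users and DLL names are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r'C:\Windows\System32\rundll32.exe C:\ProgramData\Microsoft\example.dll,#1'},
    {"host": "ws02", "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Local\Microsoft\example.dll",#1'},
    {"host": "ws03", "cmdline": r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl'},
    {"host": "ws04", "cmdline": r'rundll32.exe C:\Program Files\Vendor\plugin.dll,#1'},
    {"host": "ws05", "cmdline": r'rundll32.exe C:\ProgramData\Microsoft\example.dll,#12'},
    {"host": "ws06", "cmdline": r'rundll32.exe C:\ProgramData\Microsoft\..\..\Temp\example.dll,#1'},
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```

Because the report calls export-by-ordinal uncommon but not unique, a "match" is a lead for investigation rather than proof of Kapeka, and "ordinal-only" hits are lower-priority review items.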

"It is probable that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm's arsenal," WithSecure said.

Kapeka's deployment coincided with reported instances of Prestige ransomware attacks in Poland and Ukraine in fall 2022 - incidents that Microsoft attributed to Sandworm (see: Microsoft Warns of Growing Russian Digital Threats to Europe).

Kapeka "was likely used in intrusions that led to the deployment of Prestige ransomware in late 2022," WithSecure said.

About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
