Kapeka, also known as KnuckleTouch, is a sophisticated backdoor malware that has been making waves in the cybersecurity world.
Initially appearing in mid-2022, it wasn’t until 2024 that Kapeka was formally tracked due to its involvement in limited-scope attacks, particularly in Eastern Europe.
The Sandstorm Connection
Kapeka is linked to the Sandstorm Group, operated by Russia’s Military Unit 74455, which is known for its disruptive cyber activities.
This group, also referred to as Sandworm, has a history of targeting Ukraine’s critical infrastructure amidst geopolitical tensions.
Kapeka exhibits a range of advanced functionalities, including initialization, command-and-control (C2) communication, task execution, and persistence mechanisms.
Kapeka utilizes a dropper malware to initiate the infection process.
This dropper deploys the actual backdoor file (a Windows DLL) disguised as a “.wll” file and positions it within system directories like “ProgramData” or “AppData.”
To ensure continuous operation, Kapeka employs multiple persistence mechanisms:
- Autorun Registry Modification: It alters the autorun registry key so that the backdoor file executes at system startup.
- Scheduled Tasks: It creates a scheduled task using “schtasks.exe” to achieve persistence, especially if the initial method fails due to privilege limitations.
- Batch File Removal: A batch file is dropped to eliminate the original dropper after successful backdoor deployment.
C2 Communication and Functionality Highlights
Kapeka communicates with its command-and-control (C2) server using the WinHttp API, exchanging data in JSON format.
The C2 configuration is encrypted with AES-256 for enhanced security.
Here’s a breakdown of Kapeka’s key functionalities:
- Initialization and Fingerprinting: It gathers information about the victim’s system (operating system details, usernames, machine/domain names) through system calls and registry searches. This data is then converted to JSON for transmission.
- Task Execution: Based on C2 server commands, Kapeka can perform various actions on the compromised system, including:
  - Self-uninstallation
  - Downloading files from the C2 server
  - Uploading files to the C2 server
  - Executing commands or launching new processes
  - Updating itself with a newer version
  - Running shell commands
These features pose significant challenges to detection and underline the backdoor’s advanced capabilities.
Following its investigation, LOGPOINT recommends that organizations leverage security tools such as SIEM (Security Information and Event Management) solutions to detect suspicious activities.
Here are some potential indicators of compromise (IOCs) to look for:
- Registry key modifications related to autorun entries containing suspicious file paths (e.g., “AppData\Local\Microsoft\jagyg.wll”)
- Scheduled tasks with unusual names like “Sens Api” referencing specific commands.
- Processes associated with “rundll32.exe” executing “.wll” files located in non-standard directories.
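The persistence mechanisms and the three indicators above translate directly into detection rules. The following Python script is an added example, not code from the LOGPOINT write-up or from Kapeka itself: it runs those rules over a handful of constructed Sysmon-style events (an autorun value pointing at a “.wll” under AppData, a “schtasks.exe /create” for a task named “Sens Api”, and “rundll32.exe” loading a “.wll” from AppData, plus two benign events that must not fire). It generalizes the third indicator to any “.wll” loaded from outside the Windows and Program Files trees, while allowlisting Word’s STARTUP folder, where “.wll” add-in libraries legitimately live. The event field names, the allowlist, the rundll32 entry-point ordinal in the sample command lines and the rule names are all assumptions made for this example.

```python
"""
Added example: detection rules for the Kapeka persistence indicators listed in
the write-up, run over constructed Sysmon-style event records. Field names
("type", "key", "value", "image", "command_line") are an assumption of this
example, not a Logpoint or Sysmon schema.
"""
import re
from typing import Dict, List, Optional, Tuple

# Scheduled-task name reported for Kapeka in the write-up.
KNOWN_TASK_NAMES = {"sens api"}

# Where a .wll (Word add-in library) is expected to live legitimately.
# Assumption: Word's STARTUP folder; extend for your environment.
ALLOWED_WLL_DIRS = ("\\microsoft\\word\\startup\\",)

# Standard code locations; a .wll loaded from anywhere else counts as "non-standard".
STANDARD_DIRS = ("\\windows\\", "\\program files\\", "\\program files (x86)\\")

# HKCU/HKLM ...\CurrentVersion\Run and RunOnce autorun keys.
AUTORUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# A quoted or unquoted drive-letter path ending in .wll inside a command line or value.
WLL_PATH_RE = re.compile(r'"([a-z]:[^"]*?\.wll)"|([a-z]:\\[^"\s,]+?\.wll)', re.I)
# The /tn <name> argument of schtasks.exe, quoted or bare.
TASK_NAME_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)


def find_wll_path(text: str) -> Optional[str]:
    """Return the first .wll file path found in `text`, or None."""
    m = WLL_PATH_RE.search(text)
    return (m.group(1) or m.group(2)) if m else None


def is_non_standard_wll(path: str) -> bool:
    """True if `path` is a .wll outside the standard and allowlisted directories."""
    p = path.lower()
    if not p.endswith(".wll"):
        return False
    if any(d in p for d in ALLOWED_WLL_DIRS):
        return False
    return not any(d in p for d in STANDARD_DIRS)


def check_event(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for one event; empty if nothing fires."""
    hits: List[Tuple[str, str]] = []
    kind = ev.get("type")
    if kind == "registry_set":
        # Rule 1: autorun entry whose data references a .wll in a non-standard directory.
        path = find_wll_path(ev.get("value", ""))
        if AUTORUN_KEY_RE.search(ev.get("key", "")) and path and is_non_standard_wll(path):
            hits.append(("autorun_wll", path))
    elif kind == "process_create":
        image = ev.get("image", "").lower()
        cmd = ev.get("command_line", "")
        path = find_wll_path(cmd)
        if image.endswith("\\schtasks.exe") and "/create" in cmd.lower():
            # Rule 2: task created with a known name or an action pointing at a stray .wll.
            m = TASK_NAME_RE.search(cmd)
            name = (m.group(1) or m.group(2)).lower() if m else ""
            if name in KNOWN_TASK_NAMES or (path and is_non_standard_wll(path)):
                hits.append(("schtasks_wll", name or path))
        elif image.endswith("\\rundll32.exe") and path and is_non_standard_wll(path):
            # Rule 3: rundll32 loading a .wll from a non-standard directory.
            hits.append(("rundll32_wll", path))
    return hits


def detect(events) -> List[Tuple[str, str]]:
    """Run all rules over an iterable of events and collect the findings in order."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed sample telemetry; the ",#1" entry point is a placeholder, not a Kapeka detail.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Sens Api",
     "value": r"rundll32.exe C:\Users\alice\AppData\Local\Microsoft\jagyg.wll,#1"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn "Sens Api" /tr "rundll32.exe C:\ProgramData\Microsoft\jagyg.wll,#1" /sc onstart'},
    {"type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Microsoft\jagyg.wll,#1"},
    # Benign noise that must not fire.
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The file name “jagyg.wll” and the task name “Sens Api” are the specific values the write-up reports; real samples will vary, so the path-based logic (a “.wll” referenced from an autorun key, a scheduled task or a rundll32 command line outside the expected directories) carries most of the weight, and the task-name match is only a cheap extra signal. Tune the allowlist before deploying: any environment that distributes genuine Word add-ins outside the STARTUP folder will otherwise produce false positives.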
Source: https://bit.ly/3uS5LZ2