Russian nation-state group Sandworm is assessed to be using a previously unreported backdoor against organizations in Ukraine and other Eastern and Central European countries, according to WithSecure researchers.
The backdoor, dubbed 'Kapeka', shows a high level of stealth and sophistication. It is designed both to serve as an early-stage toolkit for its operators and to provide long-term access to the victim estate.
They said the backdoor was likely used in the intrusions that led to the deployment of Prestige ransomware in late 2022, which targeted transportation and logistics organizations in Ukraine and Poland.
The technical analysis of Kapeka is designed to raise awareness amongst businesses, governments and the broader security community of the threat it poses.
In findings corroborated with Microsoft, WithSecure believes Kapeka is being used as a bespoke tool by Sandworm as part of wider espionage campaigns to support intelligence collection for the Russian state.
The Sandworm group is operated by Russia's military intelligence service, the GRU, and is known to support the wider strategic objectives and changing intelligence requirements of the Russian state.
WithSecure cited several reasons for assessing that Kapeka is used by Sandworm:
- Numerous overlaps between Kapeka and GreyEnergy, a modular backdoor thought to be part of Sandworm's arsenal.
- The level of stealth and sophistication, which indicates advanced APT activity, highly likely of Russian origin.
- Victimology: the backdoor was likely used in campaigns specifically targeting victims in Eastern Europe.
Kapeka contains a dropper that will drop and launch a backdoor on a victim's machine and then remove itself.
The backdoor first fingerprints both the machine and the user and sends the collected details to the threat actor, who can then pass tasks back to the machine or update the backdoor's configuration.
This tasking mechanism effectively makes the backdoor modular, since additional modules can be dropped and executed on demand.
As with GreyEnergy, Kapeka is a DLL file with a masqueraded extension to make it appear legitimate.
Both backdoors use a similar custom algorithm to structure data that's sent to their command and control infrastructure.
There are also several differences between Kapeka and GreyEnergy.
GreyEnergy uses WMI to fingerprint the victim, while Kapeka uses the Windows API and the registry.
Kapeka persists its C2 configuration in the registry, while GreyEnergy does so in a file on disk.
While Kapeka and its dropper contain capabilities to remove all traces of compromise, WithSecure identified several infection artifacts and developed several scripts to aid analysis and detection.
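The artifact described above, a DLL that sits on disk under an extension chosen to look harmless, can be hunted generically without knowing the specific file name. The script below is an added example written for this page; it is not WithSecure's detection script nor anything from the report. It reads the DOS and COFF headers of each file, decides whether the file is a PE image and whether that image is a DLL or an EXE, and flags any PE image whose extension does not belong to the set normally used for that kind. The expected-extension table, the sample file names and the minimal PE header used as test input are all constructed for illustration and are assumptions, not indicators from the report.

```python
import os
import struct
import tempfile

# COFF header Characteristics flag that marks an image as a DLL (PE spec).
IMAGE_FILE_DLL = 0x2000

# Extensions under which a DLL or EXE image is normally expected to appear.
# Assumed list for illustration; a real hunt would extend it (e.g. .sys, .mui).
EXPECTED_EXT = {
    "dll": {".dll", ".ocx", ".cpl", ".drv", ".acm", ".ax"},
    "exe": {".exe", ".scr"},
}


def pe_kind(data):
    """Return 'dll', 'exe', or None if data does not start with a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) + COFF header (20 bytes); Characteristics sits at +22.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def masquerade_kind(path):
    """Return the image kind if path is a PE image whose extension does not
    match that kind, otherwise None."""
    with open(path, "rb") as f:
        head = f.read(65536)  # e_lfanew is realistically far below 64 KiB
    kind = pe_kind(head)
    if kind is None:
        return None
    ext = os.path.splitext(path)[1].lower()
    return None if ext in EXPECTED_EXT[kind] else kind


def scan(root):
    """Walk root and return sorted (path, kind) pairs for masqueraded PE images."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                kind = masquerade_kind(p)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the hunt
            if kind:
                hits.append((p, kind))
    return sorted(hits)


def build_fake_pe(is_dll):
    """Constructed minimal PE header (not a real binary): DOS header with
    e_lfanew, PE signature, and a 20-byte COFF header with Characteristics."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # 0x0002 = EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff


def demo():
    """Write constructed samples to a temp directory and return flagged basenames."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not real indicators
            "legit.dll": build_fake_pe(True),    # DLL under a DLL extension: fine
            "tool.exe": build_fake_pe(False),    # EXE under an EXE extension: fine
            "readme.txt": b"just text\n",        # not a PE image at all
            "backup.dat": build_fake_pe(True),   # DLL hiding behind a data extension
            "helper.exe": build_fake_pe(True),   # DLL pretending to be an EXE
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return [os.path.basename(p) for p, _ in scan(root)]


if __name__ == "__main__":
    print(demo())
```

Point `scan()` at user-writable locations such as profile and temp directories on a suspect host; the header check is cheap enough to run across a whole volume. A hit only means "PE image under an unexpected extension", so pair it with the other artifacts the report describes before treating it as a Kapeka indicator.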
The researchers said they will continue to monitor the use of Kapeka.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Wed, 17 Apr 2024 07:05:09 +0000