Researchers at WithSecure have identified a previously undocumented backdoor named Kapeka [4], which has been used against organizations in Ukraine and Eastern Europe since at least mid-2022.

Description

WithSecure assesses that Kapeka is the work of Sandworm, the Russian nation-state group behind repeated cyberattacks on Ukraine and potentially linked to Russian military intelligence hackers [4]. Kapeka overlaps in design with GreyEnergy, an earlier Sandworm toolkit, and has been used in espionage campaigns against Ukrainian and Eastern European targets since the Russia-Ukraine war began [4]. It has also been tied to ransomware activity: WithSecure believes Kapeka was used in the intrusions that led to the Prestige ransomware attacks on transportation and logistics organizations in Ukraine and Poland [2]. WithSecure [1] [4] [5], whose findings align with Microsoft's reporting on the same malware [2], concludes that Sandworm uses Kapeka for intelligence collection and as a foothold for potential sabotage operations [2].

Technically, Kapeka is a Windows backdoor available as both 32-bit and 64-bit executables [3]. Once installed it fingerprints the host and logged-on user through Windows API calls, collects information, and can execute custom payloads, giving the operator long-term access to the victim's system [2]. Its command-and-control configuration is persisted in the Windows registry rather than held only in memory, which is where defenders should expect to find traces of it [2].

WithSecure last observed Kapeka in May 2023 [4]; the small number of sightings and the gaps between them suggest a tool reserved for selective, carefully managed operations by an advanced persistent actor [4]. WithSecure continues to monitor the malware and is producing detection and analysis scripts to support investigators [2]. The full research paper is available at https://labs.withsecure.com/publications/kapeka [4] [5].
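The one concrete host artefact the summary gives defenders is that Kapeka keeps its C2 configuration in the Windows registry. The page publishes no key paths or other indicators, so the following is an added, generic hunting heuristic written for this article, not WithSecure's detection script and not a Kapeka signature: it walks the HKCU and HKLM Software hives and lists binary values that are large and have near-maximal Shannon entropy, the shape an encrypted configuration blob tends to have. The hive roots, size threshold and entropy threshold are assumptions chosen for triage and should be tuned against a known-clean baseline.

```powershell
# Added example for this article: hunt for registry values that look like an opaque,
# encrypted configuration blob. Not Kapeka-specific; the roots and thresholds below
# are assumptions for triage, not published indicators.

function Get-ByteEntropy {
    # Shannon entropy in bits per byte (0.0 .. 8.0). Encrypted or compressed
    # data sits close to 8.0; text, pointers and structured data sit far lower.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    $len = [double]$Bytes.Length
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $len
            $entropy -= $p * [math]::Log($p, 2)
        }
    }
    return [math]::Round($entropy, 3)
}

function Find-SuspiciousRegistryBlobs {
    param(
        # Assumed starting points; extend to other hives if your baseline warrants it.
        [string[]]$Roots = @('HKCU:\Software', 'HKLM:\Software'),
        # Ignore tiny values (flags, handles) that cannot hold a C2 configuration.
        [int]$MinBytes = 64,
        # Flag only values whose bytes are close to uniformly distributed.
        [double]$MinEntropy = 7.0
    )
    foreach ($root in $Roots) {
        # Access-denied subkeys are skipped rather than aborting the sweep.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
                $data = [byte[]]$key.GetValue($name)
                if ($data.Length -lt $MinBytes) { continue }
                $h = Get-ByteEntropy -Bytes $data
                if ($h -ge $MinEntropy) {
                    [pscustomobject]@{
                        Key     = $key.Name
                        Value   = if ($name) { $name } else { '(Default)' }
                        Bytes   = $data.Length
                        Entropy = $h
                    }
                }
            }
        }
    }
}

# Usage: run from an elevated prompt so HKLM is readable, then review the hits.
Find-SuspiciousRegistryBlobs | Sort-Object Entropy -Descending | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: legitimate software also stores high-entropy binary values (licensing data, cached credentials, DPAPI-protected secrets), so compare the hits against the same sweep on a known-clean host of the same build and investigate only what is new or unexplained, ideally alongside the process that owns the key's parent path.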

Conclusion

Kapeka's discovery signals continued Sandworm activity against organizations in Ukraine and Eastern Europe, with transportation and logistics firms a demonstrated target. Organizations in these sectors should treat it as a current threat and ensure they can detect its persistence and host-fingerprinting behaviour, not only known samples. WithSecure's continued monitoring and analysis should yield further insight into the group's tooling and tradecraft and help strengthen defenses against it.

References

[1] https://cyberpress.org/sophisticated-kapeka-backdoor-attack-victims-in-europe/
[2] https://www.infosecurity-magazine.com/news/russian-sandworm-backdoor-ukraine/
[3] https://www.bankinfosecurity.com/likely-sandworm-hackers-using-novel-backdoor-kapeka-a-24878
[4] https://www.withsecure.com/en/whats-new/pressroom/withsecure-uncovers-kapeka-a-new-malware-with-links-to-russian-nation-state-threat-group-sandworm
[5] https://labs.withsecure.com/publications/kapeka