
Kapeka: A New Backdoor in Sandworm’s Arsenal of Aggression

Kapeka is a new backdoor that may be a new addition to Russia-linked Sandworm’s malware arsenal and possibly a successor to GreyEnergy.

Kapeka is a new backdoor that may be a new addition to Russia-linked Sandworm’s malware arsenal and is possibly a backdoor successor to GreyEnergy.

Kapeka

There is currently almost zero public knowledge of the Kapeka backdoor beyond a brief description from Microsoft published on February 14, 2024 concerning the discovery of a new backdoor it calls KnuckleTouch. Microsoft attributes the KnuckleTouch backdoor to SeaShell Blizzard, which is its name for Sandworm. There is no Microsoft analysis of this malware, but WithSecure is confident that KnuckleTouch is Kapeka.

In its own analysis, security firm WithSecure believes Kapeka is the tool of an APT (nation-state group). It is not yet sufficiently confident that the group is Sandworm, but has found numerous overlaps between Kapeka and GreyEnergy sufficient to make this a strong possibility.

Overview of Kapeka

Both operate similarly: a dropper component with the backdoor contained within it. Both Kapeka and GreyEnergy (the ‘mini’ version) are DLL files with a masqueraded extension to make them appear legitimate; both DLLs export their entry point, which is invoked by its first ordinal (#1) via rundll32. Both backdoors use a similar custom algorithm to structure the data sent to their C2.

There are more similarities, but also some differences – which explain WithSecure’s current reluctance to categorically attribute the backdoor to Sandworm.
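The two loader traits described above (a DLL with a non-DLL file extension, invoked through rundll32 by export ordinal #1) are both visible in ordinary process-creation telemetry, so a defender can hunt for them without any Kapeka-specific indicator. The following Python is an added illustration written for this article, not code from WithSecure, Microsoft, or the malware itself: it parses rundll32 command lines and flags the combination of an ordinal entry point and a module whose extension is not one rundll32 normally loads. The sample events, file names and paths are constructed for the example and are not real Kapeka telemetry; the set of "expected" extensions is an assumption a team would tune to its own environment.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# rundll32 syntax: rundll32.exe <module>,<entrypoint> [arguments]
# The module may be quoted; the entry point is a name or an ordinal such as #1.
RUNDLL_RE = re.compile(
    r'^\s*(?:"?[^"\s]*rundll32(?:\.exe)?"?)\s+'   # the rundll32 binary itself
    r'(?P<module>"[^"]+"|[^\s,]+)'                 # module path, quoted or bare
    r'\s*,\s*(?P<entry>[^\s]+)'                    # entry point after the comma
    r'(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)
ORDINAL_RE = re.compile(r'^#\d+$')

# Extensions rundll32 is routinely asked to load in a normal environment.
# Assumption for this example; tune to local baselines.
EXPECTED_EXTENSIONS = {'.dll', '.cpl', '.ocx', '.ax', '.drv'}

# Constructed process-creation events: (parent image, command line).
SAMPLE_EVENTS = [
    ('explorer.exe', r'rundll32.exe "C:\Users\u\AppData\Local\Temp\report.wll",#1'),
    ('cmd.exe', r'rundll32.exe C:\ProgramData\cache\update.dat,#1 -d'),
    ('svchost.exe', r'rundll32.exe shell32.dll,Control_RunDLL hotplug.dll'),
    ('explorer.exe', r'rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry /?'),
    ('winword.exe', r'rundll32.exe C:\Users\u\Documents\invoice.pdf,#1'),
]


@dataclass
class Finding:
    parent: str
    command_line: str
    module: str
    entry: str
    reasons: Tuple[str, ...]


def parse_rundll32(command_line: str) -> Optional[Tuple[str, str, str]]:
    """Return (module, entry, args) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(command_line)
    if m is None:
        return None
    module = m.group('module').strip('"')
    return module, m.group('entry'), m.group('args') or ''


def analyze(parent: str, command_line: str) -> Optional[Finding]:
    """Flag rundll32 calls that combine an ordinal export with a non-DLL extension."""
    parsed = parse_rundll32(command_line)
    if parsed is None:
        return None
    module, entry, _args = parsed
    reasons = []
    if ORDINAL_RE.match(entry):
        reasons.append('export invoked by ordinal')
    ext = ntpath.splitext(module)[1].lower()   # ntpath handles Windows paths on any host
    if ext not in EXPECTED_EXTENSIONS:
        reasons.append(f'module extension {ext or "(none)"} is not a DLL extension')
    # Either trait alone is common in benign use; together they match the
    # loader pattern described for Kapeka and GreyEnergy mini.
    if len(reasons) < 2:
        return None
    return Finding(parent, command_line, module, entry, tuple(reasons))


def scan_events(events) -> List[Finding]:
    """Run the check over (parent, command_line) pairs and collect findings."""
    findings = []
    for parent, cmd in events:
        finding = analyze(parent, cmd)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan_events(SAMPLE_EVENTS):
        print(f'[{f.parent}] {f.module} via {f.entry}: {"; ".join(f.reasons)}')
```

Run stand-alone, the block reports the three constructed events that combine both traits and stays silent on the two ordinary rundll32 invocations. A rule like this belongs on process-creation events (Sysmon Event ID 1, EDR telemetry) and is a hunting lead, not a verdict: the next step is to pull the flagged module and confirm what it actually exports.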

Microsoft and WithSecure believe the malware has been in use since 2022, yet apart from the WithSecure analysis, very little is known about Kapeka. WithSecure has so far found only two samples in the wild. The victimology, given current geopolitics, also suggests a Russian origin: Estonia and Ukraine. This limited telemetry could be because the malware is not yet in widespread use, or it could be down to Kapeka’s concerted efforts to remain stealthy. 

If the backdoor is successfully dropped, the dropper is removed. If the backdoor fails to communicate with the C2 within a specified time, it removes itself. If the operators believe they have been discovered, they can instruct the backdoor to remove itself. If the final payload is destructive, evidence of Kapeka’s involvement will also be destroyed.

However, despite the limited reporting on Kapeka, WithSecure has discovered numerous incidents that might have involved its use. In particular, there seems to be a relationship with the Prestige ransomware that Microsoft has attributed to Sandworm. The victimology of Prestige and the Kapeka samples discovered by WithSecure also overlap.


Overlaps between Kapeka, GreyEnergy, Prestige ransomware attacks.

There are two primary potential uses for Kapeka. Firstly, if it is successfully delivered, its stealth and persistence mechanisms could lead to long-term cyberespionage. The recent incident with Microsoft indicating a continuing difficulty to fully expel Russian government-backed intruders from its systems demonstrates how dangerous such persistence can become.

Secondly, Kapeka could be used to deliver malware payloads. Given Sandworm’s history and political allegiance, this could be ransomware or wipers. Russian-delivered wipers are likely to be concentrated in Ukraine since Russia and Ukraine are already at war. Use of wipers outside of Ukraine is more likely to lead to an all-out cyberwar between the West and the East, and is currently likely to be avoided. This may change if and when East/West tensions further increase.

Cyberespionage and ransomware delivered by Sandworm fall below the threshold of cyberwar but will nevertheless most likely be focused against Russia’s political adversaries: that is, primarily the Five Eyes nations, NATO, and the EU.

“One of the hypotheses we put forward in our report,” Mohammad Nejad, WithSecure researcher and author of the report, told SecurityWeek, “is that Kapeka may be one of the latest additions to Sandworm’s arsenal, and that it might be used for espionage operations that could later become sabotage or destructive operations. We found this with the Prestige ransomware attacks – the victims had been compromised earlier on.”

He continued, “The early compromise by Sandworm could be for more strategic objectives like collecting intelligence for the Russian state, that could later turn into a more destructive attack. Kapeka can uninstall itself if it has compromised the wrong target. This level of sophistication and stealth could indicate that it is developed by a nation-state actor that is interested in long term espionage and possibly short term destruction, but also with the ability to remove itself entirely and eliminate its fingerprints if necessary.”

Sandworm

Sandworm is a prolific and aggressive Russian state-affiliated cyber group. See the footnote for a list of all the other names that have been applied to Sandworm.

It has been active since at least 2009. In October 2020, the DOJ indicted six Russian hackers, all officers within the Russian Main Intelligence Directorate (GRU Unit 74455), for their part in Sandworm operations. The DOJ cited attacks against Ukrainian government and critical infrastructure (2015 and 2016), the French elections (2017), the NotPetya attack, the PyeongChang Winter Olympics (2017/2018), Novichok poisoning investigations (2018), and Georgian companies and government entities (2018 and 2019). 

A degree of fluidity between individuals and cooperation between different Russian state groups makes it difficult to accurately attribute specific attacks to specific groups. Sandworm is known to have been supported by APT28 (GRU Unit 26165). SolarWinds has been attributed to Sandworm by some researchers, while Mandiant suggested a cooperation between APT29 and another group, Turla, from within Russia’s Federal Security Service (FSB).

Nevertheless, there is little doubt that Sandworm has delivered destructive payloads to many of its victims, including KillDisk, Industroyer and possibly HermeticWiper (Foxblade). This aggression elevates the potential threat from any new backdoor. 

It should be said that WithSecure has discovered indications that Sandworm is behind the malware it calls Kapeka, but it does not believe it has enough data to be 100% confident. 

This is partly the reason for publishing details now — in the hope that other researchers with additional telemetry might join and further the research into this backdoor. For example, WithSecure currently has no insight on how the Kapeka backdoor is propagated, and is only comfortable saying, “It is likely that Kapeka is a new addition to Sandworm’s arsenal.”

Footnote: Sandworm has also been known over the years as Blue Echidna, ELECTRUM, FROZENBARENTS, G0034, IRIDIUM, IRON VIKING, Quedagh, Seashell Blizzard, TEMP.Noble, TeleBots, UAC-0113, and VOODOO BEAR.

Related: Sandworm Hackers Hit French Monitoring Software Vendor Centreon

Related: Russian APT Used Zero-Click Outlook Exploit

Related: Three Months After Patch, Gov-Backed Actors Exploiting WinRAR Flaw

Related: Russian Hackers Used OT Attack to Disrupt Power in Ukraine Amid Mass Missile Strikes

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
