Kapeka, also known as KnuckleTouch, is a sophisticated backdoor malware that has been making waves in the cybersecurity world.
Initially appearing in mid-2022, it wasn’t until 2024 that Kapeka was formally tracked due to its involvement in limited-scope attacks, particularly in Eastern Europe.
The Sandstorm Connection
Kapeka is linked to the Sandstorm Group, operated by Russia’s Military Unit 74455, known for its disruptive cyber activities.
This group, also referred to as Sandworm, has a history of targeting Ukraine’s critical infrastructure amidst geopolitical tensions.
Kapeka exhibits a range of advanced functionalities, including initialization, command-and-control (C2) communication, task execution, and persistence mechanisms.
Kapeka utilizes a dropper malware to initiate the infection process.
This dropper deploys the actual backdoor file (a Windows DLL) disguised as a “.wll” file and positions it within system directories like “ProgramData” or “AppData.”
To ensure continuous operation, Kapeka employs multiple persistence mechanisms:
Autorun Registry Modification: It alters the autorun registry key to execute the backdoor file upon system startup.
Scheduled Tasks: It creates a scheduled task using “schtasks.exe” to achieve persistence, especially if the initial method fails due to privilege limitations.
Batch File Removal: A batch file is dropped to eliminate the original dropper after successful backdoor deployment.
C2 Communication and Functionality Highlights
Kapeka communicates with its command-and-control (C2) server using the WinHttp API, exchanging data in JSON format.
The C2 configuration is encrypted with AES-256 for enhanced security.
Here’s a breakdown of Kapeka’s key functionalities:
Initialization and Fingerprinting: It gathers information about the victim’s system (operating system details, usernames, machine/domain names) through system calls and registry searches. This data is then converted to JSON for transmission.
Task Execution: Based on C2 server commands, Kapeka can perform various actions on the compromised system, including:
Self-uninstallation
Downloading files from the C2 server
Uploading files to the C2 server
Executing commands or launching new processes
Updating itself with a newer version
Running shell commands
These features pose significant challenges to detection and underline the backdoor’s advanced capabilities.
Following its investigation, LOGPOINT recommends that organizations use security tools such as SIEM (Security Information and Event Management) solutions to detect suspicious activity.
Here are some potential indicators of compromise (IOCs) to look for:
Registry key modifications related to autorun entries containing suspicious file paths (e.g., “AppData\Local\Microsoft\jagyg.wll”)
Scheduled tasks with unusual names like “Sens Api” referencing specific commands.
Processes associated with “rundll32.exe” executing “.wll” files located in non-standard directories.
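A small detection routine for the three indicators above, added here as an illustration; it is not part of the original post or of LOGPOINT’s own rules. The event fields, the constructed sample events and the rule names are assumptions, chosen to resemble normalized Sysmon/SIEM records:

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events modelled on the indicators in the article:
# process creation, autorun registry writes and scheduled-task creation.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\bob\AppData\Local\Microsoft\jagyg.wll",#1'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sens",
     "value": r"rundll32.exe C:\ProgramData\Microsoft\jagyg.wll,#1"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\OneDrive\OneDrive.exe /background"},
    {"type": "schtask", "name": "Sens Api",
     "action": r"C:\Windows\System32\rundll32.exe C:\ProgramData\Microsoft\jagyg.wll,#1"},
    {"type": "schtask", "name": "OneDrive Standalone Update",
     "action": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
]

# A Windows path ending in .wll (the extension the article says the DLL is disguised with).
WLL_PATH = re.compile(r'[A-Za-z]:\\[^",]*?\.wll\b', re.IGNORECASE)
STAGING_DIRS = ("programdata", "appdata")       # directories named in the article
SUSPICIOUS_TASK_NAMES = {"sens api"}            # task name named in the article

def wll_in_staging_dir(text):
    """Return the first .wll path located under ProgramData/AppData in text, else None."""
    for m in WLL_PATH.finditer(text):
        parts = [p.lower() for p in PureWindowsPath(m.group(0)).parts]
        if any(d in parts for d in STAGING_DIRS):
            return m.group(0)
    return None

def match_event(ev):
    """Return (rule_name, evidence) if the event matches a Kapeka indicator, else None."""
    if ev["type"] == "process" and ev["image"].lower().endswith("rundll32.exe"):
        hit = wll_in_staging_dir(ev["cmdline"])
        if hit:
            return ("rundll32_wll_nonstandard_dir", hit)
    elif ev["type"] == "registry" and "\\currentversion\\run\\" in ev["key"].lower():
        hit = wll_in_staging_dir(ev["value"])
        if hit:
            return ("autorun_wll_backdoor", hit)
    elif ev["type"] == "schtask":
        if ev["name"].lower() in SUSPICIOUS_TASK_NAMES or wll_in_staging_dir(ev["action"]):
            return ("scheduled_task_wll_persistence", ev["name"])
    return None

def scan(events):
    """Return (index, rule_name, evidence) for every matching event."""
    return [(i, *hit) for i, ev in enumerate(events) if (hit := match_event(ev))]

if __name__ == "__main__":
    for i, rule, evidence in scan(SAMPLE_EVENTS):
        print(f"event {i}: {rule} -> {evidence}")
```

The benign rundll32, Run-key and scheduled-task records are deliberately included so the rules key on the .wll path under a staging directory rather than on rundll32 or AppData alone.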
The post SandStorm Hackers Added New Kapeka Tool to its Arsenal appeared first on Cyber Security News.