A new backdoor named “Kapeka” has been identified to be attacking victims in Eastern Europe since mid-2022.
Kapeka is a flexible backdoor that acts as an initial stage toolkit for the threat actors.
In addition, the backdoor also overlaps with GreyEnergy and Prestige Ransomware attacks, which are linked to a threat group named Sandworm.
Sandworm threat actors are well-known Russian nation-state hackers that are particularly aimed at attacking Ukraine found to be operated by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
Technical Analysis
According to the reports shared with Cyber Security News, this backdoor consists of a dropper that drops and launches a backdoor on the compromised systems and removes itself.
The dropped backdoor will extract information and system information, which will then be sent to the threat actors.
Moreover, it also allows tasks to be passed back to the compromised machine. It is also speculated to have been used during the deployment of Prestige Ransomware in late 2022.
Additionally, this backdoor is also a successor of GreyEnergy.
Dropper Analysis
Kapeka Dropper is a 32-bit Windows Executable file that drops, executes, and sets up persistence for the backdoor on the victim’s machine.
Based on the executing process privilege, the backdoor is dropped as a hidden file inside a folder named “Microsoft” in the path “C:\ProgramData” or “C:\Users\<username>\AppData\Local”.
The process privilege also decides whether the dropper sets the persistence as a scheduled task or autorun registry.
In the case of the scheduled task, a task named “Sens API” is created with the schtasks command and set to run during the system startup as SYSTEM.
In the case of the autorun registry, an autorun entry named “Sens Api” is added under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the ‘reg add’ command.
Backdoor Analysis
The Kapeka Backdoor is a Windows DLL that is written in C++ and compiled using Visual Studio 2017.
The backdoor pretends to be a Microsoft Word Add-in with its extension .wll.
Like any other backdoor, this implementation is multi-threaded and uses event objects for data synchronization and signaling.
There were four main threads for the backdoor launch, which are as follows:
- The first thread performs the initialization and exit routine alongside C2 communication for receiving tasks and configurations.
- The second thread monitors for Windows logoff events and signals the primary thread for performing the backdoor’s exit routine during log-off.
- The third thread monitors incoming tasks that must be processed and also launches subsequent threads for executing every received task from the C2.
- The final thread monitors for task completions and sends back the processed task results to the C2.
The latest version of the backdoor consists of a custom algorithm that implements CRC32 and PRNG operations applied to both GUID and hardcoded values in the binary.
However, the backdoor has both embedded and persistent configurations encoded in JSON format.
| JSON | Key | Value |
| GafpPS | Nested object | Holds the C2 configuration components. |
| LsHsAO | Array | C2 Server URLs (required). This is the only mandatory field for the backdoor’s embedded configuration. |
| hM4cDc | Integer | Maximum live time (days) – The maximum number of days the backdoor will try connecting to the C2 since its initialization or last successful C2 poll before uninstalling itself. If not present, the default amount is 3 days. |
| nLMNzt | Integer | Maximum alive time (days) – The maximum number of days the backdoor will try connecting to the C2 since its initialization or last successful C2 poll before uninstalling itself. If not present, the default amount is 3 days. |
| rggw8m | Nested object | Holds the system time structure objects mentioned below. The values are generated & updated at runtime by the backdoor using GetSystemTimeAsFileTime(). This essentially keeps track of the backdoor’s alive time and last successful C2 poll. This is included in the persisted configuration in the registry. |
| bhpaLg | Integer | System time (Low-order part) |
| sEXtXs | Integer | System time (High-order part) |
| Command ID | Command | Required parameters |
| 0 | NotImplemented | – |
| 1 | Uninstall backdoor | – |
| 2 | Read files from the disk | XVXLNm – File path to read |
| 3 | Write to file on disk | XVXLNm – File path to writeINlB5x – File content to write |
| 4 | Launch process or payload | XVXLNm – Command line to process & launchINlB5x (optional) – Custom payload |
| 5 | Execute shell command | XVXLNm – Shell command to launch |
| 6 | Upgrade backdoor | – |
| Other | Return “unknown\n” | – |
Indicators of Compromise
| Type | Value | Note | Seen in | Seen on |
| Filename | crdss.exe | Backdoor dropper file name | Ukraine | June 2022 |
| Filename | %SYSTEM%\win32log.exe | Backdoor dropper file name | Estonia | September 2022 |
| SHA1 | 80fb042b4a563efe058a71a647ea949148a56c7c | Backdoor dropper hash | Ukraine | June 2022 |
| SHA1 | 5d9c189160423b2e6a079bec8638b7e187aebd37 | Backdoor dropper hash | Estonia | September 2022 |
| SHA1 | 6c3441b5a4d3d39e9695d176b0e83a2c55fe5b4e | Backdoor hash | Estonia | September 2022 |
| SHA1 | 97e0e161d673925e42cdf04763e7eaa53035338b | Backdoor hash | Ukraine | May 2023 |
| SHA1 | 9bbde40cab30916b42e59208fbcc09affef525c1 | Backdoor hash | Ukraine | June 2022 |
| URL | https[:]//103[.]78[.]122[.]94/help/healthcheck | Backdoor C2 address | – | – |
| URL | https[:]//88[.]80[.]148[.]65/news/article | Backdoor C2 address | – | – |
| URL | https[:]//185[.]181[.]229[.]102/home/info | Backdoor C2 address | – | – |
| URL | https[:]//185[.]38[.]150[.]8/star/key | Backdoor C2 address | – | – |
Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP
.webp "New macOS Adload Malware Bypasses Built-in macOS Antivirus Detection"){kind=small}
%20(1)%20(1).webp "Token Infrastructure Platform Hacked: $44.5 Million Stolen in Cryptos"){kind=small}