Kapeka Shows Similarities to Russian GRU Hacking Group’s GreyEnergy Malware
Hackers likely working for Russian military intelligence and tracked as Sandworm have, since at least mid-2022, deployed a new and highly flexible backdoor against Eastern European targets, security researchers warn.
Security firm WithSecure says the backdoor, which it has dubbed “Kapeka,” overlaps with the known Sandworm malware GreyEnergy and with the group’s malicious encryption attacks of 2022, which used a ransomware variant that advertised itself as “Prestige.”
Researchers discovered Kapeka – the name means “little stork” in Russian – in mid-2023 while investigating an unknown backdoor detected at an Estonian logistics company. The company assesses that hackers installed the backdoor in 2022.
“The backdoor’s victimology, infrequent sightings and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin,” WithSecure said. Microsoft has also detected the malware, tracking it as KnuckleTouch and attributing it in a February blog post to Sandworm, which Redmond tracks as Seashell Blizzard.
Although it ranks among the global heavyweights of intelligence agency hacking teams, Sandworm is known for its caution in deploying bespoke malware, out of a desire not to overexpose expensively custom-coded tooling to detection and countermeasures. “Kapeka’s infrequent sightings can be a testament for its meticulous usage by an advanced persistent actor (APT) in operations that span over years, such as the Russia-Ukraine conflict,” the WithSecure report reads.
The Kapeka backdoor operates as a 32-bit and 64-bit Windows executable responsible for dropping, executing and establishing persistence. Like GreyEnergy, Kapeka consists of a dropper component with the main backdoor embedded in it. Both applications create a folder called “Microsoft” in the file system directory containing application data for all users – if the victim has admin privileges – or otherwise in the file system directory for local application data. “Both backdoor DLLs are exported and called by the first ordinal (#1) via rundll32. This is an uncommon yet not unique method of exporting DLLs.” Both also generate their encryption keys in a similar fashion and to a similar length.
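As an added illustration, not code from WithSecure or from this article, the following Python routine triages process-creation command lines for the two traits the report describes together: rundll32 invoking a DLL by ordinal #1, and that DLL sitting under a “Microsoft” folder in the all-users or per-user local application data directory. The mapping of those two directories to ProgramData and AppData\Local, and the sample command lines and DLL names, are my assumptions.

```python
import re

# Constructed sample process-creation command lines (not from the report or
# any real incident). DLL names are placeholders.
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\rundll32.exe C:\ProgramData\Microsoft\svc.dll,#1',
    r'rundll32.exe "C:\Users\alice\AppData\Local\Microsoft\upd.dll",#1',
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL',
    r'rundll32.exe C:\Program Files\Vendor\helper.dll,#1',
    r'C:\Windows\System32\rundll32.exe C:\ProgramData\Microsoft\x.dll,Run',
    r'C:\Windows\explorer.exe',
]

# rundll32 <dll>,<export>, where <export> is a name or an ordinal such as #1.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>#\d+|\w+)',
    re.IGNORECASE)

# Assumption: the report's "application data for all users" folder is
# ProgramData and its "local applications" folder is AppData\Local, each
# with a "Microsoft" subfolder holding the dropped DLL.
DROP_DIR_RE = re.compile(
    r'\\(?:ProgramData|AppData\\Local)\\Microsoft\\[^\\]+\.dll$', re.IGNORECASE)


def classify(cmdline):
    """Return the list of indicators matched by one command line ([] if none)."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return []
    hits = []
    if m.group('export').lower() == '#1':
        hits.append('ordinal_1_export')
    if DROP_DIR_RE.search(m.group('dll')):
        hits.append('dll_in_microsoft_appdata_dir')
    return hits


def triage(cmdlines):
    """Return (cmdline, hits) pairs worth analyst review, strongest first.

    Both indicators together match the pattern the report describes; a single
    indicator is weak on its own, since legitimate software also calls
    rundll32 with ordinals, so it is listed after the two-indicator hits.
    """
    flagged = [(c, classify(c)) for c in cmdlines]
    flagged = [(c, h) for c, h in flagged if h]
    return sorted(flagged, key=lambda ch: -len(ch[1]))


if __name__ == '__main__':
    for cmd, hits in triage(SAMPLE_CMDLINES):
        print(f"{'+'.join(hits):45s} {cmd}")
```

Feed real Sysmon event 1 or Windows 4688 command lines in place of the constructed list; the ProgramData\Microsoft path is common on every Windows host, so only the combined hit should page an analyst.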
“It is probable that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm’s arsenal,” WithSecure said.
Kapeka’s deployment coincided with reported instances of Prestige ransomware attacks in Poland and Ukraine in fall 2022, incidents that Microsoft attributed to Sandworm (see: Microsoft Warns of Growing Russian Digital Threats to Europe).
Kapeka “was likely used in intrusions that led to the deployment of Prestige ransomware in late 2022,” WithSecure said.