Meet the New Flexible Kapeka Backdoor With Destructive Attacking Capabilities
A brand new backdoor named “Kapeka” has been identified attacking victims in Eastern Europe since mid-2022.
Kapeka is a flexible backdoor that acts as an early-stage toolkit for the threat actors.
In addition, the backdoor overlaps with GreyEnergy and Prestige Ransomware attacks, which are linked to a threat group named Sandworm.
Sandworm threat actors are prominent Russian nation-state hackers, particularly geared toward attacking Ukraine, found to be operated by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Technical Analysis
According to the reports shared with Cyber Security News, this backdoor comes with a dropper that drops and launches the backdoor on the compromised system and then removes itself.
The dropped backdoor extracts user and system information, which is then sent to the threat actors.
Moreover, it also allows tasks to be passed back to the compromised machine. It is also believed to have been used during the deployment of Prestige Ransomware in late 2022.
Additionally, this backdoor is likely a successor of GreyEnergy.
Dropper Analysis
The Kapeka dropper is a 32-bit Windows executable file that drops, executes, and sets up persistence for the backdoor on the victim’s machine.
Depending on the privilege of the executing process, the backdoor is dropped as a hidden file inside a folder named “Microsoft” in the path “C:\ProgramData” or “C:\Users
The process privilege also decides whether the dropper sets up persistence as a scheduled task or as an autorun registry entry.
In the case of the scheduled task, a task named “Sens API” is created with the schtasks command and set to run during system startup as SYSTEM.
In the case of the autorun registry, an autorun entry named “Sens Api” is added under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the ‘reg add’ command.
Backdoor Analysis
The Kapeka backdoor is a Windows DLL that is written in C++ and compiled using Visual Studio 2017.
The backdoor masquerades as a Microsoft Word Add-in, using the extension .wll.
Like any other backdoor, this implementation is multi-threaded and uses event objects for data synchronization and signaling.
There are four main threads at backdoor launch, which are as follows:
- The main thread performs the initialization and exit routine, alongside C2 communication for receiving tasks and configurations.
- The second thread monitors for Windows logoff events and signals the main thread to perform the backdoor’s exit routine during log-off.
- The third thread monitors incoming tasks that have to be processed and launches subsequent threads for executing each task received from the C2.
- The final thread monitors for task completions and sends the processed task results back to the C2.
The latest version of the backdoor contains a custom algorithm that implements CRC32 and PRNG operations applied to both a GUID and hardcoded values in the binary.
Furthermore, the backdoor has both embedded and persistent configurations encoded in JSON format.
| JSON key | Type | Value |
| --- | --- | --- |
| GafpPS | Nested object | Holds the C2 configuration parts. |
| LsHsAO | Array | C2 server URLs (required). This is the only mandatory field of the backdoor’s embedded configuration. |
| hM4cDc | Integer | Max dwell time (days) – The maximum number of days the backdoor will attempt to connect to the C2 since its initialization or last successful C2 poll before uninstalling itself. If not present, the default value is 3 days. |
| nLMNzt | Integer | Max alive time (days) – The maximum number of days the backdoor will attempt to connect to the C2 since its initialization or last successful C2 poll before uninstalling itself. If not present, the default value is 3 days. |
| rggw8m | Nested object | Holds the system time structure objects listed below. The values are generated and updated at runtime by the backdoor using GetSystemTimeAsFileTime(). This essentially keeps track of the backdoor’s alive time and last successful C2 poll. It is included in the persisted configuration in the registry. |
| bhpaLg | Integer | System time (low-order part) |
| sEXtXs | Integer | System time (high-order part) |
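The configuration table above, carried into working code as an added example (this is not code from the article or from the research it summarises): a decoder that maps the obfuscated keys to readable fields, reassembles the FILETIME that GetSystemTimeAsFileTime() stored as the bhpaLg/sEXtXs halves, applies the documented 3-day default when a field is absent, and checks whether the dwell window since the last successful poll has elapsed. The key names and the default come from the table; the nesting of the keys (rggw8m at top level, the others under GafpPS), the sample values and the function names are assumptions of this example.

```python
"""Decode a Kapeka-style configuration for analyst triage.

Added example, not code from the article or the research it summarises.
The JSON key names (GafpPS, LsHsAO, hM4cDc, nLMNzt, rggw8m, bhpaLg, sEXtXs)
and the 3-day default come from the article's table; the nesting, the sample
values and the function names are this example's own assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEFAULT_DAYS = 3  # article: "If not present, the default value is 3 days"


def filetime_to_datetime(low: int, high: int) -> datetime:
    """Reassemble the FILETIME from its low-order (bhpaLg) and high-order
    (sEXtXs) 32-bit halves and convert it to a UTC datetime."""
    ticks = ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime_parts(when: datetime) -> tuple:
    """Inverse of filetime_to_datetime; used here to build the sample config."""
    delta = when - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return ticks & 0xFFFFFFFF, ticks >> 32


def decode_config(raw: str) -> dict:
    """Map the obfuscated keys to readable fields, applying the documented defaults."""
    cfg = json.loads(raw)
    c2 = cfg.get("GafpPS") or {}
    urls = c2.get("LsHsAO")
    if not urls:
        # LsHsAO is the only mandatory field of the embedded configuration.
        raise ValueError("LsHsAO (C2 server URLs) missing")
    decoded = {
        "c2_urls": list(urls),
        "max_dwell_days": c2.get("hM4cDc", DEFAULT_DAYS),
        "max_alive_days": c2.get("nLMNzt", DEFAULT_DAYS),
        "last_poll": None,  # only present in the persisted (registry) copy
    }
    times = cfg.get("rggw8m")
    if times and "bhpaLg" in times and "sEXtXs" in times:
        decoded["last_poll"] = filetime_to_datetime(times["bhpaLg"], times["sEXtXs"])
    return decoded


def would_self_uninstall(decoded: dict, now: datetime) -> bool:
    """True when more than max_dwell_days have passed since the last successful
    C2 poll recorded in rggw8m, i.e. the implant would remove itself."""
    if decoded["last_poll"] is None:
        return False
    return now - decoded["last_poll"] > timedelta(days=decoded["max_dwell_days"])


# Constructed sample: a persisted configuration as it might be recovered from the
# registry. The URL is a TEST-NET placeholder, not one of the article's IoCs.
LAST_POLL = datetime(2023, 5, 1, tzinfo=timezone.utc)
CONSTRUCTED_CONFIG = json.dumps({
    "GafpPS": {
        "LsHsAO": ["https://198.51.100.10/placeholder"],
        "hM4cDc": 5,
        # nLMNzt deliberately omitted: the decoder must fall back to DEFAULT_DAYS
    },
    "rggw8m": dict(zip(("bhpaLg", "sEXtXs"), datetime_to_filetime_parts(LAST_POLL))),
})

if __name__ == "__main__":
    decoded = decode_config(CONSTRUCTED_CONFIG)
    for key, value in decoded.items():
        print(f"{key:>15}: {value}")
    print("expired after 6 days:", would_self_uninstall(decoded, LAST_POLL + timedelta(days=6)))
```

Running the module prints the decoded fields for the constructed config and shows the dwell check firing once more than the configured five days have passed since the recorded poll time; swapping in a configuration recovered from the registry is a matter of passing its JSON text to decode_config.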
| Task ID | Task | Required parameters |
| --- | --- | --- |
| 0 | NotImplemented | – |
| 1 | Uninstall backdoor | – |
| 2 | Read file from disk | XVXLNm – File path to read |
| 3 | Write file to disk | XVXLNm – File path to write; INlB5x – File content to write |
| 4 | Launch process or payload | XVXLNm – Command line to process & launch; INlB5x (optional) – Custom payload |
| 5 | Execute shell command | XVXLNm – Shell command to execute |
| 6 | Upgrade backdoor | – |
| Other | Return “unknown” | – |
Indicators of Compromise
| Type | Value | Note | Seen in | Seen on |
| --- | --- | --- | --- | --- |
| Filename | crdss.exe | Backdoor dropper file name | Ukraine | June 2022 |
| Filename | %SYSTEM%\win32log.exe | Backdoor dropper file name | Estonia | September 2022 |
| SHA1 | 80fb042b4a563efe058a71a647ea949148a56c7c | Backdoor dropper hash | Ukraine | June 2022 |
| SHA1 | 5d9c189160423b2e6a079bec8638b7e187aebd37 | Backdoor dropper hash | Estonia | September 2022 |
| SHA1 | 6c3441b5a4d3d39e9695d176b0e83a2c55fe5b4e | Backdoor hash | Estonia | September 2022 |
| SHA1 | 97e0e161d673925e42cdf04763e7eaa53035338b | Backdoor hash | Ukraine | May 2023 |
| SHA1 | 9bbde40cab30916b42e59208fbcc09affef525c1 | Backdoor hash | Ukraine | June 2022 |
| URL | https[:]//103[.]78[.]122[.]94/help/healthcheck | Backdoor C2 address | – | – |
| URL | https[:]//88[.]80[.]148[.]65/news/article | Backdoor C2 address | – | – |
| URL | https[:]//185[.]181[.]229[.]102/home/news | Backdoor C2 address | – | – |
| URL | https[:]//185[.]38[.]150[.]8/star/key | Backdoor C2 address | – | – |
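The indicators in the table above and the persistence names from the Dropper Analysis section (the “Sens Api” scheduled task and HKCU Run value), applied as a hunt in one added example (this is not code from the article or from the research it summarises): the script refangs the defanged C2 URLs, hashes files and compares names and SHA-1s, and flags the task and Run-key names, all run over a constructed host inventory. The indicator values are copied from the article; the inventory records, the file bytes and the function names are constructed for this example.

```python
"""Hunt for the article's Kapeka indicators across a constructed host inventory.

Added example, not code from the article or the research it summarises.
Indicator values (dropper file names, SHA-1 hashes, defanged C2 URLs, the
"Sens Api" task / Run-value name, the HKCU Run key) are taken from the article;
the inventory records, file bytes and function names are constructed here.
"""
import hashlib
from typing import Optional
from urllib.parse import urlparse

DROPPER_NAMES = {"crdss.exe", "win32log.exe"}  # article: crdss.exe, %SYSTEM%\win32log.exe
SHA1_IOCS = {
    "80fb042b4a563efe058a71a647ea949148a56c7c": "backdoor dropper (Ukraine, June 2022)",
    "5d9c189160423b2e6a079bec8638b7e187aebd37": "backdoor dropper (Estonia, September 2022)",
    "6c3441b5a4d3d39e9695d176b0e83a2c55fe5b4e": "backdoor (Estonia, September 2022)",
    "97e0e161d673925e42cdf04763e7eaa53035338b": "backdoor (Ukraine, May 2023)",
    "9bbde40cab30916b42e59208fbcc09affef525c1": "backdoor (Ukraine, June 2022)",
}
C2_URLS_DEFANGED = [
    "https[:]//103[.]78[.]122[.]94/help/healthcheck",
    "https[:]//88[.]80[.]148[.]65/news/article",
    "https[:]//185[.]181[.]229[.]102/home/news",
    "https[:]//185[.]38[.]150[.]8/star/key",
]
PERSISTENCE_NAME = "sens api"  # task "Sens API" / Run value "Sens Api", compared case-insensitively
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def refang(ioc: str) -> str:
    """Turn the defanged form used in the article back into a comparable URL."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def url_key(url: str) -> tuple:
    """Compare on host + path only, so a different port or query string still hits."""
    parsed = urlparse(url)
    return (parsed.hostname or "").lower(), parsed.path.rstrip("/")


C2_KEYS = {url_key(refang(u)) for u in C2_URLS_DEFANGED}


def match_file(path: str, data: bytes) -> list:
    """Return the reasons a file matches: known dropper name and/or known SHA-1."""
    hits = []
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in DROPPER_NAMES:
        hits.append(f"file name {name} matches a Kapeka dropper name")
    digest = hashlib.sha1(data).hexdigest()
    if digest in SHA1_IOCS:
        hits.append(f"SHA-1 {digest} is a known Kapeka {SHA1_IOCS[digest]}")
    return hits


def match_url(url: str) -> bool:
    return url_key(url) in C2_KEYS


def match_persistence(record: dict) -> Optional[str]:
    """Flag the scheduled task or the HKCU Run value named 'Sens Api'."""
    name = record.get("name", "").lstrip("\\").lower()
    if record["type"] == "task" and name == PERSISTENCE_NAME:
        return f"scheduled task '{record['name']}' (Kapeka persistence, runs as {record.get('run_as', '?')})"
    if (record["type"] == "run_key" and record.get("key", "").lower() == RUN_KEY.lower()
            and name == PERSISTENCE_NAME):
        return f"Run value '{record['name']}' under {RUN_KEY} (Kapeka persistence)"
    return None


def scan(records: list) -> list:
    """Apply every indicator to every record; returns (record index, reason) pairs."""
    findings = []
    for i, rec in enumerate(records):
        if rec["type"] == "file":
            findings += [(i, reason) for reason in match_file(rec["path"], rec["data"])]
        elif rec["type"] in ("task", "run_key"):
            reason = match_persistence(rec)
            if reason:
                findings.append((i, reason))
        elif rec["type"] == "proxy_log" and match_url(rec["url"]):
            findings.append((i, f"outbound request to Kapeka C2 {rec['url']}"))
    return findings


# Constructed inventory. The file bytes are placeholders, so only the name-based
# file indicator can fire on them; the SHA-1 check stays functional for real samples.
CONSTRUCTED_INVENTORY = [
    {"type": "file", "path": r"C:\Windows\System32\win32log.exe", "data": b"constructed placeholder"},
    {"type": "file", "path": r"C:\Windows\System32\notepad.exe", "data": b"another constructed file"},
    {"type": "task", "name": r"\Sens Api", "run_as": "SYSTEM"},
    {"type": "run_key", "key": RUN_KEY, "name": "Sens Api", "command": "<constructed launch command>"},
    {"type": "run_key", "key": RUN_KEY, "name": "OneDrive", "command": "<constructed launch command>"},
    {"type": "proxy_log", "url": "https://88.80.148.65/news/article?id=1"},
    {"type": "proxy_log", "url": "https://www.example.com/news/article"},
]

if __name__ == "__main__":
    for index, reason in scan(CONSTRUCTED_INVENTORY):
        print(f"record {index}: {reason}")
```

The records are deliberately plain dictionaries so that the same scan() can be fed from whatever produced the inventory (a file listing, an export of scheduled tasks and Run keys, or proxy logs); URL matching ignores scheme, port and query string, because the article lists host and path only and a proxy log will often carry extra components.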
Source credit: cybersecuritynews.com