Emerging from the shadows of the cyber landscape, a previously undocumented backdoor named Kapeka has surfaced in cyber attacks primarily targeting Eastern European nations, with notable instances observed in Estonia and Ukraine since mid-2022. Identified by Finnish cybersecurity firm WithSecure, the malware has been linked to the Russia-associated advanced persistent threat (APT) group Sandworm, also known as APT44 or Seashell Blizzard.
Described as a “flexible” backdoor, Kapeka boasts a range of capabilities aimed at facilitating various stages of a cyber intrusion, from initial exploitation to establishing persistent access within the victim’s infrastructure. According to security researcher Mohammad Kazem Hassan Nejad, the malware comprises a dropper responsible for initiating the deployment of the backdoor component onto the compromised system, subsequently ensuring its removal to evade detection.
Microsoft, in its advisory from February 2024, outlined Kapeka’s involvement in multiple cyber campaigns, highlighting its capacity to execute diverse functions such as credential theft, data exfiltration, destructive attacks, and enabling remote access for threat actors. Leveraging a Windows DLL written in C++, the backdoor employs an embedded command-and-control (C2) configuration to communicate with actor-controlled servers, enabling the retrieval of commands and transmission of executed tasks.
Notably, Kapeka demonstrates a level of sophistication in its propagation and operation, utilizing techniques such as masquerading as a legitimate Microsoft Word add-in and leveraging the WinHttp 5.1 COM interface for network communication. Moreover, its capability to update C2 configurations dynamically underscores its adaptability and resilience against detection and mitigation efforts.
The exact propagation method remains undisclosed, although Microsoft has indicated the use of a legitimate utility, certutil, to retrieve the dropper from compromised websites, showcasing the APT’s adeptness at leveraging living-off-the-land binaries (LOLBins) for attack orchestration. Given its conceptual and configuration similarities with previously identified APT families like GreyEnergy and Prestige, Kapeka represents a significant evolution in Sandworm’s arsenal, posing a substantial threat to targeted entities.
