Kapeka, also known as KnuckleTouch, is a sophisticated backdoor malware that has been making waves in the cybersecurity world.
Initially appearing in mid-2022, it wasn’t until 2024 that Kapeka was formally tracked due to its involvement in limited-scope attacks, particularly in Eastern Europe.
The Sandstorm Connection Kapeka is linked to the Sandstorm Group, operated by Russia’s Military Unit 74455, known for its disruptive cyber activities.
This group, also referred to as Sandworm, has a history of targeting Ukraine’s critical infrastructure amidst geopolitical tensions.
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
- Real-time Detection
- Interactive Malware Analysis
- Easy to Learn by New Security Team members
- Get detailed reports with maximum data
- Set Up Virtual Machine in Linux & all Windows OS Versions
- Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
Kapeka exhibits a range of advanced functionalities, including initialization, command-and-control (C2) communication, task execution, and persistence mechanisms.
Kapeka utilizes a dropper malware to initiate the infection process.
This dropper deploys the actual backdoor file (a Windows DLL) disguised as a “.wll” file and positions it within system directories like “ProgramData” or “AppData.”
To ensure continuous operation, Kapeka employs multiple persistence mechanisms:
- Autorun Registry: Modification alters the autorun registry key to execute the backdoor file upon system startup.
- Scheduled Tasks: It creates a scheduled task using “schtasks.exe” to achieve persistence, especially if the initial method fails due to privilege limitations.
- Batch File Removal: A batch file is dropped to eliminate the original dropper after successful backdoor deployment.
C2 Communication and Functionality Highlights
Kapeka communicates with its command-and-control (C2) server using the WinHttp API, exchanging data in JSON format.
The C2 configuration is encrypted with AES-256 for enhanced security.
Here’s a breakdown of Kapeka’s key functionalities:
- Initialization and Fingerprinting: It gathers information about the victim’s system (operating system details, usernames, machine/domain names) through system calls and registry searches. This data is then converted to JSON for transmission.
Task Execution: Based on C2 server commands, Kapeka can perform various actions on the compromised system, including:
- Self-uninstallation
- Downloading files from the C2 server
- Uploading files to the C2 server
- Executing commands or launching new processes
- Updating itself with a newer version
- Running shell commands
These features pose significant challenges to detection and underline the backdoor’s advanced capabilities.
Post Investigation, LOGPOINT recommends organizations leverage security tools like SIEM (Security Information and Event Management) solutions to detect suspicious activities.
Here are some potential indicators of compromise (IOCs) to look for:
- Registry key modifications related to autorun entries containing suspicious file paths (e.g.,”AppDataLocalMicrosoftjagyg.wll”)
- Scheduled tasks with unusual names like “Sens Api” referencing specific commands.
- Processes associated with “rundll32.exe” executing “.wll” files located in non-standard directories.
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide