Meet the New Flexible Kapeka Backdoor With Destructive Attacking Capabilities

A new backdoor named “Kapeka” has been identified to be attacking victims in Eastern Europe since mid-2022.

Kapeka is a flexible backdoor that acts as an initial stage toolkit for the threat actors.

In addition, the backdoor also overlaps with GreyEnergy and Prestige Ransomware attacks, which are linked to a threat group named Sandworm.

Sandworm threat actors are well-known Russian nation-state hackers that are particularly aimed at attacking Ukraine found to be operated by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

Technical Analysis

According to the reports shared with Cyber Security News, this backdoor consists of a dropper that drops and launches a backdoor on the compromised systems and removes itself.

The dropped backdoor will extract information and system information, which will then be sent to the threat actors.

Moreover, it also allows tasks to be passed back to the compromised machine. It is also speculated to have been used during the deployment of Prestige Ransomware in late 2022.

Additionally, this backdoor is also a successor of GreyEnergy.

Overview of Kapela Backdoor (Source: WithSecure)
Overview of Kapela Backdoor (Source: WithSecure)

Dropper Analysis

Kapeka Dropper is a 32-bit Windows Executable file that drops, executes, and sets up persistence for the backdoor on the victim’s machine.

Based on the executing process privilege, the backdoor is dropped as a hidden file inside a folder named “Microsoft” in the path  “C:\ProgramData” or “C:\Users\<username>\AppData\Local”.

The process privilege also decides whether the dropper sets the persistence as a scheduled task or autorun registry.

In the case of the scheduled task, a task named “Sens API” is created with the schtasks command and set to run during the system startup as SYSTEM. 

In the case of the autorun registry, an autorun entry named “Sens Api” is added under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the ‘reg add’ command. 

Backdoor Analysis

The Kapeka Backdoor is a Windows DLL that is written in C++ and compiled using Visual Studio 2017.

The backdoor pretends to be a Microsoft Word Add-in with its extension .wll.

Like any other backdoor, this implementation is multi-threaded and uses event objects for data synchronization and signaling.

There were four main threads for the backdoor launch, which are as follows:

  • The first thread performs the initialization and exit routine alongside C2 communication for receiving tasks and configurations. 
  • The second thread monitors for Windows logoff events and signals the primary thread for performing the backdoor’s exit routine during log-off.
  • The third thread monitors incoming tasks that must be processed and also launches subsequent threads for executing every received task from the C2.
  • The final thread monitors for task completions and sends back the processed task results to the C2.

The latest version of the backdoor consists of a custom algorithm that implements CRC32 and PRNG operations applied to both GUID and hardcoded values in the binary.

However, the backdoor has both embedded and persistent configurations encoded in JSON format. 

GafpPSNested objectHolds the C2 configuration components.
LsHsAOArrayC2 Server URLs (required). This is the only mandatory field for the backdoor’s embedded configuration.
hM4cDcIntegerMaximum live time (days) – The maximum number of days the backdoor will try connecting to the C2 since its initialization or last successful C2 poll before uninstalling itself. If not present, the default amount is 3 days.
nLMNztIntegerMaximum alive time (days) – The maximum number of days the backdoor will try connecting to the C2 since its initialization or last successful C2 poll before uninstalling itself. If not present, the default amount is 3 days.
rggw8mNested objectHolds the system time structure objects mentioned below. The values are generated & updated at runtime by the backdoor using GetSystemTimeAsFileTime(). This essentially keeps track of the backdoor’s alive time and last successful C2 poll. This is included in the persisted configuration in the registry.
bhpaLgIntegerSystem time (Low-order part)
sEXtXsIntegerSystem time (High-order part)
Command IDCommandRequired parameters
1Uninstall backdoor
2Read files from the diskXVXLNm – File path to read
3Write to file on diskXVXLNm – File path to writeINlB5x – File content to write
4Launch process or payloadXVXLNm – Command line to process & launchINlB5x (optional) – Custom payload
5Execute shell commandXVXLNm – Shell command to launch
6Upgrade backdoor 
OtherReturn “unknown\n”

Indicators of Compromise

TypeValueNoteSeen inSeen on
Filenamecrdss.exeBackdoor dropper file nameUkraineJune 2022
Filename%SYSTEM%\win32log.exeBackdoor dropper file nameEstoniaSeptember 2022
SHA180fb042b4a563efe058a71a647ea949148a56c7cBackdoor dropper hashUkraineJune 2022
SHA15d9c189160423b2e6a079bec8638b7e187aebd37Backdoor dropper hashEstoniaSeptember 2022
SHA16c3441b5a4d3d39e9695d176b0e83a2c55fe5b4eBackdoor hashEstoniaSeptember 2022
SHA197e0e161d673925e42cdf04763e7eaa53035338bBackdoor hashUkraineMay 2023
SHA19bbde40cab30916b42e59208fbcc09affef525c1Backdoor hashUkraineJune 2022
URLhttps[:]//103[.]78[.]122[.]94/help/healthcheckBackdoor C2 address
URLhttps[:]//88[.]80[.]148[.]65/news/articleBackdoor C2 address
URLhttps[:]//185[.]181[.]229[.]102/home/infoBackdoor C2 address
URLhttps[:]//185[.]38[.]150[.]8/star/keyBackdoor C2 address

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP