Ukraine, Estonia, and other countries in Eastern Europe have been targeted by Russian state-backed advanced persistent threat operation Sandworm, also known as APT44 and Seashell Blizard, in attacks distributing the new Kapeka malware, also known as KnuckleTouch, since mid-2022, according to The Hacker News.
Intrusions involved the deployment of Kapeka malware that contains a dropper delivering a backdoor spoofing a Microsoft Word add-in that not only gathers impacted systems' information but also facilitates instruction retrieval and processing before proceeding with results exfiltration to the command-and-control server, a report from WithSecure revealed.
Researchers associated the newly discovered payload with Sandworm after discovering similarities with the Prestige and GreyEnergy ransomware strains delivered in previous attacks.
"It is likely that Kapeka was used in intrusions that led to the deployment of Prestige ransomware in late 2022. It is probable that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm's arsenal," said WithSecure.
