Ransomware, Network Security, Threat Intelligence

Novel Kapeka backdoor leveraged in Sandworm attacks

Russia and Presidential elections

Ukraine, Estonia, and other countries in Eastern Europe have been targeted by Russian state-backed advanced persistent threat operation Sandworm, also known as APT44 and Seashell Blizard, in attacks distributing the new Kapeka malware, also known as KnuckleTouch, since mid-2022, according to The Hacker News.

Intrusions involved the deployment of Kapeka malware that contains a dropper delivering a backdoor spoofing a Microsoft Word add-in that not only gathers impacted systems' information but also facilitates instruction retrieval and processing before proceeding with results exfiltration to the command-and-control server, a report from WithSecure revealed.

Researchers associated the newly discovered payload with Sandworm after discovering similarities with the Prestige and GreyEnergy ransomware strains delivered in previous attacks.

"It is likely that Kapeka was used in intrusions that led to the deployment of Prestige ransomware in late 2022. It is probable that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm's arsenal," said WithSecure.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.