Understanding the ‘Kapeka’ Backdoor: Detailed Analysis by APT44

Download Report

Kapeka Backdoor is a sophisticated malware that prepares a platform for malware execution by communicating with infected devices. Through command-and-control (C2) communication, attackers can send commands and take control of target systems. This backdoor is similar to another backdoor known as QUEUESEED, which has the same hash and characteristics. Both malware have been attributed to the Russian APT group Sandworm.

This report aims to highlight the importance of this threat by discussing the technical details and attack vectors of the Kapeka Backdoor in detail. It also aims to help organizations be better prepared for such attacks by providing information on attack detection and defense strategies.

Key findings include:

The analysis revealed that the Russian APT44 group has actively used this malware since 2022.
The latest iteration of the backdoor includes a special algorithm that applies CRC32 and PRNG operations to both GUID and hard-coded values within the binary file. Furthermore, the embedded and persistent configurations of the backdoor are encoded in JSON format.
APT44 is a threat actor operating in a wide geographical area and targeting organizations in various sectors. It operates in countries such as Azerbaijan, Belarus, Georgia, Iran, Israel, Kazakhstan, Kyrgyzstan, Lithuania, Poland, and Russia, with a particular focus on Ukraine.
MITRE ATT&CK techniques, Mitigation strategies, Indicators of Compromise (IOCs).

Relevant Reports

We see the full picture of the evolving cyber threat landscape thanks to unique tools for monitoring the infrastructure used by cybercriminals and data from battlefields: