Understanding the 'Kapeka' Backdoor: Detailed Analysis by APT44


Kapeka Backdoor is a sophisticated malware family that establishes a foothold on infected devices and serves as a platform for executing further malware. Through command-and-control (C2) communication, attackers can send commands to and take control of target systems. This backdoor is similar to another backdoor known as QUEUESEED, which has the same hash and characteristics. Both malware families have been attributed to Sandworm, the Russian APT group.

This report aims to highlight the importance of this threat by discussing the technical details and attack vectors of the Kapeka Backdoor. It also aims to help organizations prepare for such attacks by providing information on detection and defense strategies.

Key findings include:

  • The analysis revealed that the Russian APT44 group has actively used this malware since 2022.
  • The latest iteration of the backdoor includes a special algorithm that applies CRC32 and PRNG operations to both a GUID and hard-coded values within the binary. Furthermore, the backdoor's embedded and persistent configurations are encoded in JSON format.
  • APT44 is a threat actor operating across a wide geographical area and targeting organizations in various sectors. It operates in countries such as Azerbaijan, Belarus, Georgia, Iran, Israel, Kazakhstan, Kyrgyzstan, Lithuania, Poland, and Russia, with a particular focus on Ukraine.
  • The report also covers MITRE ATT&CK techniques, mitigation strategies, and Indicators of Compromise (IOCs).