# Understanding the 'Kapeka' Backdoor: Detailed Analysis by APT44

## Table of Contents

- Introduction
- Countries Targeted by APT44 (Sandworm)
- Infection Chain
- Backdoor Dropper Analysis
- Backdoor Analysis
- MITRE ATT&CK
- IOCs
- Detection (Dropper Yara Rule, Backdoor Yara Rule)
- Defense Strategies

## Introduction

Kapeka Backdoor is a sophisticated malware that prepares a platform for malware execution by communicating with infected devices. Through command-and-control (C2) communication, attackers can send commands and take control of target systems. This backdoor is similar to another backdoor known as QUEUESEED, which has the same hash and characteristics. Both malware have been attributed to the Russian APT group Sandworm.

This report aims to highlight the importance of this threat by discussing the technical details and attack vectors of the Kapeka Backdoor in detail. It also aims to help organizations be better prepared for such attacks by providing information on attack detection and defense strategies.
This report focuses on a technical analysis of the origins, propagation methods, and activities of the recently discovered Kapeka Backdoor. In particular, a detailed examination and evaluation of the Kapeka Backdoor attributed to the Russian Sandworm Group was conducted. The analysis revealed that this malware has been actively used by the Russian APT44 group since 2022.

Kapeka is a sophisticated backdoor designed for initial discovery and persistent infiltration of targeted systems. It is developed in C++ and disguises itself as a Microsoft Word Add-in (.wll). The installer silently installs, runs the backdoor, and removes itself from the environment. It continues to initiate data collection and external data transfer to threat actors, providing persistence through scheduled task creation or autorun registry entries, depending on system privileges.

Using multi-threading, Kapeka efficiently processes incoming directives and communicates with the Command and Control (C2) server via the WinHttp 5.1 COM interface. Its capabilities include file manipulation, execution of uploaded code, execution of shell commands, and even self-updating and uninstallation, giving attackers extensive control over compromised systems.

Initially dropped as a hidden file inside a folder named 'Microsoft' in paths such as 'C:\ProgramData' or 'C:\Users\<user>\AppData\Local', Kapeka establishes persistence via a scheduled task or an autorun registry entry, depending on the privileges of the process.
The backdoor operates with four main threads: the first thread manages the initialization, C2 communication, and exit routines; the second thread monitors Windows logout events and signals the primary thread to execute the exit routine during logout; the third thread monitors incoming tasks and starts subsequent threads to execute each task received from C2; and the last thread monitors task completion and sends the processed results back to C2.

In addition, the backdoor communicates with the C2 server to receive tasks and send back fingerprint information and task results. It has a reconfigurable feature and allows updates during runtime by fetching a new version from the C2 server. The latest iteration of the backdoor includes a special algorithm that applies CRC32 and PRNG operations to both GUID and hard-coded values within the binary file. Furthermore, the embedded and persistent configurations of the backdoor are encoded in JSON format.

## Countries Targeted by APT44 (Sandworm)

APT44 is a threat actor operating in a wide geographical area and targeting organizations in various sectors. It operates in countries such as Azerbaijan, Belarus, Georgia, Iran, Israel, Kazakhstan, Kyrgyzstan, Lithuania, Poland, and Russia, with a particular focus on Ukraine. In addition to targeting organizations related to energy, industrial control systems, SCADA, and national defense, this group targets organizations in various sectors such as governments, transportation, energy, media, and social organizations. APT44's activities pose a significant risk, especially in regions that intersect with the interests of the Russian state, which is why it also targets organizations in North America, Europe, the Middle East, Central Asia, and Latin America.

## Infection Chain

### Backdoor Dropper Analysis

Figure 1 - Dropped dll

| Field | Value |
|---|---|
| File Name | dropper.exe |
| MD5 | 50b5582904fe34451f5cb2362e11cb24 |
| SHA256 | bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f |

Figure 2 - Execute dll

The command shown in Figure 2 uses the ShellExecute API to invoke the rundll32.exe utility with specific parameters. It directs the system to execute the function designated by ordinal number 1 within the vozet.wll DLL file located in the "C:\Users\admin\AppData\Local\Microsoft" directory. The addition of the "-d" flag instructs the DLL to run in debug mode. This command executes a particular function within the DLL through rundll32.exe, which also provides a pathway for debugging and analyzing the DLL's behavior.

Figure 3 - Registry entry

Figure 5 - .bat file detail

A batch file is created under the directory "C:\Users\admin\AppData". This batch file is designed to remove the malicious backdoor dropper from the system after the backdoor has been installed. After the installer completes the installation of the backdoor, it creates a batch file that checks for the dropper's presence and deletes it if it exists. This batch file is executed using a command prompt (cmd.exe) on the system. The installer thus permanently removes itself from the system.

## Backdoor Analysis

| Field | Value |
|---|---|
| File Name | kapeka.dll |
| MD5 | 5294aaf2ff80547172ebb9e0bcb52e0f |
| SHA256 | f30b9f6e913798ca52154c88725ee262a7bf92fe7caac1ae2e5147e457b9b08a |

Figure 6 - The -d parameter is used to check whether it is running or not

The backdoor also reads the current configuration held in the registry during the initialization phase. Depending on whether the backdoor is initialized with the '-d' argument and on the current configuration in the registry, the backdoor chooses which configuration to use. If the '-d' argument (specifying the first run) is provided, the backdoor prefers its embedded configuration; otherwise it reads the current configuration from the registry, reverting to the embedded configuration if the registry copy is not available.

Figure 7 - Create a registry key

Figure 8 - Create mutex

The backdoor protects its settings by storing them in a registry value named "Seed" under the path "HKU\Software\Microsoft\Cryptography\Providers". Initially, it obtains a GUID value by calling GetCurrentHwProfileW() and reading the szHwProfileGuid field. If GetCurrentHwProfileW() fails, the backdoor falls back to a hard-coded GUID value. The backdoor also generates its mutex using an algorithm that produces a name similar to "Global\BFE_Notify_Event_{{{e3d32dc0-dd0b-11ed-a558-806e6f6e6963}}".

Figure 9 - Json keys

Additionally, the backdoor employs JSON formatting for both internal data exchange and communication with the command and control server.
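As an added example (not from the ThreatMon report), the dropper chain described above, rundll32 loading a .wll by ordinal with the -d switch from AppData\Local\Microsoft, cmd.exe running the self-deleting batch file under AppData, and the write to the "Seed" registry value, expressed as detection logic run over constructed Sysmon-style events; the SID, the batch file name cleanup.bat and the parent process paths are assumptions.

```python
import re

# Constructed Sysmon-style events (hypothetical, written for this example, not
# captured telemetry). Events 1-3 mimic the chain the report describes; the last
# is ordinary rundll32 usage that must not fire. SID, batch name, parents assumed.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\admin\AppData\Local\Microsoft\vozet.wll",#1 -d',
     "parent": r"C:\Users\admin\Downloads\dropper.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\admin\AppData\cleanup.bat"',
     "parent": r"C:\Users\admin\Downloads\dropper.exe"},
    {"type": "registry", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Cryptography\Providers\Seed"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
]

# Staging locations named in the report: ProgramData and per-user AppData.
USER_WRITABLE = re.compile(r"\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.I)
# rundll32 loading a module whose extension is not .dll by ordinal: "...\vozet.wll",#1
ORDINAL_CALL = re.compile(r'"?([^"\s,]+\.(?!dll\b)[a-z0-9]{1,4})"?\s*,\s*#\d+', re.I)
BAT_IN_APPDATA = re.compile(r'\\AppData\\[^\s"]*\.bat\b', re.I)
SEED_VALUE = re.compile(r"\\Software\\Microsoft\\Cryptography\\Providers\\Seed$", re.I)


def check_rundll32(ev):
    """T1218.011 + T1036: rundll32 running a non-.dll module by ordinal from a staging path."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("rundll32.exe"):
        return []
    m = ORDINAL_CALL.search(ev["cmdline"])
    if not m or not USER_WRITABLE.search(m.group(1)):
        return []
    hits = ["T1218.011", "T1036"]
    if re.search(r"\s-d(\s|$)", ev["cmdline"]):  # first-run switch described in the report
        hits.append("first-run -d switch")
    return hits


def check_cleanup_batch(ev):
    """T1059.003: cmd.exe running a batch file under AppData, spawned by a non-shell parent."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("cmd.exe"):
        return []
    shell_parent = ev["parent"].lower().endswith(("explorer.exe", "cmd.exe"))
    return ["T1059.003"] if BAT_IN_APPDATA.search(ev["cmdline"]) and not shell_parent else []


def check_seed_value(ev):
    """T1112: a write to the 'Seed' value the backdoor uses to store its configuration."""
    if ev["type"] == "registry" and SEED_VALUE.search(ev["target"]):
        return ["T1112"]
    return []


def detect(events):
    """Apply every check to each event; return one finding per suspicious event."""
    findings = []
    for ev in events:
        techniques = check_rundll32(ev) + check_cleanup_batch(ev) + check_seed_value(ev)
        if techniques:
            findings.append({"image": ev["image"], "techniques": techniques})
    return findings
```

Call `detect(SAMPLE_EVENTS)` to see the three findings; the benign rundll32 event produces none because it loads a .dll without an ordinal and from a system path.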
In total, 36 distinct JSON keys are used, each obfuscated and comprised of 6 characters. To protect its data, the backdoor employs three distinct encryption and encoding methods: AES-256 in CBC mode, XOR, and RSA-2048.

Figure 11 - C2 configuration

The JSON data shown in Figure 11 is the configuration of the Kapeka backdoor. It contains the keys and values used to control the functionality and behavior of the backdoor. This structure includes settings such as the URL for connecting to a specific command and control server, the connection frequency, the update time and other properties. It covers both the embedded (hard-coded) and the persistent configuration, meaning it also contains the configuration settings stored on the device. These keys determine the backdoor's control mechanisms and communication behavior.

Figure 12 - Sends information about the user profile in JSON format

During the initialization phase, the backdoor obtains information about the infected system and its user through a series of Windows APIs and registry queries. This information is organized internally in a predefined structure and then converted into JSON format. During its initial and subsequent interactions with the command and control server, the backdoor transmits this JSON data to the server.

Figure 13 - Details of the information sent in JSON

After acquiring device-specific information, the Kapeka backdoor completes its access to the compromised device. Leveraging the generated autorun key, the backdoor ensures that it is automatically reactivated on every system boot and re-establishes communication with the designated server.
## MITRE ATT&CK

| Tactic | Technique ID | Technique |
|---|---|---|
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Discovery | T1082 | System Information Discovery |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1218.011 | System Binary Proxy Execution: Rundll32 |
| Defense Evasion | T1036 | Masquerading |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |

## IOCs

| Type | Indicator |
|---|---|
| IP | 185[.]38[.]150[.]8 |
| IP | 196[.]245[.]156[.]154 |
| IP | 193[.]189[.]100[.]203 |
| IP | 5[.]45[.]75[.]45 |
| URL | hxxps://185[.]38[.]150[.]8:443/star/key |
| URL | hxxps://194[.]61[.]121[.]211/application |
| Dropper Hash | bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f |
| Dropper Hash | 80fb042b4a563efe058a71a647ea949148a56c7c |
| Backdoor Hash | 272cfaebf22e0f6a34c0a93b7c9c5b67c725947ba0f17e60ed67dbf6e1602043 |
| Backdoor Hash | 6c3441b5a4d3d39e9695d176b0e83a2c55fe5b4e |
| Backdoor Hash | 5294aaf2ff80547172ebb9e0bcb52e0f |

## Detection

### Dropper Yara Rule

```yara
import "hash"

rule Kapeka_Backdoor
{
    meta:
        author = "Kerime Gencay"
        source = "ThreatMon"
        description = "Kapeka_Backdoor Rule"
        file_name = "dropper.exe"
        hash = "50b5582904fe34451f5cb2362e11cb24"

    strings:
        // opcode sequences taken from the dropper
        $opc1 = { 8B 55 C8 8D 45 F8 8B 4D FC 50 C7 45 F8 00 00 00 00 E8 AB EB FF FF 84 C0 74 1A 8D 45 F4 }
        $opc2 = { FF 15 9C D0 40 00 50 FF 15 A0 D0 40 00 8B F0 85 F6 74 19 53 8D 45 DC 50 56 FF 15 9C D1 40 00 8B 45 FC }

    condition:
        // PE (MZ) header and either opcode sequence, in the same form as the backdoor rule
        uint16(0) == 0x5A4D and any of ($opc*)
}
```

### Backdoor Yara Rule

```yara
import "hash"

rule Kapeka_Backdoor
{
    meta:
        author = "Kerime Gencay"
        source = "ThreatMon"
        description = "Kapeka_Backdoor Rule"
        file_name = "kapeka.dll"
        hash = "5294aaf2ff80547172ebb9e0bcb52e0f"

    strings:
        // obfuscated 6-character JSON keys used by the backdoor
        $str1 = "jxs2HZ"
        $str2 = "BFF9F38C7760A28C"
        $str3 = "LsHsAO"
        $str4 = "jRcZrx"
        $str5 = "SIsKba"
        $str6 = "KKGCUr"
        $str7 = "GafpPS"
        $str8 = "LsHsAO"
        // opcode sequences taken from the backdoor
        $opc1 = { E8 E4 AE FF FF 4C 8B C0 33 D2 33 C9 FF 15 37 D7 00 00 48 85 C0 48 89 87 08 04 00 00 }
        $opc2 = { 48 8D 0D 54 63 00 00 E8 43 10 FF FF 41 8D 54 24 05 48 8B D8 48 8D 4C 24 20 }
        $opc3 = { FF 15 22 F4 00 00 48 8D 0D 83 1A 01 00 48 89 47 10 FF 15 F1 F5 00 00 48 8D 0D 92 1A 01 00 48 89 47 60 FF 15 E0 F5 00 00 }

    condition:
        // PE (MZ) header and any one of the strings or opcode sequences
        uint16(0) == 0x5A4D and (any of ($str*, $opc*))
}
```

## Defense Strategies

- Implement application whitelisting to allow only trusted and authorized programs to run on the system.
- Restrict user and application access to the Windows Registry, and regularly monitor and audit registry changes.
- Limit unnecessary information exposure, and regularly review and restrict access to sensitive data.
- Use advanced threat detection tools that can identify obfuscated or encrypted files and code.
- Implement strong authentication and access controls, and educate users about social engineering tactics.
- Regularly monitor and restrict the use of archive and compression tools.
- Use secure, encrypted connections (HTTPS), and implement multi-factor authentication to protect session cookies.
- Implement proper password policies and practices, and regularly audit and secure credentials.