Potential Kapeka Decrypted Backdoor Indicator

Detects the presence of a file that is the decrypted backdoor binary dropped by the Kapeka dropper. The dropper writes it as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a ".wll" extension so that it poses as a legitimate file and evades detection.

Sigma rule

title: Potential Kapeka Decrypted Backdoor Indicator
id: 20228d05-dd68-435d-8b4e-e7e64938880c
status: experimental
description: |
    Detects the presence of a file that is the decrypted backdoor binary dropped by the Kapeka dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
    The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a ".wll" extension so that it poses as a legitimate file and evades detection.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2024/07/03
tags:
    - attack.defense_evasion
logsource:
    category: file_event
    product: windows
detection:
    selection_generic:
        TargetFilename|contains:
            - ':\ProgramData\'
            - '\AppData\Local\'
        TargetFilename|re: '\\[a-zA-Z]{5,6}\.wll'
    selection_specific:
        TargetFilename|endswith:
            - '\win32log.exe'
            - '\crdss.exe'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
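The following is an added example, not part of the rule or of the SigmaHQ project: a small Python re-implementation of the two selections above, run over constructed file_event records, so that an analyst can see which paths the rule fires on before deploying it. It mirrors Sigma's matching semantics as closely as plain Python allows: `contains` and `endswith` are case-insensitive, the `re` modifier is case-sensitive (no `i` sub-modifier is set in the rule), and `selection_generic` requires both the path fragment and the regex to match. The sample paths and the `evaluate` function name are constructed for illustration.

```python
import re

# Constructed approximation of the rule's two selections.
# Sigma's plain string modifiers (contains/endswith) match case-insensitively;
# the re modifier is case-sensitive unless the rule uses re|i, so the regex
# below is compiled without re.IGNORECASE on purpose.
GENERIC_PATH_FRAGMENTS = (":\\programdata\\", "\\appdata\\local\\")
GENERIC_NAME_RE = re.compile(r"\\[a-zA-Z]{5,6}\.wll")
SPECIFIC_SUFFIXES = ("\\win32log.exe", "\\crdss.exe")


def matches_generic(target_filename: str) -> bool:
    """selection_generic: path fragment AND file-name regex must both hold."""
    lowered = target_filename.lower()
    in_expected_dir = any(frag in lowered for frag in GENERIC_PATH_FRAGMENTS)
    return in_expected_dir and GENERIC_NAME_RE.search(target_filename) is not None


def matches_specific(target_filename: str) -> bool:
    """selection_specific: file name ends with one of the known dropper names."""
    lowered = target_filename.lower()
    return any(lowered.endswith(suffix) for suffix in SPECIFIC_SUFFIXES)


def evaluate(event: dict) -> list[str]:
    """Return the selections that fire for one file_event record.

    The rule's condition is '1 of selection_*', so any non-empty list is an alert.
    """
    target = event.get("TargetFilename", "")
    fired = []
    if matches_generic(target):
        fired.append("selection_generic")
    if matches_specific(target):
        fired.append("selection_specific")
    return fired


# Constructed sample file_event records (not real telemetry).
SAMPLE_EVENTS = [
    {"TargetFilename": r"C:\ProgramData\Microsoft\bakem.wll"},               # fires: generic
    {"TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\tovaru.wll"},  # fires: generic
    {"TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\bakem.wll"}, # Roaming is not covered
    {"TargetFilename": r"C:\ProgramData\Microsoft\abcdefg.wll"},             # 7 letters: no match
    {"TargetFilename": r"C:\ProgramData\Microsoft\bakem.wll.txt"},           # regex is not end-anchored
    {"TargetFilename": r"C:\Windows\Temp\win32log.exe"},                     # fires: specific
    {"TargetFilename": r"C:\ProgramData\Microsoft\Office\report.docx"},      # benign
]


def run_samples() -> dict[str, list[str]]:
    """Evaluate every constructed record and map path -> fired selections."""
    return {e["TargetFilename"]: evaluate(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for path, hits in run_samples().items():
        print(f"{'ALERT' if hits else 'ok   '} {path} {hits}")
```

Two things the samples make visible that are worth keeping in mind when tuning: the regex only requires a backslash, 5-6 letters and `.wll` somewhere in the path, so a name such as `bakem.wll.txt` still matches, and `\AppData\Roaming\` is outside the rule's scope because the rule follows the CSIDL_LOCAL_APPDATA location described above.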
