Potential Kapeka Decrypted Backdoor Indicator
Detects the presence of a file that is the decrypted backdoor binary dropped by the Kapeka dropper. The dropper writes it as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a ".wll" extension so that it poses as a legitimate file and evades detection.
Sigma rule
title: Potential Kapeka Decrypted Backdoor Indicator
id: 20228d05-dd68-435d-8b4e-e7e64938880c
status: experimental
description: |
    Detects the presence of a file that is the decrypted backdoor binary dropped by the Kapeka dropper. The dropper writes it as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
    The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a ".wll" extension so that it poses as a legitimate file and evades detection.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-03
tags:
    - attack.defense-evasion
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection_generic:
        TargetFilename|contains:
            - ':\ProgramData\'
            - '\AppData\Local\'
        TargetFilename|re: '\\[a-zA-Z]{5,6}\.wll'
    selection_specific:
        TargetFilename|endswith:
            - '\win32log.exe'
            - '\crdss.exe'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
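To see what the two selections actually fire on, here is an added Python example (not part of the rule or of the SigmaHQ project) that reimplements the rule's matching logic with Sigma's default string semantics, `contains` and `endswith` case-insensitive and `re` case-sensitive, and runs it over a handful of constructed Sysmon Event ID 11 file-creation records. It makes two properties of the rule visible: the selection is broader than the description, because it does not require the "Microsoft" folder, and the regular expression is anchored on neither side, so a name such as `abcde.wll.tmp` under `ProgramData` still matches while an upper-case `.WLL` extension does not unless the backend normalises case. All paths and event records below are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Matching terms copied from the rule above.
# Sigma's contains/endswith modifiers are case-insensitive; the re modifier
# is case-sensitive unless written as re|i, so it is applied to the raw value.
GENERIC_CONTAINS = (":\\ProgramData\\", "\\AppData\\Local\\")
GENERIC_RE = re.compile(r"\\[a-zA-Z]{5,6}\.wll")
SPECIFIC_ENDSWITH = ("\\win32log.exe", "\\crdss.exe")


def selection_generic(target: str) -> bool:
    """Both field conditions of selection_generic must hold (implicit AND)."""
    lowered = target.lower()
    in_dir = any(term.lower() in lowered for term in GENERIC_CONTAINS)
    return in_dir and GENERIC_RE.search(target) is not None


def selection_specific(target: str) -> bool:
    """selection_specific: the two fixed file names, any directory."""
    lowered = target.lower()
    return any(lowered.endswith(term.lower()) for term in SPECIFIC_ENDSWITH)


def matches(target: str) -> bool:
    """condition: 1 of selection_*"""
    return selection_generic(target) or selection_specific(target)


@dataclass
class FileEvent:
    """Minimal Sysmon file event; category file_event maps to Event ID 11 (FileCreate)."""
    event_id: int
    image: str
    target_filename: str


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[FileEvent] = [
    # six random letters under CSIDL_COMMON_APPDATA\Microsoft: hit
    FileEvent(11, r"C:\Windows\Temp\dropper.exe", r"C:\ProgramData\Microsoft\kabeva.wll"),
    # five random letters under CSIDL_LOCAL_APPDATA\Microsoft: hit
    FileEvent(11, r"C:\Users\alice\Downloads\dropper.exe",
              r"C:\Users\alice\AppData\Local\Microsoft\oxira.wll"),
    # seven letters: the regex needs exactly 5-6 letters between "\" and ".wll", no hit
    FileEvent(11, r"C:\Windows\Temp\dropper.exe", r"C:\ProgramData\Microsoft\abcdefg.wll"),
    # Word add-in in the Roaming STARTUP folder: neither directory term matches, no hit
    FileEvent(11, r"C:\Users\bob\Downloads\setup.exe",
              r"C:\Users\bob\AppData\Roaming\Microsoft\Word\STARTUP\addin.wll"),
    # fixed name from selection_specific: hit regardless of directory
    FileEvent(11, r"C:\Windows\Temp\dropper.exe", r"C:\Windows\Temp\win32log.exe"),
    # the regex is not anchored at the end, so a trailing suffix still hits
    FileEvent(11, r"C:\Windows\Temp\dropper.exe", r"C:\ProgramData\Microsoft\abcde.wll.tmp"),
    # upper-case extension: re is case-sensitive as written, no hit
    FileEvent(11, r"C:\Windows\Temp\dropper.exe", r"C:\ProgramData\Microsoft\ABCDEF.WLL"),
    # same path as the first event but a FileDelete (ID 23): outside the logsource
    FileEvent(23, r"C:\Windows\Temp\dropper.exe", r"C:\ProgramData\Microsoft\kabeva.wll"),
]


def hunt(events: List[FileEvent]) -> List[str]:
    """Return the TargetFilename of every FileCreate event the rule would alert on."""
    return [e.target_filename for e in events
            if e.event_id == 11 and matches(e.target_filename)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Run as-is it prints four alerts: the two randomly named `.wll` files, `win32log.exe`, and the `abcde.wll.tmp` case. If the trailing-suffix behaviour is unwanted in a given backend, anchoring the expression with `$` is the obvious tightening, at the cost of missing any future variant that appends to the name.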
Related rules
- DLL Names Used By SVR For GraphicalProton Backdoor
- Forest Blizzard APT - File Creation Activity
- Forest Blizzard APT - Process Creation Activity
- Kapeka Backdoor Configuration Persistence
- Kapeka Backdoor Execution Via RunDLL32.EXE