Kapeka Backdoor Loaded Via Rundll32.EXE

Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.

Sigma rule

```yaml
title: Kapeka Backdoor Loaded Via Rundll32.EXE
id: a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c
status: experimental
description: |
    Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
    The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
    - attack.execution
    - attack.t1204.002
    - attack.defense-evasion
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ImageLoaded|contains:
            - ':\ProgramData'
            - '\AppData\Local\'
        ImageLoaded|re: '[a-zA-Z]{5,6}\.wll'
    condition: selection
falsepositives:
    - Unknown
level: high
```
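To show how the selection above evaluates against image_load telemetry (Sysmon Event ID 7 style records), here is an added Python re-implementation of the rule's three conditions; it is example code written for this page, not part of the Sigma rule or of any SigmaHQ tooling. The events are constructed, not real captures. It assumes the Sigma defaults that `endswith` and `contains` match case-insensitively while `re` is applied case-sensitively as an unanchored search.

```python
import re

# Constructed image_load events (Image = loading process, ImageLoaded = module).
# These are illustrative records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\abcde.wll"},          # 5 letters, ProgramData
    {"Image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\abcdef.wll"},  # 6 letters, AppData\Local
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},               # benign system DLL
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\abcde.wll"},  # real Word add-in
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\ProgramData\ab.wll"},                         # too short for the regex
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\ProgramData\abcdefghij.wll"},                 # longer name, still matches
]

# The three selection clauses, copied from the rule.
IMAGE_SUFFIX = "\\rundll32.exe"
LOADED_PATH_FRAGMENTS = (":\\ProgramData", "\\AppData\\Local\\")
LOADED_NAME_RE = re.compile(r"[a-zA-Z]{5,6}\.wll")


def matches_rule(event):
    """Return True when an image_load event satisfies the rule's selection."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    # Image|endswith (case-insensitive, per Sigma defaults)
    if not image.lower().endswith(IMAGE_SUFFIX.lower()):
        return False
    # ImageLoaded|contains: list values are OR-ed
    if not any(frag.lower() in loaded.lower() for frag in LOADED_PATH_FRAGMENTS):
        return False
    # ImageLoaded|re: unanchored, case-sensitive search
    return LOADED_NAME_RE.search(loaded) is not None


def run_rule(events):
    """Apply the rule to a list of events and return the matching ones."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["ImageLoaded"])
```

Two things worth noticing when tuning: the regex is not anchored to the file name, so any run of five or more letters immediately before `.wll` matches (the last constructed event fires even though its stem is ten letters long), and a genuine Word add-in loaded by WINWORD.EXE from the Roaming startup folder does not fire because both the `Image` and the `ImageLoaded` clauses must hold together.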
