Kapeka Backdoor Loaded Via Rundll32.EXE

Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.

Sigma rule

title: Kapeka Backdoor Loaded Via Rundll32.EXE
id: a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c
status: experimental
description: |
    Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
    The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel
date: 2024/07/03
tags:
    - attack.execution
    - attack.t1204.002
    - attack.defense_evasion
    - attack.t1218.011
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ImageLoaded|contains:
            - ':\ProgramData'
            - '\AppData\Local\'
        ImageLoaded|re: '[a-zA-Z]{5,6}\.wll'
    condition: selection
falsepositives:
    - Unknown
level: high
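As an added illustration (not part of the rule above or of the Sigma project), the following Python transcribes the rule's `selection` block field by field and runs it over a handful of constructed Sysmon Event ID 7 (image load) records reduced to the `Image` and `ImageLoaded` fields. The event ids, user names and file paths are made up; Sigma's `endswith`/`contains` modifiers are treated as case-insensitive, as the Sigma specification defines them, while the `re` modifier is applied as written.

```python
import re
from typing import Dict, List

# Selection block of the Sigma rule above, transcribed value for value.
# Sigma's 'endswith' and 'contains' are case-insensitive; the 're' modifier
# is an unanchored, case-sensitive search, so it is compiled as written.
IMAGE_ENDSWITH = "\\rundll32.exe"
IMAGELOADED_CONTAINS = [":\\ProgramData", "\\AppData\\Local\\"]
IMAGELOADED_RE = re.compile(r"[a-zA-Z]{5,6}\.wll")


def matches_selection(event: Dict[str, str]) -> bool:
    """Return True when a single image_load event satisfies every field of 'selection'."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    # Image|endswith: '\rundll32.exe'
    if not image.lower().endswith(IMAGE_ENDSWITH.lower()):
        return False
    # ImageLoaded|contains: a list of values is OR-ed in Sigma
    if not any(s.lower() in loaded.lower() for s in IMAGELOADED_CONTAINS):
        return False
    # ImageLoaded|re: unanchored search, like Sigma's 're' modifier
    if not IMAGELOADED_RE.search(loaded):
        return False
    return True


def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Run the selection over a batch of events and return the ids that alert."""
    return [e["id"] for e in events if matches_selection(e)]


# Constructed sample events (made-up ids, users and paths) in the shape of
# Sysmon Event ID 7, keeping only the fields the rule inspects.
SAMPLE_EVENTS = [
    {   # rundll32 loading a .wll dropped under ProgramData: alerts
        "id": "evt-1",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "ImageLoaded": "C:\\ProgramData\\Microsoft\\Office\\abcdef.wll",
    },
    {   # rundll32 loading an ordinary system DLL: no alert
        "id": "evt-2",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "ImageLoaded": "C:\\Windows\\System32\\shell32.dll",
    },
    {   # a genuine Word add-in loaded by Word itself: no alert, Image differs
        "id": "evt-3",
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Word\\STARTUP\\mytools.wll",
    },
    {   # 32-bit rundll32 loading a .wll from a user's AppData\Local: alerts
        "id": "evt-4",
        "Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
        "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\xyzab.wll",
    },
    {   # .wll name too short for the regex's 5-6 letter run: no alert
        "id": "evt-5",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "ImageLoaded": "C:\\ProgramData\\ab.wll",
    },
]

if __name__ == "__main__":
    print("alerting events:", evaluate(SAMPLE_EVENTS))  # ['evt-1', 'evt-4']
```

The `Image` condition is what keeps a legitimate Word add-in (evt-3) quiet: a real `.wll` is loaded by `WINWORD.EXE`, not by `rundll32.exe`. Note also that the regex is an unanchored search, so any file name with a run of five or more letters directly before `.wll` satisfies it; only very short names such as `ab.wll` fall outside it.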
