Kapeka Backdoor Persistence Activity
Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
Sigma rule (View on GitHub)
1title: Kapeka Backdoor Persistence Activity
2id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
3status: experimental
4description: |
5 Detects Kapeka backdoor persistence activity.
6 Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
7 For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
8 To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
9 Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
10references:
11 - https://labs.withsecure.com/publications/kapeka
12 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
13 - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
14author: Swachchhanda Shrawan Poudel
15date: 2024-07-03
16tags:
17 - attack.persistence
18 - attack.t1053.005
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection_schtasks_img:
24 - Image|endswith: '\schtasks.exe'
25 - OriginalFileName: 'schtasks.exe'
26 selection_schtasks_flags:
27 CommandLine|contains|all:
28 - 'create'
29 - 'ONSTART'
30 selection_reg_img:
31 - Image|endswith: '\reg.exe'
32 - OriginalFileName: 'reg.exe'
33 selection_reg_flags:
34 CommandLine|contains|all:
35 - 'add'
36 - '\Software\Microsoft\Windows\CurrentVersion\Run'
37 selection_backdoor_command:
38 CommandLine|contains|all:
39 - 'rundll32'
40 - '.wll'
41 - '#1'
42 CommandLine|contains:
43 - 'Sens Api'
44 - 'OneDrive' # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases
45 condition: (all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command
46falsepositives:
47 - Unlikely
48level: high
References
-
This report provides an in-depth technical analysis of the backdoor and its capabilities, and analyzes the connection between Kapeka and Sandworm group. The purpose of this report is to raise awareness amongst businesses, governments, and the broader security community. WithSecure has engaged governments and select customers with advanced copies of this report. In addition to the report, we are releasing several artifacts developed as a result of our research, including a registry-based & hardcoded configuration extractor, a script to decrypt and emulate the backdoor’s network communication, and as might be expected, a list of indicators of compromise, YARA rules, and MITRE ATT&CK mapping
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More -
Related rules
- Defrag Deactivation
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Important Scheduled Task Deleted/Disabled
- Kapeka Backdoor Scheduled Task Creation
- OilRig APT Activity