Kapeka Backdoor Persistence Activity
Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
Sigma rule (View on GitHub)
1title: Kapeka Backdoor Persistence Activity
2id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
3status: test
4description: |
5 Detects Kapeka backdoor persistence activity.
6 Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
7 For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
8 To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
9 Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
10references:
11 - https://labs.withsecure.com/publications/kapeka
12 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
13 - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
14author: Swachchhanda Shrawan Poudel
15date: 2024-07-03
16tags:
17 - attack.privilege-escalation
18 - attack.execution
19 - attack.persistence
20 - attack.t1053.005
21 - detection.emerging-threats
22logsource:
23 category: process_creation
24 product: windows
25detection:
26 selection_schtasks_img:
27 - Image|endswith: '\schtasks.exe'
28 - OriginalFileName: 'schtasks.exe'
29 selection_schtasks_flags:
30 CommandLine|contains|all:
31 - 'create'
32 - 'ONSTART'
33 selection_reg_img:
34 - Image|endswith: '\reg.exe'
35 - OriginalFileName: 'reg.exe'
36 selection_reg_flags:
37 CommandLine|contains|all:
38 - 'add'
39 - '\Software\Microsoft\Windows\CurrentVersion\Run'
40 selection_backdoor_command:
41 CommandLine|contains|all:
42 - 'rundll32'
43 - '.wll'
44 - '#1'
45 CommandLine|contains:
46 - 'Sens Api'
47 - 'OneDrive' # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases
48 condition: (all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command
49falsepositives:
50 - Unlikely
51level: high
References
-
This report provides an in-depth technical analysis of the backdoor and its capabilities, and analyzes the connection between Kapeka and Sandworm group. The purpose of this report is to raise awareness amongst businesses, governments, and the broader security community. WithSecure has engaged governments and select customers with advanced copies of this report. In addition to the report, we are releasing several artifacts developed as a result of our research, including a registry-based & hardcoded configuration extractor, a script to decrypt and emulate the backdoor’s network communication, and as might be expected, a list of indicators of compromise, YARA rules, and MITRE ATT&CK mapping
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More -
Related rules
- ChromeLoader Malware Execution
- Defrag Deactivation
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security