Kapeka Backdoor Execution Via RunDLL32.EXE

 1title: Kapeka Backdoor Execution Via RunDLL32.EXE
 2id: e98f741c-6a5b-4c83-bc2a-1f4e58d07b12
 3status: experimental
 4description: |
 5        Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
 6references:
 7    - https://labs.withsecure.com/publications/kapeka
 8    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 9author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
10date: 2024-07-03
11tags:
12    - attack.defense-evasion
13    - attack.t1218.011
14    - detection.emerging-threats
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith: '\rundll32.exe'
21        - OriginalFileName: 'RUNDLL32.EXE'
22    selection_backdoor_path:
23        CommandLine|contains:
24            - ':\ProgramData'
25            - '\AppData\Local'
26    selection_backdoor_exec_1:
27        CommandLine|contains|all:
28            - '.wll'
29            - '#1'
30            - ' -d'
31    selection_backdoor_exec_2:
32        # This account for the in the wild variant
33        CommandLine|contains: '.wll'
34        CommandLine|endswith: '#1'
35    condition: selection_img and selection_backdoor_path and 1 of selection_backdoor_exec_*
36falsepositives:
37    - Unknown
38level: high

References

• Kapeka: A novel backdoor spotted in Eastern Europe

  

  This report provides an in-depth technical analysis of the backdoor and its capabilities, and analyzes the connection between Kapeka and Sandworm group. The purpose of this report is to raise awareness amongst businesses, governments, and the broader security community. WithSecure has engaged governments and select customers with advanced copies of this report. In addition to the report, we are releasing several artifacts developed as a result of our research, including a registry-based & hardcoded configuration extractor, a script to decrypt and emulate the backdoor’s network communication, and as might be expected, a list of indicators of compromise, YARA rules, and MITRE ATT&CK mapping

  
  Read More

• Analysis bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f (MD5: 50B5582904FE34451F5CB2362E11CB24) Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

Related rules

• Kapeka Backdoor Loaded Via Rundll32.EXE
• Potential Raspberry Robin CPL Execution Activity
• APT29 2018 Phishing Campaign CommandLine Indicators
• APT29 2018 Phishing Campaign File Indicators
• Equation Group DLL_U Export Function Load