Kapeka Backdoor Autorun Persistence

Aug 12, 2024 · attack.persistence attack.t1547.001 ·

Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.

Sigma rule (View on GitHub)

 1title: Kapeka Backdoor Autorun Persistence
 2id: c0c67b21-eb8a-4c84-a395-40473ec3b482
 3related:
 4    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
 5      type: similar
 6status: experimental
 7description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
 8references:
 9    - https://labs.withsecure.com/publications/kapeka
10    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
11author: Swachchhanda Shrawan Poudel
12date: 2024-07-03
13tags:
14    - attack.persistence
15    - attack.t1547.001
16logsource:
17    category: registry_set
18    product: windows
19detection:
20    selection:
21        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
22        TargetObject|endswith:
23            - '\Sens Api'
24            - '\OneDrive'
25        Details|contains|all:
26            - ':\WINDOWS\system32\rundll32.exe'
27            - '.wll'
28            - '#1'
29    condition: selection
30falsepositives:
31    - Unknown
32level: high

References

Kapeka: A novel backdoor spotted in Eastern Europe

This report provides an in-depth technical analysis of the backdoor and its capabilities, and analyzes the connection between Kapeka and Sandworm group. The purpose of this report is to raise awareness amongst businesses, governments, and the broader security community. WithSecure has engaged governments and select customers with advanced copies of this report. In addition to the report, we are releasing several artifacts developed as a result of our research, including a registry-based & hardcoded configuration extractor, a script to decrypt and emulate the backdoor’s network communication, and as might be expected, a list of indicators of compromise, YARA rules, and MITRE ATT&CK mapping

Read More
Analysis bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f (MD5: 50B5582904FE34451F5CB2362E11CB24) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

Read More

Kapeka Backdoor Autorun Persistence

Sigma rule (View on GitHub)

References

Kapeka: A novel backdoor spotted in Eastern Europe

Analysis bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f (MD5: 50B5582904FE34451F5CB2362E11CB24) Malicious activity - Interactive analysis ANY.RUN

Related rules