Capibar

Malware updated 5 months ago (2024-05-04T19:10:37.517Z)
Download STIX
Preview STIX
Capibar, a new malware identified as part of the arsenal of the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, or Snake), has been used in recent cyberattacks. This group, linked to the Russian Federal Security Service (FSB) and active since at least 2004, has deployed Capibar alongside other tools such as Kazuar, Snake, QUIETCANARY/Tunnus, Crutch, ComRAT, Carbon, HyperStack, and TinyTurla. The Ukrainian Computer Emergency Response Team (CERT-UA) reported in July 2023 that Turla was using Capibar and Kazuar for espionage attacks on Ukrainian defense assets. Notably, Capibar is unique in its ability to transform Microsoft Exchange servers into command and control servers. In these targeted attacks, Capibar serves as a first-stage backdoor, while other tools like Kazuar are used for additional stages of the attack. The multi-staged delivery mechanism of Kazuar, along with other tools such as Capibar, was unveiled by a recent campaign reported by CERT-UA. In this specific campaign, Capibar was primarily used for intelligence gathering, while Kazuar performed credential theft. The scheduled task downloads the Capibar malware for the deployment of malicious payloads and execution of received commands. Both Microsoft Threat Intelligence and CERT-UA have issued warnings about Turla's recent attacks targeting the defense industry and Microsoft Exchange servers using Capibar, also known as DeliveryCheck and Gameday. Alerts for prevention and detection have been raised for each malware type, including Capibar and Kazuar. It is essential to remain vigilant against these threats, which can infiltrate systems through suspicious downloads, emails, or websites, potentially leading to significant data loss, operational disruption, or personal information theft.
Description last updated: 2024-05-04T17:08:12.303Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Kazuar is a possible alias for Capibar. Kazuar is a sophisticated multiplatform trojan horse malware that has been associated with the Russian-based threat group Turla, also known as Pensive Ursa, Uroburos, or Snake. This group, believed to be linked to the Russian Federal Security Service (FSB), has been operating since at least 2004 and
5
Deliverycheck is a possible alias for Capibar. DeliveryCheck is a novel .NET-based malware that has been identified by Microsoft's Threat Intelligence as being used in targeted attacks against the defense sector in Ukraine and Eastern Europe. The threat actor behind these attacks is known as Secret Blizzard (also referred to as KRYPTON or UAC-00
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Scheduled Task
Espionage
Microsoft
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Turla Threat Actor is associated with Capibar. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (Unspecified
3
Source Document References
Information about the Capibar Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more