Kapeka

Malware updated 23 days ago (2024-11-29T13:34:42.745Z)
Download STIX
Preview STIX
Kapeka is a previously unknown malware that operates as a backdoor into systems, linked to the Russian Sandworm Advanced Persistent Threat (APT) group. The malicious software can infiltrate a system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operations, steal personal information, or even hold data hostage for ransom. Kapeka is a DLL file with a masqueraded extension to make it appear legitimate, and it contains a dropper that will launch a backdoor on a victim’s machine and then remove itself. There are several similarities and differences between Kapeka and other known malwares such as GreyEnergy. For instance, while GreyEnergy utilizes Windows Management Instrumentation (WMI) to fingerprint victims, Kapeka uses Windows API and registry. In terms of persistence, Kapeka maintains its command and control (C2) configuration via the registry, whereas GreyEnergy does so via an on-disk file. The developers and operators of Kapeka may evolve the tool with newer versions or develop a new toolkit with threads of similarity to Kapeka, such as conceptual overlaps or code re-use, like those found between Kapeka and GreyEnergy. This suggests that Kapeka could be used in future attacks with similar strategies as seen in previous GreyEnergy and Prestige ransomware attacks. Thus, organizations need to stay vigilant and maintain robust cybersecurity measures to counter this threat.
Description last updated: 2024-08-14T08:47:35.379Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Prestige is a possible alias for Kapeka. Prestige is a malicious software (malware) that has been linked to several disruptive cyberattacks. In October 2022, the malware was used in ransomware attacks against Ukrainian and Polish logistics companies. These attacks were attributed to Sandworm, an advanced persistent threat (APT) group belie
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Windows
Dropper
Vulnerability
Apt
Ukraine
Malware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The BlackEnergy Malware is associated with Kapeka. BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks ais related to
4
The GreyEnergy Malware is associated with Kapeka. GreyEnergy is a type of malware, or malicious software, designed to exploit and damage computer systems. It is believed to have been used in attacks on Ukraine's power grid in 2018 by the Russia-linked Advanced Persistent Threat (APT) group, Sandworm. Security firm WithSecure has identified overlapsis related to
4
The Prestige Ransomware Malware is associated with Kapeka. In October 2022, a new strain of ransomware known as Prestige was reported by Microsoft. This malware had not been observed by Microsoft prior to its deployment and was found targeting transportation and logistics organizations in Ukraine and Poland. Prestige ransomware infects systems through suspiUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Sandworm Threat Actor is associated with Kapeka. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which cis related to
4
Source Document References
Information about the Kapeka Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
4 months ago
Securityaffairs
5 months ago
InfoSecurity-magazine
8 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
7 months ago
Securityaffairs
8 months ago
Securityaffairs
8 months ago
BankInfoSecurity
8 months ago
Securityaffairs
8 months ago
BankInfoSecurity
8 months ago
BankInfoSecurity
8 months ago
Securityaffairs
8 months ago
DARKReading
8 months ago
BankInfoSecurity
8 months ago