Kapeka

Malware updated 3 months ago (2024-08-14T09:22:31.288Z)

Download STIX

Preview STIX

Kapeka is a previously unknown malware that operates as a backdoor into systems, linked to the Russian Sandworm Advanced Persistent Threat (APT) group. The malicious software can infiltrate a system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operations, steal personal information, or even hold data hostage for ransom. Kapeka is a DLL file with a masqueraded extension to make it appear legitimate, and it contains a dropper that will launch a backdoor on a victim’s machine and then remove itself. There are several similarities and differences between Kapeka and other known malwares such as GreyEnergy. For instance, while GreyEnergy utilizes Windows Management Instrumentation (WMI) to fingerprint victims, Kapeka uses Windows API and registry. In terms of persistence, Kapeka maintains its command and control (C2) configuration via the registry, whereas GreyEnergy does so via an on-disk file. The developers and operators of Kapeka may evolve the tool with newer versions or develop a new toolkit with threads of similarity to Kapeka, such as conceptual overlaps or code re-use, like those found between Kapeka and GreyEnergy. This suggests that Kapeka could be used in future attacks with similar strategies as seen in previous GreyEnergy and Prestige ransomware attacks. Thus, organizations need to stay vigilant and maintain robust cybersecurity measures to counter this threat.

Description last updated: 2024-08-14T08:47:35.379Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Prestige is a possible alias for Kapeka. Prestige is a malicious software (malware) that has been linked to several disruptive cyberattacks. In October 2022, the malware was used in ransomware attacks against Ukrainian and Polish logistics companies. These attacks were attributed to Sandworm, an advanced persistent threat (APT) group belie	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Windows

Dropper

Vulnerability

Apt

Ukraine

Malware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The BlackEnergy Malware is associated with Kapeka. BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a	is related to	4
The GreyEnergy Malware is associated with Kapeka. GreyEnergy is a type of malware, or malicious software, designed to exploit and damage computer systems. It is believed to have been used in attacks on Ukraine's power grid in 2018 by the Russia-linked Advanced Persistent Threat (APT) group, Sandworm. Security firm WithSecure has identified overlaps	is related to	4
The Prestige Ransomware Malware is associated with Kapeka. In October 2022, a new strain of ransomware known as Prestige was reported by Microsoft. This malware had not been observed by Microsoft prior to its deployment and was found targeting transportation and logistics organizations in Ukraine and Poland. Prestige ransomware infects systems through suspi	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Sandworm Threat Actor is associated with Kapeka. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c	is related to	4

Source Document References

Information about the Kapeka Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	3 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
InfoSecurity-magazine	7 months ago	Russian Sandworm Group Using Novel Backdoor to Target Ukraine and Allies
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 2
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	5 months ago	Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	6 months ago	Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity	7 months ago	Ukrainian Energy Sector Under Cyber Siege by Russian Hackers
Securityaffairs	7 months ago	Security Affairs newsletter Round 468 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity	7 months ago	Breach Roundup: LabHost Phishing-as-a-Service Site Goes Down
BankInfoSecurity	7 months ago	Breach Roundup: LabHost Goes Down
Securityaffairs	7 months ago	Previously unknown Kapeka backdoor linked to Sandworm APT
DARKReading	7 months ago	Dangerous New ICS Malware Targets Orgs in Russia and Ukraine
BankInfoSecurity	7 months ago	Likely Sandworm Hackers Using Novel Backdoor 'Kapeka'