Russia-linked backdoor targets Eastern European networks

Cybersecurity researchers have detailed the operation of little-known Russian backdoor malware that has been used in attacks against victims in Eastern Europe since at least mid-2022.

The malware, labeled Kapeka, is likely linked to the hacker group Sandworm, operated by the Russian military intelligence service (GRU), according to Finnish cybersecurity company WithSecure. 

The company said in a report shared with Recorded Future News that the backdoor is likely an update to Sandworm’s arsenal for use in espionage campaigns and sabotage operations. Code like Kapeka is built to give hackers network access to deploy other malware.

The researchers also discovered overlaps between Kapeka and Sandworm’s other malicious tools.

For example, Kapeka was likely used in intrusions that led to the deployment of the Prestige ransomware in late 2022. According to previous reports, Sandworm-affiliated hackers deployed Prestige in a series of attacks targeting the transportation and logistics sectors in Ukraine and Poland.

It is possible, the researchers said, that Kapeka is a successor to Sandworm’s GreyEnergy malware, which itself was likely a replacement for the famous BlackEnergy strain used to insert malicious code into the Ukrainian power grid in 2015.

WithSecure said it found traces of Kapeka in mid-2023 while analyzing an attack on an Estonian logistics company that happened in late 2022.

Two additional samples of the backdoor were submitted to the VirusTotal repository, from Ukraine, in mid-2022 and mid-2023. The WithSecure researchers said they have “moderate confidence” that the submitters were victims of the malware infection.

Earlier this February, Microsoft discovered a backdoor with similar characteristics to Kapeka and named it KnuckleTouch. That report said the malware has been used since at least early to mid-2022 by Sandworm. WithSecure confirmed to Recorded Future News that KnuckleTouch and Kapeka are the same backdoor. 

Kapeka’s capabilities

According to the WithSecure report, Kapeka can serve as an early-stage toolkit for its operators and also provide long-term access to the targeted system.

Once deployed, the backdoor collects information about the infected machine and its user. It can also perform a list of tasks such as reading files from disks that are below 50 megabytes and sending this information back to hackers.

The malware can also launch payloads, execute shell commands, and upgrade its own functionality, potentially allowing the threat actor to first infect victims with a skeleton version of the backdoor and only drop a more complete version if the victim is deemed an appropriate target, researchers said.

Kapeka’s development and deployment possibly follow the ongoing war in Ukraine, according to the report. The backdoor was likely used in destructive attacks, including ransomware campaigns, against companies across Central and Eastern Europe.

The scarce mention of Kapeka in other research indicates that the malware has been used in limited-scope attacks since at least mid-2022, researchers said.

It's possible the group has a particular interest in targeting transportation and logistics companies. WithSecure initially discovered the backdoor in the networks of the company in Estonia, and the researchers also connected it to Prestige ransomware-style attacks on the logistics industry in Poland and Ukraine.

However, “due to the sparsity of data at the time of writing the infection vector, the threat actor, and the actor’s “actions on objectives” cannot be conclusively stated,” researchers said.

“It remains to be seen whether the developers and operators of Kapeka will evolve with newer versions of the tool or develop and use a new toolkit with threads of similarity to Kapeka, like those found between Kapeka and GreyEnergy, as well as GreyEnergy and BlackEnergy,” researchers said."