Commit
Merge PR #4831 from @swachchhanda000 - Add Kapeka backdoor related Sigma rules

new: Kapeka Backdoor Autorun Persistence
new: Kapeka Backdoor Configuration Persistence
new: Kapeka Backdoor Execution Via RunDLL32.EXE
new: Kapeka Backdoor Loaded Via Rundll32.EXE
new: Kapeka Backdoor Persistence Activity
new: Kapeka Backdoor Scheduled Task Creation
new: Potential Kapeka Decrypted Backdoor Indicator
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
1 parent 0511e57, commit 0bb6f0c
Showing 9 changed files with 270 additions and 3 deletions.
@@ -0,0 +1,17 @@ | ||
# Kapeka backdoor | ||
|
||
Kapeka has been used in assaults against people in Eastern Europe since at least the middle of 2022. Microsoft originally identified the [Kapeka backdoor](https://www.securityweek.com/kapeka-a-new-backdoor-in-sandworms-arsenal-of-aggression/). In a brief explanation released on February 14, 2024, Microsoft referred to this new backdoor as "KnuckleTouch" and linked it to a threat actor organization known as SeaShell Blizzard, which is also the name of the notorious Sandworm gang. | ||
|
||
However, it is the security firm [WithSecure](https://labs.withsecure.com/publications/kapeka) that has conducted an in-depth analysis of Kapeka. WithSecure believes that KnuckleTouch is indeed the same as Kapeka. Their assessment suggests that Kapeka is a tool used by an APT (Advanced Persistent Threat) group. | ||
|
||
Despite limited public knowledge about Kapeka, WithSecure has identified its use in specific incidents, particularly in regions like Estonia and Ukraine. Kapeka’s stealth mechanisms allow it to maintain persistence and evade detection. If successfully delivered, it can serve as a powerful tool for long-term cyberespionage. | ||
|
||
## Rules | ||
|
||
- [Potential Kapeka Decrypted Backdoor Indicator](./file_event_win_malware_kapeka_backdoor_indicators.yml) | ||
- [Kapeka Backdoor Loaded Via Rundll32.EXE](./image_load_malware_kapeka_backdoor_wll.yml) | ||
- [Kapeka Backdoor Persistence Activity](./proc_creation_win_malware_kapeka_backdoor_persistence.yml) | ||
- [Kapeka Backdoor Execution Via RunDLL32.EXE](./proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml) | ||
- [Kapeka Backdoor Autorun Persistence](./registry_set_malware_kapeka_backdoor_autorun_persistence.yml) | ||
- [Kapeka Backdoor Configuration Persistence](./registry_set_malware_kapeka_backdoor_configuration.yml) | ||
- [Kapeka Backdoor Scheduled Task Creation](./win_security_malware_kapeka_backdoor_scheduled_task_creation.yml) |
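Review bot: The first paragraph says Microsoft "originally identified" the backdoor but links a SecurityWeek article rather than Microsoft's own write-up; either cite the Microsoft source directly or drop the "originally identified" claim so the attribution is traceable. The wording "assaults against people in Eastern Europe" and "the notorious Sandworm gang" is informal for a rule README; "targeting entities in Eastern Europe" and "the Sandworm group" would read as documentation. The sentence "Their assessment suggests that Kapeka is a tool used by an APT (Advanced Persistent Threat) group" adds nothing after the SeaShell Blizzard/Sandworm attribution two sentences earlier and can go.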
...merging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml (30 changes: 30 additions & 0 deletions)
@@ -0,0 +1,30 @@ | ||
title: Potential Kapeka Decrypted Backdoor Indicator | ||
id: 20228d05-dd68-435d-8b4e-e7e64938880c | ||
status: experimental | ||
description: | | ||
Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. | ||
The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection. | ||
references: | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) | ||
date: 2024/07/03 | ||
tags: | ||
- attack.defense_evasion | ||
logsource: | ||
category: file_event | ||
product: windows | ||
detection: | ||
selection_generic: | ||
TargetFilename|contains: | ||
- ':\ProgramData\' | ||
- '\AppData\Local\' | ||
TargetFilename|re: '\\[a-zA-Z]{5,6}\.wll' | ||
selection_specific: | ||
TargetFilename|endswith: | ||
- '\win32log.exe' | ||
- '\crdss.exe' | ||
condition: 1 of selection_* | ||
falsepositives: | ||
- Unknown | ||
level: high |
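Review bot: The description says the decrypted backdoor lives in a folder named "Microsoft" under ProgramData or Local AppData, but `selection_generic` only requires `:\ProgramData\` or `\AppData\Local\` plus the `\\[a-zA-Z]{5,6}\.wll` regex, so any five- or six-letter `.wll` anywhere under either tree will fire; either add `\Microsoft\` to the path constraint or reword the description to match what is actually checked. The regex is also not end-anchored, so `\abcde.wllx` would match; appending `$` fixes that. `win32log.exe` and `crdss.exe` in `selection_specific` are not explained anywhere in the description; add a sentence saying what they are and which reference documents them. Minor: "a file that is decrypted backdoor binary" should read "the decrypted backdoor binary", and since the rule keys on a file posing as a legitimate add-in a T1036 masquerading tag would fit alongside `attack.defense_evasion`.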
rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml (30 changes: 30 additions & 0 deletions)
@@ -0,0 +1,30 @@ | ||
title: Kapeka Backdoor Loaded Via Rundll32.EXE | ||
id: a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c | ||
status: experimental | ||
description: | | ||
Detects the Kapeka Backdoor binary being loaded by rundll32.exe. | ||
The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In. | ||
references: | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
author: Swachchhanda Shrawan Poudel | ||
date: 2024/07/03 | ||
tags: | ||
- attack.execution | ||
- attack.t1204.002 | ||
- attack.defense_evasion | ||
- attack.t1218.011 | ||
logsource: | ||
category: image_load | ||
product: windows | ||
detection: | ||
selection: | ||
Image|endswith: '\rundll32.exe' | ||
ImageLoaded|contains: | ||
- ':\ProgramData' | ||
- '\AppData\Local\' | ||
ImageLoaded|re: '[a-zA-Z]{5,6}\.wll' | ||
condition: selection | ||
falsepositives: | ||
- Unknown | ||
level: high |
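Review bot: `ImageLoaded|re: '[a-zA-Z]{5,6}\.wll'` has no leading `\\`, unlike the regex in the file_event rule in this PR, so it matches any `.wll` whose stem ends in at least five letters (a long legitimate Word add-in name included) rather than only five- or six-letter names; use `'\\[a-zA-Z]{5,6}\.wll'` so both rules agree. Likewise `':\ProgramData'` drops the trailing backslash that the file_event rule uses (`':\ProgramData\'`). The `attack.t1204.002` tag (user execution of a malicious file) does not describe rundll32 loading a DLL from an image_load event; `attack.t1218.011` alone covers the behaviour the rule sees.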
...ing-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml (48 changes: 48 additions & 0 deletions)
@@ -0,0 +1,48 @@ | ||
title: Kapeka Backdoor Persistence Activity | ||
id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819 | ||
status: experimental | ||
description: | | ||
Detects Kapeka backdoor persistence activity. | ||
Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). | ||
For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. | ||
To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. | ||
Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument. | ||
references: | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
- https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior | ||
author: Swachchhanda Shrawan Poudel | ||
date: 2024/07/03 | ||
tags: | ||
- attack.persistence | ||
- attack.t1053.005 | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection_schtasks_img: | ||
- Image|endswith: '\schtasks.exe' | ||
- OriginalFileName: 'schtasks.exe' | ||
selection_schtasks_flags: | ||
CommandLine|contains|all: | ||
- 'create' | ||
- 'ONSTART' | ||
selection_reg_img: | ||
- Image|endswith: '\reg.exe' | ||
- OriginalFileName: 'reg.exe' | ||
selection_reg_flags: | ||
CommandLine|contains|all: | ||
- 'add' | ||
- '\Software\Microsoft\Windows\CurrentVersion\Run' | ||
selection_backdoor_command: | ||
CommandLine|contains|all: | ||
- 'rundll32' | ||
- '.wll' | ||
- '#1' | ||
CommandLine|contains: | ||
- 'Sens Api' | ||
- 'OneDrive' # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases | ||
condition: (all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command | ||
falsepositives: | ||
- Unlikely | ||
level: high |
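Review bot: The `selection_reg_*` branch (reg.exe adding a value under `\Software\Microsoft\Windows\CurrentVersion\Run`) is Run-key persistence, yet `tags` lists only `attack.t1053.005`; add `attack.t1547.001` so the tagging matches the registry_set autorun rule in this PR. The description says the entry is written under `HKCU`, while the pattern also matches `HKLM\...\Run`; that is fine for coverage but should be stated so the wider scope is deliberate. Minor wording: "the Kapeka dropper then sets persistence" has a dangling "then", and `condition` could quote the `#1` ordinal once in the description as `"#1"` so it is not read as a YAML comment by a casual reader.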
...eats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml (37 changes: 37 additions & 0 deletions)
@@ -0,0 +1,37 @@ | ||
title: Kapeka Backdoor Execution Via RunDLL32.EXE | ||
id: e98f741c-6a5b-4c83-bc2a-1f4e58d07b12 | ||
status: experimental | ||
description: | | ||
Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument. | ||
references: | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) | ||
date: 2024/07/03 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1218.011 | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection_img: | ||
- Image|endswith: '\rundll32.exe' | ||
- OriginalFileName: 'RUNDLL32.EXE' | ||
selection_backdoor_path: | ||
CommandLine|contains: | ||
- ':\ProgramData' | ||
- '\AppData\Local' | ||
selection_backdoor_exec_1: | ||
CommandLine|contains|all: | ||
- '.wll' | ||
- '#1' | ||
- ' -d' | ||
selection_backdoor_exec_2: | ||
# This account for the in the wild variant | ||
CommandLine|contains: '.wll' | ||
CommandLine|endswith: '#1' | ||
condition: selection_img and selection_backdoor_path and 1 of selection_backdoor_exec_* | ||
falsepositives: | ||
- Unknown | ||
level: high |
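Review bot: The comment "This account for the in the wild variant" above `selection_backdoor_exec_2` should read "This accounts for the in-the-wild variant" and should say how that variant differs from `selection_backdoor_exec_1` (a command line that ends in `#1` with no `-d` switch), otherwise the two selections look interchangeable. In the description, "where the dropper launch the backdoor binary" should be "launches". The `' -d'` substring also matches any longer switch beginning with `-d`; the `.wll` and `#1` constraints make that acceptable, but a comment noting it would help tuning. The author field credits Nasreddine Bencherchali here but not in the other process_creation rule despite the Co-authored-by trailer on the commit; align the author lines.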
...-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml (32 changes: 32 additions & 0 deletions)
@@ -0,0 +1,32 @@ | ||
title: Kapeka Backdoor Autorun Persistence | ||
id: c0c67b21-eb8a-4c84-a395-40473ec3b482 | ||
related: | ||
- id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819 | ||
type: similar | ||
status: experimental | ||
description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence. | ||
references: | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
author: Swachchhanda Shrawan Poudel | ||
date: 2024/07/03 | ||
tags: | ||
- attack.persistence | ||
- attack.t1547.001 | ||
logsource: | ||
category: registry_set | ||
product: windows | ||
detection: | ||
selection_base: | ||
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | ||
TargetObject|endswith: | ||
- '\Sens Api' | ||
- '\OneDrive' | ||
Details|contains|all: | ||
- ':\WINDOWS\system32\rundll32.exe' | ||
- '.wll' | ||
- '#1' | ||
condition: all of selection_* | ||
falsepositives: | ||
- Unknown | ||
level: high |
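Review bot: `Details|contains|all` hard-codes `':\WINDOWS\system32\rundll32.exe'`, which misses a value written with a SysWOW64 path or a bare `rundll32.exe`, both of which the related process_creation rule (64a871dd) would accept through `CommandLine|contains: 'rundll32'`; relax it to `'\rundll32.exe'` so the two rules cover the same command. With a single selection, `condition: all of selection_*` can simply be `condition: selection`. The description says "a new value in the Autorun key" but does not name the two value names the rule keys on (`Sens Api`, `OneDrive`); stating them there, as the process_creation rule does, makes the rule self-explanatory.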
...erging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml (28 changes: 28 additions & 0 deletions)
@@ -0,0 +1,28 @@ | ||
title: Kapeka Backdoor Configuration Persistence | ||
id: cbaa3ef3-07a9-4c8e-82d1-9e40578da7fd | ||
status: experimental | ||
description: | | ||
Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. | ||
The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence. | ||
references: | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
author: Swachchhanda Shrawan Poudel | ||
date: 2024/07/03 | ||
tags: | ||
- attack.persistence | ||
- attack.defense_evasion | ||
- attack.t1553.003 | ||
logsource: | ||
category: registry_set | ||
product: windows | ||
detection: | ||
selection: | ||
TargetObject|contains: '\SOFTWARE\Microsoft\Cryptography\Providers\{' | ||
TargetObject|endswith: '\Seed' | ||
filter_main_empty: | ||
Details|contains: '(Empty)' | ||
condition: selection and not 1 of filter_main_* | ||
falsepositives: | ||
- Unknown | ||
level: medium |
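Review bot: The detection requires a GUID-named subkey (`\Cryptography\Providers\{`) and excludes `(Empty)` values through `filter_main_empty`, but the description only says a value called "Seed" is stored under "\Cryptography\Providers\"; document both the GUID subkey and why the empty value is filtered (the initial creation of the value without data) so the rule can be tuned without reading the reference. The claim that the backdoor "register[s] a new SIP provider" is not something the detection observes, which only sees a `Seed` value being set; tie it to the WithSecure reference or soften it. `falsepositives: Unknown` at level medium should at least say whether legitimate providers writing a `Seed` value under this key were considered.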
...eats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml (43 changes: 43 additions & 0 deletions)
@@ -0,0 +1,43 @@ | ||
title: Kapeka Backdoor Scheduled Task Creation | ||
id: 6c130acd-0adb-4545-bcc4-2e85d0883c9a | ||
related: | ||
- id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819 | ||
type: similar | ||
status: experimental | ||
description: Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc. | ||
references: | ||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
- https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior | ||
author: Swachchhanda Shrawan Poudel | ||
date: 2024/07/03 | ||
tags: | ||
- attack.execution | ||
- attack.privilege_escalation | ||
- attack.persistence | ||
- attack.t1053.005 | ||
logsource: | ||
product: windows | ||
service: security | ||
definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to trigger this detection.' | ||
detection: | ||
selection_eid: | ||
EventID: 4698 | ||
selection_paths: | ||
TaskContent|contains: | ||
- ':\ProgramData\' | ||
- '\AppData\Local\' | ||
selection_command: | ||
TaskContent|contains|all: | ||
- 'rundll32' | ||
- '.wll' | ||
- '#1' | ||
selection_taskname: | ||
TaskContent|contains: | ||
- 'OneDrive' # The scheduled task was called “OneDrive” instead of “Sens Api” in some cases | ||
- 'Sens Api' | ||
condition: all of selection_* | ||
falsepositives: | ||
- Unknown | ||
level: high |
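Review bot: `selection_taskname` matches `'OneDrive'` anywhere in `TaskContent`, which on its own is far too generic; a comment should make clear that the `rundll32` / `.wll` / `#1` constraints in `selection_command` are what keep the rule specific, and the `'Sens Api'` / `'OneDrive'` order should match the process_creation persistence rule for easier diffing. Typo in the description: "commands line flags" should be "command-line flags". The OneDrive comment uses curly quotes (“OneDrive”, “Sens Api”) while the identical comment in the persistence process_creation rule uses straight quotes; pick one.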