Insights, news, education and announcements from PolySwarm

VooDoo Bear's Kapeka Backdoor Targets Critical Infrastructure

Written by The Hivemind | Apr 26, 2024 6:28:37 PM

Related Families: GreyEnergy, Prestige
Verticals Targeted: Critical Infrastructure

Executive Summary

Kapeka, also known as KnuckleTouch, is a novel backdoor used by VooDoo Bear to target entities in Eastern Europe.

Key Takeaways

  • Kapeka, also known as KnuckleTouch, is a novel backdoor used by VooDoo Bear to target entities in Eastern Europe.
  • Kapeka is a flexible backdoor written in C++. 
  • Kapeka allows the threat actors to use it as an early stage toolkit, while also providing long term persistence to the victim network. 
  • Kapeka was likely created to target the opposition in the ongoing Russia-Ukraine conflict.
  • Kapeka is likely a successor to GreyEnergy.
  • VooDoo Bear is a Russia nexus threat actor group thought to be affiliated with GRU Unit 74455.

What is Kapeka?

Kapeka, also known as KnuckleTouch, is a novel backdoor used by VooDoo Bear to target entities in Eastern Europe. Kapeka was active as early as mid-2022 and was used in a limited number of presumably targeted attacks. WithSecure recently reported on Kapeka. 

Kapeka, which means “little stork” in Russian,  is a flexible backdoor written in C++. It allows the threat actors to use it as an early stage toolkit, while also providing long term persistence to the victim network. Kapeka’s dropper is a 32-bit Windows executable that drops and launches the backdoor on a victim machine. The dropper also sets up persistence by creating a scheduled task or autorun registry. Finally, the dropper removes itself from the system. 

The backdoor, which is a DLL, targets both 32-bit and 64-bit Windows environments. It gathers information and fingerprints the user and the machine, then sends the information to the threat actor-controlled C2. The backdoor uses a multi-threaded approach, and leverages event objects for data synchronization and signaling across threads.

WithSecure noted overlaps between Kapeka and other tools in VooDoo Bear’s arsenal, including GreyEnergy and Prestige ransomware. Kapeka was likely created to target the opposition in the ongoing Russia-Ukraine conflict. It is possible Kapeka was used to deploy Prestige ransomware. WithSecure also noted Kapeka is likely a successor to GreyEnergy, which was the successor to BlackEnergy. 

Who is VooDoo Bear?

VooDoo Bear, also known as Sandworm, BlackEnergy, Seashell Blizzard, Quedagh, Telebots, and Iron Viking, is a Russia nexus threat actor group active since at least 2011. The group is thought to be affiliated with GRU Unit 74455. VooDoo Bear has a history of attacks targeting ICS and critical infrastructure systems. They were allegedly responsible for the 2015 and 2016 cyberattacks on the Ukrainian power grid, the 2017 NotPetya attacks, and Cyclops Blink.

VooDoo Bear TTPs include but are not limited to phishing, password spraying, masquerading as other threat actors, credential dumping, defacement, wipers, BlackEnergy, GreyEnergy, GCat, NotPetya, VPNFilter, CHEMISTGAMES, Exaramel, Olympic Destroyer, PassKillDisk, Cyclops Blink, CaddyWiper, ORCSHRED, SOLOSHRED, AWFULSHRED, Industroyer, Industroyer2, Prestige ransomware, and AcidPour. 

IOCs

PolySwarm has multiple samples of Kapeka.

 

bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f

272cfaebf22e0f6a34c0a93b7c9c5b67c725947ba0f17e60ed67dbf6e1602043

f30b9f6e913798ca52154c88725ee262a7bf92fe7caac1ae2e5147e457b9b08a

 

You can use the following CLI command to search for all Kapeka samples in our portal:

$ polyswarm link list -f Kapeka

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.