
Kapeka

Kapeka is a backdoor written in C++ used against victims in Eastern Europe since at least mid-2022. Kapeka has technical overlaps with Exaramel for Windows and Prestige malware variants, both of which are linked to Sandworm Team. Kapeka may have been used in advance of Prestige deployment in late 2022.(Citation: WithSecure Kapeka 2024)(Citation: Microsoft KnuckleTouch 2024)
ID: S1190
Associated Software: KnuckleTouch
Type: MALWARE
Platforms: Windows
Created: 06 Jan 2025
Last Modified: 11 Mar 2025

Associated Software Descriptions

Name Description
KnuckleTouch (Citation: Microsoft KnuckleTouch 2024)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Kapeka utilizes HTTP for command and control.(Citation: WithSecure Kapeka 2024)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Kapeka allows for arbitrary Windows command execution.(Citation: WithSecure Kapeka 2024)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Kapeka utilizes JSON objects to send and receive information from command and control nodes.(Citation: WithSecure Kapeka 2024)

Enterprise T1070 .009 Indicator Removal: Clear Persistence

Kapeka will clear registry values used for persistent configuration storage when uninstalled.(Citation: WithSecure Kapeka 2024)

Enterprise T1036 .008 Masquerading: Masquerade File Type

Kapeka masquerades as a Microsoft Word Add-In file, with the extension `.wll`, but is a malicious DLL file.(Citation: Microsoft KnuckleTouch 2024)(Citation: WithSecure Kapeka 2024)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Kapeka utilizes AES-256 (CBC mode), XOR, and RSA-2048 encryption schemes for its configuration and other objects.(Citation: WithSecure Kapeka 2024)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Kapeka persists via scheduled tasks.(Citation: Microsoft KnuckleTouch 2024)(Citation: WithSecure Kapeka 2024)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Kapeka is a Windows DLL file executed via ordinal by `rundll32.exe`.(Citation: Microsoft KnuckleTouch 2024)(Citation: WithSecure Kapeka 2024)

Groups That Use This Software

ID Name References
G0034 Sandworm Team (Citation: Microsoft KnuckleTouch 2024) (Citation: WithSecure Kapeka 2024)
