Kapeka: Novel malware from Russia?

Reports of a new type of "Kapeka" malware are popping up everywhere. However, it is not new at all and has not been active for almost a year.

[Image: The search returns spam, malware and scams. (Image created with AI in Bing Designer by heise online / dmk)]

This article was originally published in German and has been automatically translated.

"New Russian cyber weapon", "New Windows backdoor via Word add-in" and similar headlines in various media are currently picking up on an announcement by the security company WithSecure. It concerns a malware called Kapeka, which Microsoft tracks under the name KnuckleTouch and which its own Defender malware scanner already neutralizes.

WithSecure attributes the malware to Sandworm, a cyber group backed by the Russian military intelligence service GRU, which has frequently carried out cyber attacks in the past, particularly against organizations in Ukraine. WithSecure explains in its statement that the malware has been used against victims in Eastern Europe since mid-2022, i.e. two years ago. The company concludes with: "WithSecure last observed Kapeka activity in May 2023".

WithSecure describes the malware as follows: "Kapeka is a flexible backdoor with multiple functions. It not only serves hackers as a toolkit for the initial phase of the attack, but also grants long-term access to the victim's data. Analysis of the malware, its infrequent appearance and its level of stealth and sophistication point to APT-level activity, typically state-sponsored hacking."

As the analysis on VirusTotal shows, most current malware scanners already detect the Kapeka backdoor as malware, so users and admins should make sure their detection programs are up to date.

The bottom line is that this malware does not appear to function particularly differently from previously observed malware. It has also not been active for around a year. The attribution to Russian actors does not seem unlikely, but is merely based on a comparison of the Kapeka malware with the "Grey Energy" toolkit of the Sandworm group.

However, to interpret the discovery of the malware as a "major blow against Russia", as a WithSecure spokesperson was quoted as saying by the press agency dpa, seems like a PR maneuver. After all, Kapeka has not been spotted in the wild since the middle of last year, even without the intervention of malware hunters.

Transparency note: We originally decided against publishing a report on heise online. As there is no current threat from Kapeka, there was no reason to do so. However, given the great media attention, putting the story into context now seemed appropriate.

(dmk)