This is a simulation of attack by (Voodoo Bear) APT44 group targeting entities in Eastern Europe the attack campaign was active as early as mid-2022, The attack chain starts with backdoor which is a DLL targets both 32-bit and 64-bit Windows environments, It gathers information and fingerprints the user and the machine then sends the information to the attackers-controlled C2, The backdoor uses a multi-threaded approach, and leverages event objects for data synchronization and signaling across threads. I relied on withsecure tofigure out the details to make this simulation: https://labs.withsecure.com/publications/kapeka
Kapeka, which means “little stork” in Russian, is a flexible backdoor written in C++. It allows the threat actors to use it as an early stage toolkit, while also providing long term persistence to the victim network. Kapeka’s dropper is a 32-bit Windows executable that drops and launches the backdoor on a victim machine. The dropper also sets up persistence by creating a scheduled task or autorun registry. Finally, the dropper removes itself from the system. If you need to know more about Kapeka backdoor for Voodoo Bear APT group: https://blog.polyswarm.io/voodoo-bears-kapeka-backdoor-targets-critical-infrastructure
-
RSA C2-Server: I developed C2 server script enable to make remote communication by utilizes RSA encryption for secure data transmission between the attacker server and the target.
-
Testing payload : I used payload written by Python only to test C2 (testing payload.py), if there were any problems with the connection (just for test connection) before writing the actual payload.
-
DLL backdoor: I have developed a simulation of the kapeka backdoor that the attackers used in the actual attack.
This PHP C2 server script enable to make remote communication by utilizes RSA encryption for secure data transmission between the attacker server and the target.
rsa_encrypt($data, $public_key):
Purpose: Encrypts data using the RSA public key. Process: The function takes the data and the public key as input, then uses openssl_public_encrypt to encrypt the data with the provided public key. Output: Returns the encrypted data.
rsa_decrypt($data, $private_key):
Purpose: Decrypts data using the RSA private key. Process: The function takes the encrypted data and the private key as input, then uses openssl_private_decrypt to decrypt the data with the provided private key. Output: Returns the decrypted data.
I used payload written by Python only to test C2 (testing payload.py), if there were any problems with the connection (just for test connection) before writing the actual payload.
RSA and PKCS1_OAEP from pycryptodome: For encryption and decryption using RSA.
rsa_encrypt(data, public_key): Encrypts data using the provided public key.
rsa_decrypt(data, private_key): Decrypts data using the provided private key (not used in this script).
Note: Ensure that the server is correctly sending RSA-encrypted commands and handling the responses appropriately. The script requires the pycryptodome library for RSA encryption and decryption:
pip install pycryptodome
The Kapeka backdoor is a Windows DLL containing one function which has been exported by ordinal2 (rather than by name). The backdoor is written in C++ and compiled (linker 14.16) using Visual Studio 2017 (15.9). The backdoor file masquerades as a Microsoft Word Add-In with its extension (.wll), but in reality it is a DLL file.
I have developed a simulation of the kapeka backdoor that the attackers used in the actual attack.
In total, the backdoor launches four main threads:
• First thread: This is the primary thread which performs the initialization and exit routine, as well as C2 polling to receive tasks or an updated C2 configuration.
• Second thread: Monitors for Windows log off events, signaling the primary thread to perform the backdoor’s graceful exit routine upon log off.
• Third thread: Monitors for incoming tasks to be processed. This thread launches subsequent threads to execute each received task.
• Fourth thread: Monitors for completion of tasks to send back the processed task results to the C2.
manual compile:x86_64-w64-mingw32-g++ -shared -o kapeka_backdoor.dll kapeka_backdoor.cpp -lws2_32
Run the DLL:rundll32.exe kapeka_backdoor.dll,ExportedFunction -d