Kapeka Backdoor Loaded Via Rundll32.EXE

    Date: 12/31/2024

    Severity: High

    Summary

    Identifies the Kapeka backdoor binary being loaded by rundll32.exe. The Kapeka loader deploys a backdoor disguised as a Microsoft Word add-in: a DLL saved with a '.wll' extension under ProgramData or the user's AppData\Local tree.

    Indicators of Compromise (IOC) List

    Image : 

    '\rundll32.exe'

    ImageLoaded : 

    - ':\ProgramData'

    - '\AppData\Local\'

    - '[a-zA-Z]{5,6}\.wll'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    (resourcename = "Sysmon" AND eventtype = "7") AND image like "\rundll32.exe" AND ((imageloaded like ":\ProgramData" or imageloaded like "\AppData\Local") and imageloaded like "[a-zA-Z]{5,6}\.wll")

    Detection Query 2 : 

    (technologygroup = "EDR") AND image like "\rundll32.exe" AND ((imageloaded like ":\ProgramData" or imageloaded like "\AppData\Local") and imageloaded like "[a-zA-Z]{5,6}\.wll")
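    The selection logic behind these queries, as an added example that is not Gurucul's or SigmaHQ's code: the referenced Sigma rule re-implemented in Python and run over constructed Sysmon event ID 7 records, so the matching can be checked before the queries go into production. As in the Sigma rule, the two path fragments are alternatives and the file-name regex is an additional required match.

```python
import re

# Selection logic of the referenced Sigma rule, re-implemented here as an added
# example: rundll32.exe loading a .wll whose name is 5-6 letters, from
# ProgramData or the user's AppData\Local tree.
WLL_NAME_RE = re.compile(r"[a-zA-Z]{5,6}\.wll")           # Sigma 'ImageLoaded|re'
PATH_MARKERS = (":\\programdata", "\\appdata\\local\\")   # Sigma 'ImageLoaded|contains' (any of)


def is_kapeka_wll_load(event: dict) -> bool:
    """True for a Sysmon event ID 7 (Image Loaded) record matching the rule."""
    if str(event.get("EventID", "")) != "7":
        return False
    image = str(event.get("Image", "")).lower()
    loaded = str(event.get("ImageLoaded", ""))
    # Sigma string matches are case-insensitive; the regex keeps its own character class.
    if not image.endswith("\\rundll32.exe"):
        return False
    if not any(marker in loaded.lower() for marker in PATH_MARKERS):
        return False
    return WLL_NAME_RE.search(loaded) is not None


def scan(events) -> list:
    """Return the ImageLoaded path of every matching event, in log order."""
    return [e["ImageLoaded"] for e in events if is_kapeka_wll_load(e)]


# Constructed sample Sysmon event ID 7 records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\ProgramData\\Office\\wrdpl.wll"},                 # match
    {"EventID": 7, "Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\abcdef.wll"},   # match
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll"},                # ordinary DLL
    {"EventID": 7, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ImageLoaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\STARTUP\\toolbar.wll"},  # Word, not rundll32
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\ProgramData\\x.wll"},                            # name too short for the regex
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\ProgramData\\Office\\wrdpl.wll"},                 # not an Image Loaded event
]

if __name__ == "__main__":
    for path in scan(SAMPLE_EVENTS):
        print("Kapeka .wll load:", path)
```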

    Reference:   

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml 

    Tags

    Malware, Sigma, Kapeka, Backdoor
