SIGS:Kapeka/ICYWELL Backdoor APT44/Sandworm Part 1

Hi,

Sigs for Kapeka backdoor (what Mandiant refer to as ICYWELL). The responses will be over HTTPS only too so would require decryption to be useful. Splitting the sigs across two posts as can only do 8 links in a post apparently.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Kapeka/ICYWELL Backdoor APT44/Sandworm Execute Command Server Response"; flow:established,to_client; file_data; content:"|3A| |22|Execute command|22|,"; classtype:trojan-activity; reference:url,labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf; reference:url,services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf; sid:167111; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Kapeka/ICYWELL Backdoor APT44/Sandworm Read From File Server Response"; flow:established,to_client; file_data; content:"|3A| |22|Read from file|22|,"; content:"|3A| |22|C|3A|//"; distance:0; classtype:trojan-activity; reference:url,labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf; reference:url,services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf; sid:167112; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Kapeka/ICYWELL Backdoor APT44/Sandworm Write To File Server Response"; flow:established,to_client; file_data; content:"|3A| |22|Write to file|22|,"; content:"|3A| |22|C|3A|//"; distance:0; classtype:trojan-activity; reference:url,labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf; reference:url,services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf; sid:167113; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Kapeka/ICYWELL Backdoor APT44/Sandworm Uninstall Backdoor Server Response"; flow:established,to_client; file_data; content:"|3A| |22|Uninstall backdoor|22|,"; classtype:trojan-activity; reference:url,labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf; reference:url,services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf; sid:167114; rev:1;)

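To check what the four rules above actually key on before deploying them behind a TLS decryption point, here is an added example (not part of the post or of the ET ruleset) that emulates their `file_data` / ordered `content` / `distance:0` matching in Python over constructed response bodies. The hex escapes `|3A| |22|` decode to `: "`, so the match depends on that exact spacing and the trailing comma; the JSON bodies below are made up for the test and are not a claim about the real Kapeka wire format.

```python
from typing import List, Optional

# Mirrors the post's four rules: ET sid -> ordered content patterns
# (|3A| |22| decoded to ': "'). Later patterns carry distance:0, i.e. they
# must begin at or after the end of the previous match.
RULES = {
    "167111": [b': "Execute command",'],
    "167112": [b': "Read from file",', b': "C://'],
    "167113": [b': "Write to file",', b': "C://'],
    "167114": [b': "Uninstall backdoor",'],
}

def file_data(raw_response: bytes) -> Optional[bytes]:
    """Return the HTTP body, the buffer that file_data selects (decrypted input assumed)."""
    sep = raw_response.find(b"\r\n\r\n")
    return None if sep < 0 else raw_response[sep + 4:]

def match_ordered(body: bytes, patterns: List[bytes]) -> bool:
    """Emulate chained content matches with distance:0 between them."""
    pos = 0
    for pat in patterns:
        idx = body.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(pat)  # next pattern may not start before this offset
    return True

def scan(raw_response: bytes) -> List[str]:
    """Return the sids (in rule order) that would fire on this response."""
    body = file_data(raw_response)
    if body is None:
        return []
    return [sid for sid, pats in RULES.items() if match_ordered(body, pats)]

HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
# Constructed sample bodies, not real captures.
SAMPLE_READ = HDR + b'{"1": "Read from file", "2": "C://Users/Public/notes.txt"}'
SAMPLE_EXEC = HDR + b'{"1": "Execute command", "2": "example"}'
# Same tokens but the path precedes the verb: distance:0 makes this a miss.
SAMPLE_OUT_OF_ORDER = HDR + b'{"2": "C://Users/Public/x", "1": "Read from file", "3": 0}'

if __name__ == "__main__":
    for name, sample in [("read", SAMPLE_READ), ("exec", SAMPLE_EXEC),
                         ("out-of-order", SAMPLE_OUT_OF_ORDER)]:
        print(name, scan(sample))
```

The out-of-order case is the one to remember when tuning: a body that contains every token still misses if the path field is serialised before the verb, so field ordering in the real responses decides whether the two-content rules fire.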

Thanks Kevin! Will take a look at getting these in for today's release

JT

Took me a little longer to go through all that than I expected. The following sigs went out today, thanks again Kevin!

2052172 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (execute command)
2052173 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (read from file)
2052174 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (write to file)
2052175 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (uninstall)
2052176 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (launch process)
2052177 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (launch payload)
2052178 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (execute shell command)
2052179 - ET MALWARE Suspected Kapeka/ICYWELL Backdoor Server Response (upgrade backdoor)