
Cybersecurity researchers have revealed details of a new Russian cyber campaign targeting organizations in Ukraine using two previously undocumented malware families, BadPaw and MeowMeow.
“The attack chain begins with a phishing email containing a link to a ZIP archive. Once extracted, the first HTA file displays a decoy document written in Ukrainian with a border-crossing complaint to deceive the victim,” ClearSky said in a report released this week.
In parallel, the attack chain leads to the deployment of a .NET-based loader called BadPaw, which then establishes communication with a remote server to fetch and deploy an advanced backdoor called MeowMeow.
This campaign is believed with moderate confidence to be the work of a Russian state-sponsored threat actor known as APT28, based on the targeted footprint, the geopolitical nature of the decoys used, and overlap with techniques observed in previous Russian cyber operations.
The starting point of the attack sequence is a phishing email sent from ukr[.], likely an attempt to establish credibility and secure the trust of the targeted victim. The message contains a link purporting to be a ZIP file that redirects the user to a URL that loads a “very small image,” effectively acting as a tracking pixel to notify the operator that the link has been clicked.
Once this step is completed, the victim will be redirected to a secondary URL where the archive will be downloaded. The ZIP file contains an HTML application (HTA) that, when launched, drops a decoy document as a distraction mechanism while running subsequent stages in the background.
“The dropped decoy document acts as a social engineering tactic, offering confirmation of receipt of government appeals regarding border crossings in Ukraine,” ClearSky said. “This lure is meant to maintain some ostensible legitimacy.”

The HTA file also runs checks to prevent it from executing in a sandbox environment. This is done by querying the Windows registry value “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate” to estimate the “age” of the operating system: the malware is designed to stop running if the operating system was installed within the last 10 days, a trait typical of freshly provisioned analysis machines.
If the environment passes these checks, the malware locates the downloaded ZIP archive, extracts two files from it (a Visual Basic Script (VBScript) and a PNG image) and saves them to disk under different names. It also creates a scheduled task that runs the VBScript to ensure persistence on the infected system.
The main role of the VBScript is to extract the malicious code embedded in the PNG image: an obfuscated loader called BadPaw, which connects to a command-and-control (C2) server and downloads additional components, including an executable named MeowMeow.
“Consistent with the ‘BadPaw’ tradecraft, when this file is executed independently of the entire attack chain, a dummy code sequence is initiated,” the Israeli cybersecurity firm explained. “This decoy run displays a graphical user interface (GUI) featuring a photo of a cat, matching the visual theme of the initial image file from which the primary malware was extracted.”
“When you click on the ‘meow meow’ button within the decoy GUI, the application simply displays a ‘meow meow meow’ message and takes no further malicious action. This acts as a secondary functional decoy to mislead manual analysis.”
The backdoor’s malicious code only becomes active when executed with a specific parameter (‘-v’) provided by the initial infection chain and after ensuring that it is running on a real endpoint rather than a sandbox, and that no forensic or monitoring tools such as Wireshark, Procmon, Ollydbg, or Fiddler are running in the background.
At the core of MeowMeow is the ability to remotely execute PowerShell commands on compromised hosts and support file system operations such as reading, writing, and deleting data. ClearSky said it had identified Russian strings in the source code, supporting its assessment that the activity was the work of Russian-speaking attackers.
“The presence of these Russian strings suggests two possibilities: either the attackers committed an operational security (OPSEC) error by failing to localize the code for the Ukrainian target environment, or they inadvertently left Russian artifacts in the code during the malware’s production.”
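The stages reported above (HTA launch, the InstallDate age check, VBScript persistence via a scheduled task, and a second stage started with the ‘-v’ parameter) form a chain that a defender can correlate in endpoint telemetry. The following Python is an added illustration, not code from ClearSky’s report; the event schema and the sample events are constructed assumptions, and the process and task names are placeholders.

```python
"""Correlate constructed endpoint telemetry for the multi-stage chain described above."""
from collections import defaultdict
from datetime import datetime, timedelta

# Registry value the HTA queries to estimate OS age (named in the report).
INSTALLDATE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate"
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events; the field names are an assumed simplified schema, not a real product's.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "host": "ws1", "type": "process_create", "image": "mshta.exe",
     "parent": "explorer.exe", "cmdline": r"mshta.exe C:\Users\u\Downloads\arch\complaint.hta"},
    {"ts": "2024-01-01T10:00:02", "host": "ws1", "type": "registry_read", "image": "mshta.exe",
     "target": INSTALLDATE_KEY},
    {"ts": "2024-01-01T10:00:05", "host": "ws1", "type": "process_create", "image": "schtasks.exe",
     "parent": "mshta.exe", "cmdline": r'schtasks /create /tn Updater /tr "wscript.exe C:\ProgramData\upd.vbs" /sc minute'},
    {"ts": "2024-01-01T10:01:00", "host": "ws1", "type": "process_create", "image": "loader.exe",
     "parent": "wscript.exe", "cmdline": r"C:\ProgramData\loader.exe -v"},
    # Benign: a system process reading InstallDate on another host should not fire.
    {"ts": "2024-01-01T11:00:00", "host": "ws2", "type": "registry_read", "image": "svchost.exe",
     "target": INSTALLDATE_KEY},
]

def classify(ev):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    img, cmd = ev["image"].lower(), ev.get("cmdline", "").lower()
    if ev["type"] == "process_create" and img == "mshta.exe" and ".hta" in cmd:
        return "hta_launch"
    if ev["type"] == "registry_read" and img in SCRIPT_HOSTS and ev.get("target", "").lower() == INSTALLDATE_KEY.lower():
        return "installdate_check"
    if ev["type"] == "process_create" and img == "schtasks.exe" and "/create" in cmd and ".vbs" in cmd:
        return "vbs_persistence"
    if ev["type"] == "process_create" and ev.get("parent", "").lower() == "wscript.exe" and cmd.split()[-1:] == ["-v"]:
        return "stage2_with_v_flag"
    return None

def correlate(events, window=timedelta(minutes=10), min_stages=3):
    """Per host, collect stage hits in time order and alert when at least
    min_stages distinct stages occur within a sliding window."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            stages = {s for t, s in seq[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts
```

Requiring several distinct stages in a short window keeps a lone InstallDate read (a common benign action) from alerting on its own.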
