APT28-Linked Cyber Attack Campaign Unleashes BadPaw Loader and MeowMeow Backdoor in Ukraine
Cybersecurity Alert: Russian-Backed Cyber Campaign Targets Ukrainian Entities
Cybersecurity researchers have uncovered a new Russian-backed cyber campaign targeting Ukrainian entities with two previously unknown malware families, BadPaw and MeowMeow.
Attack Chain and Malware Deployment
The attack begins with a phishing email sent from the ukr[.]net domain, containing a link to a ZIP archive. When extracted, the archive displays a decoy document in Ukrainian, discussing border crossing appeals, in an attempt to deceive the victim.
Alongside the decoy, the attack chain deploys a .NET-based loader, BadPaw, which contacts a remote server to fetch and deploy a sophisticated backdoor, MeowMeow.
Attribution and Confidence Level
The campaign has been attributed to the Russian state with moderate confidence.
Phishing Email and Tracking Pixel
The initial phishing email contains a tracking pixel, which signals the operators when the link is clicked. Once clicked, the victim is redirected to a secondary URL, where the archive is downloaded.
Decoy Document and Social Engineering
The decoy document serves as a social engineering tactic, presenting a confirmation of receipt for a government appeal regarding a Ukrainian border crossing.
HTA File and Sandbox Evasion
The HTA file carries out checks to avoid running within sandbox environments by reading the “InstallDate” value under the Windows Registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion” to estimate the “age” of the operating system. The malware aborts execution if the system was installed less than ten days prior.
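The InstallDate check above is worth reproducing on the defensive side, because a freshly built analysis VM will fail it and the sample will never detonate. The following added example (not code from the report or from the malware) parses a `reg export` of that key, computes the OS age the HTA would infer, and says whether the ten-day threshold would be met; the registry export and its install date are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Key and value the HTA reads. InstallDate is a REG_DWORD holding the Unix
# epoch time (seconds) at which Windows was installed.
INSTALL_DATE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
MIN_AGE_DAYS = 10  # threshold the report attributes to the HTA

# Constructed sample: a trimmed `reg export` of that key from an analysis VM.
# dword:65f1a2b3 is 2024-03-13 UTC, a made-up install date, not from the report.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductName"="Windows 10 Pro"
"InstallDate"=dword:65f1a2b3
"""

def parse_install_epoch(reg_export: str) -> int:
    """Return the InstallDate value (Unix epoch seconds) from a .reg export."""
    m = re.search(r'^"InstallDate"=dword:([0-9a-fA-F]{1,8})\s*$', reg_export, re.MULTILINE)
    if not m:
        raise ValueError("InstallDate value not present in export")
    return int(m.group(1), 16)

def os_age_days(reg_export: str, now_epoch: int) -> int:
    """Whole days between the recorded install time and now_epoch."""
    return (now_epoch - parse_install_epoch(reg_export)) // 86400

def survives_age_check(reg_export: str, now_epoch: int, min_days: int = MIN_AGE_DAYS) -> bool:
    """True when the host looks old enough that the HTA would not abort."""
    return os_age_days(reg_export, now_epoch) >= min_days

def report(reg_export: str, now_epoch: int) -> str:
    """One-line verdict a sandbox operator can read off a VM's registry export."""
    installed = datetime.fromtimestamp(parse_install_epoch(reg_export), tz=timezone.utc)
    age = os_age_days(reg_export, now_epoch)
    verdict = "would run" if survives_age_check(reg_export, now_epoch) else "would abort"
    return f"installed {installed:%Y-%m-%d}, age {age} days: sample {verdict}"

if __name__ == "__main__":
    import time
    print(report(SAMPLE_REG_EXPORT, int(time.time())))
```

On a live VM, run `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" cv.reg` and feed the file's contents to `report` to see whether the image would pass the check as-is.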
VBScript and BadPaw Loader
The primary responsibility of the VBScript is to extract malicious code embedded within a PNG image, an obfuscated loader referred to as BadPaw. BadPaw is capable of contacting a command-and-control (C2) server to fetch and deploy the MeowMeow backdoor.
MeowMeow Backdoor and Capabilities
The MeowMeow backdoor’s malicious code is activated only when executed with a certain parameter (“-v”) provided by the initial infection chain. It checks that it’s running on an actual endpoint, as opposed to a sandbox, and that no forensic or monitoring tools such as Wireshark, Procmon, Ollydbg, and Fiddler are running in the background.
MeowMeow is equipped to remotely execute PowerShell commands on the compromised host and support file system operations, such as reading, writing, and deleting data.
ClearSky identified Russian language strings in the source code, reinforcing the assessment that the activity is the work of a Russian-speaking threat actor. The presence of these Russian-language strings suggests two possibilities: the threat actor committed an operational security error by failing to localize the code for the Ukrainian target environment, or they inadvertently left Russian development artifacts within the code during the malware’s production phase.
