Recent investigations have uncovered a cyber operation attributed to Russian state-sponsored actors that targets Ukrainian organizations with two previously undocumented malware families: a loader dubbed BadPaw and a backdoor dubbed MeowMeow. The campaign is the latest instance of the sustained cyber pressure on Ukraine that has accompanied the conflict in the region.
Phishing Tactics and Attack Methodology
The campaign begins with a phishing email sent from an address on ukr[.]net, a widely used Ukrainian mail provider, which lends the message apparent credibility. The email carries a link that supposedly leads to a ZIP archive. Clicking it first loads a small tracking pixel, which tells the attackers that the recipient engaged with the lure, and only then redirects the browser to download the malicious archive. Inside the archive is an HTML Application (HTA) file.
The HTA file serves a dual purpose: presenting a decoy document to maintain the appearance of legitimacy and executing malicious processes in the background. This document mimics official Ukrainian communications, specifically regarding border crossing appeals, to further deceive victims.
Advanced Malware Deployment and Characteristics
Upon execution, the HTA file performs environment checks intended to spot analysis sandboxes and stops if it finds one, so that automated detonation never reaches the payload. If the host passes the checks, the HTA extracts a VBScript and a PNG file from the archive and creates a scheduled task that runs the VBScript, giving the intrusion persistence across reboots.
The VBScript's primary role is to extract the BadPaw loader hidden inside the PNG image and launch it; an image file attracts far less scrutiny than an executable from mail gateways, web proxies and casual inspection. The loader then contacts a command-and-control server and downloads the MeowMeow backdoor along with the other components the operation needs.
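The execution chain in the paragraphs above (archive opened, mshta.exe runs the HTA, the HTA registers a scheduled task, the task later launches a script host on the dropped VBScript) is exactly the kind of behaviour endpoint telemetry can catch even when the file hashes are new. The following is an added detection example written for this article, not code from the original report or from any vendor. It runs three rules and one parent-chain correlation over constructed Sysmon Event ID 1 (process creation) records with shortened field names; the user name, archive and task names, paths and PIDs are invented.

```python
"""Detect the HTA -> scheduled task -> VBScript execution chain in process logs."""
import re

# Paths an unprivileged user can write to; a payload staged here is more
# suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(Users|AppData|Temp|Downloads|ProgramData)\\", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_mshta_from_user_path(ev: dict) -> bool:
    """mshta.exe running an .hta staged in a user-writable directory."""
    return (_basename(ev["image"]) == "mshta.exe"
            and ".hta" in ev["cmdline"].lower()
            and USER_WRITABLE.search(ev["cmdline"]) is not None)


def rule_schtasks_script_host(ev: dict) -> bool:
    """schtasks /create whose action (/tr) launches a script host on a .vbs file."""
    cmd = ev["cmdline"].lower()
    return (_basename(ev["image"]) == "schtasks.exe"
            and "/create" in cmd
            and re.search(r'/tr\s+"?.*?(wscript|cscript)\.exe.*?\.vbs', cmd) is not None)


def rule_script_host_from_user_path(ev: dict) -> bool:
    """wscript/cscript executing a .vbs from a user-writable directory."""
    return (_basename(ev["image"]) in SCRIPT_HOSTS
            and ".vbs" in ev["cmdline"].lower()
            and USER_WRITABLE.search(ev["cmdline"]) is not None)


RULES = {
    "mshta_from_user_path": rule_mshta_from_user_path,
    "schtasks_script_host_persistence": rule_schtasks_script_host,
    "script_host_from_user_path": rule_script_host_from_user_path,
}


def ancestors(ev: dict, by_pid: dict):
    """Yield parent, grandparent, ... by following ppid links (cycle-safe)."""
    seen = set()
    parent = by_pid.get(ev["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        yield parent
        parent = by_pid.get(parent["ppid"])


def detect(events: list) -> list:
    """Return (rule_name, pid) pairs for every event a rule fires on."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["pid"]))
        # Correlation: persistence created beneath an mshta.exe ancestor is
        # the HTA-dropper behaviour described in the article.
        if rule_schtasks_script_host(ev) and any(
                _basename(a["image"]) == "mshta.exe" for a in ancestors(ev, by_pid)):
            hits.append(("hta_spawns_scheduled_task_persistence", ev["pid"]))
    return hits


# Constructed sample events (Sysmon Event ID 1 shape, shortened field names).
# PIDs, user name, archive name and task name are invented for the example.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\olena\Downloads\appeal.zip"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\olena\AppData\Local\Temp\Rar$DIa1\appeal.hta"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "SysUpdate" /sc minute /mo 15 '
                r'/tr "wscript.exe //B C:\Users\olena\AppData\Roaming\update.vbs"'},
    # Later firing of the task: the parent is the Task Scheduler service host.
    {"pid": 500, "ppid": 40, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B C:\Users\olena\AppData\Roaming\update.vbs'},
]

BENIGN_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 110, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'notepad.exe C:\Users\olena\Documents\notes.txt'},
]

if __name__ == "__main__":
    for rule_name, pid in detect(EVENTS):
        print(f"{rule_name:40s} pid={pid}")
```

The individual rules will fire on some legitimate administration, so the correlated hit (a scheduled task registered by a process whose ancestry includes mshta.exe) is the one worth paging on; the others are good hunting pivots. Note that the later task execution has the Task Scheduler service as its parent, not mshta.exe, which is why it needs its own rule rather than the chain correlation.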
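The article says only that the loader is carried inside a PNG, not how it is embedded. A file-level hunt therefore has to look for generic signs that an image is carrying something it should not. The scanner below is an added example (not the researchers' or the malware authors' code): it walks the PNG chunk structure and reports bytes appended after the IEND chunk, chunk types outside the standard set, oversized ancillary chunks and CRC mismatches. The `build_png` helper, the `pAYl` chunk name and the sample payloads are constructed for the example.

```python
"""Flag PNG files whose chunk structure suggests a hidden payload."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
# Standard chunk types; anything else is reported (assumption: benign
# encoders rarely emit private chunk names).
KNOWN_CHUNKS = CRITICAL_CHUNKS | {
    b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"tEXt", b"zTXt", b"iTXt",
    b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST", b"tIME", b"eXIf",
}
ANCILLARY_LIMIT = 4096  # bytes; metadata chunks larger than this get flagged


def scan_png(data: bytes) -> dict:
    """Walk the chunk list; return {"valid", "findings", "trailing_bytes"}."""
    findings, trailing, saw_iend = [], 0, False
    if not data.startswith(PNG_SIG):
        return {"valid": False, "findings": ["missing PNG signature"], "trailing_bytes": 0}
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):  # 4-byte length + 4-byte type + 4-byte CRC at minimum
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start, crc_start = pos + 8, pos + 8 + length
        name = ctype.decode("latin-1")
        if crc_start + 4 > len(data):
            findings.append(f"truncated chunk {name}")
            break
        body = data[body_start:crc_start]
        (stored_crc,) = struct.unpack(">I", data[crc_start:crc_start + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            findings.append(f"bad CRC on chunk {name}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {name} ({length} bytes)")
        elif ctype not in CRITICAL_CHUNKS and length > ANCILLARY_LIMIT:
            findings.append(f"oversized ancillary chunk {name} ({length} bytes)")
        pos = crc_start + 4
        if ctype == b"IEND":
            saw_iend = True
            trailing = len(data) - pos  # decoders stop here, so anything after is free space
            if trailing:
                findings.append(f"{trailing} bytes after IEND")
            break
    if not saw_iend:
        findings.append("no IEND chunk")
    return {"valid": True, "findings": findings, "trailing_bytes": trailing}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailing: bytes = b"") -> bytes:
    """Constructed 1x1 RGB image, optionally with extra chunks before IEND
    and bytes appended after it (test fixture, not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")  # filter byte + one black pixel
    out = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        out += _chunk(ctype, body)
    return out + _chunk(b"IEND", b"") + trailing


if __name__ == "__main__":
    for label, img in [("clean", build_png()),
                       ("appended", build_png(trailing=b"MZ" + b"\x00" * 300)),
                       ("private chunk", build_png(extra_chunks=[(b"pAYl", b"\x90" * 64)]))]:
        print(label, scan_png(img)["findings"])
```

Run it over the image files dropped next to a suspicious VBScript, or over every PNG written to a user profile in the relevant time window. A clean image yields no findings; a payload appended after IEND or stashed in a private chunk shows up immediately, and a bad CRC usually means someone patched a chunk body by hand. Payloads hidden in the pixel data itself (true LSB steganography) will not be caught by structural checks like these.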
Technical Analysis of the MeowMeow Backdoor
The MeowMeow backdoor, which runs only when certain conditions are met, can execute PowerShell commands and perform file operations on the compromised host. Its design combines code obfuscation with functional decoys, including a GUI window that displays a cat image, intended to mislead analysts and automated classifiers.
Further analysis revealed Russian-language strings in the code, which could be an operational oversight or a deliberate inclusion by the Russian-speaking developers. On their own such strings are weak evidence, since they are trivial to plant as a false flag, but taken with the rest of the findings they reinforce the attribution to APT28 (also tracked as Fancy Bear), a known Russian state-linked threat group.
The discovery of this campaign underscores the persistent cyber threats faced by Ukraine and the evolving tradecraft of advanced persistent threat actors. For the organizations in its crosshairs, the chain described here points to concrete controls: blocking or restricting HTA execution, alerting on scheduled tasks that launch script hosts from user-writable paths, and inspecting image files that appear alongside dropped scripts. As geopolitical tensions continue, that kind of vigilance remains critical.
