Russian APT Targets Ukraine with BadPaw and MeowMeow Malware

Researchers uncovered a Russian campaign targeting Ukrainian entities with new malware families BadPaw and MeowMeow delivered through phishing emails. The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain.

“The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals to deceive the victim,” reads the report published by ClearSky.

Simultaneously, the infection triggers the download of BadPaw, a .NET-based loader. Upon establishing command-and-control (C2) communication, the loader deploys MeowMeow, a sophisticated backdoor.

Key Findings 🔍

  • Both malware strains use the .NET Reactor packer to complicate analysis and reverse engineering.
  • The malware includes multiple defense mechanisms, remaining inactive unless launched with specific parameters.
  • The MeowMeow backdoor performs environmental checks, scanning systems for virtual machines and analysis tools such as Wireshark, ProcMon, and Fiddler.
  • If it detects a sandbox or research environment, it immediately stops execution to avoid investigation.

Anti-Analysis Techniques ⚔️

The HTA performs anti-analysis checks by verifying the system’s installation date and aborting execution on recently installed systems, a common sandbox-evasion tactic. As reported, “If the system was installed less than ten days prior to execution, the malware terminates. This is a common anti-analysis technique used to avoid execution on freshly provisioned virtual machines or automated analysis sandboxes.”
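The install-date gate quoted above, turned into a check a sandbox operator can run against an image before detonating samples. This is an added example, not code from the ClearSky report or the post; it assumes the install date is read from one of two standard Windows sources (the registry `InstallDate` DWORD, a Unix epoch, or the WMI `Win32_OperatingSystem.InstallDate` CIM_DATETIME string), which the report does not specify, and the sample values are constructed.

```python
"""Sandbox-image readiness check for the "installed less than ten days ago"
age gate described in the report.

Assumptions (not stated in the report): the install date is taken either from
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate (a REG_DWORD
holding Unix epoch seconds) or from Win32_OperatingSystem.InstallDate, a
CIM_DATETIME string such as "20240315101522.000000+000" (local time followed
by the UTC offset in minutes).
"""
from datetime import datetime, timedelta, timezone

MIN_AGE_DAYS = 10  # threshold quoted in the ClearSky report


def parse_install_date(value):
    """Return an aware UTC datetime from either supported InstallDate form."""
    if isinstance(value, int):  # registry REG_DWORD: Unix epoch seconds
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if isinstance(value, str) and len(value) == 25 and value[14] == ".":
        local = datetime.strptime(value[:14], "%Y%m%d%H%M%S")
        offset_minutes = int(value[21:])  # "+000", "-300", "+120", ...
        # CIM_DATETIME is local time; subtract the offset to get UTC.
        return (local - timedelta(minutes=offset_minutes)).replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised InstallDate value: {value!r}")


def image_age_days(install_date, now):
    """Age of the image in days (float) at the moment `now` (aware datetime)."""
    return (now - parse_install_date(install_date)) / timedelta(days=1)


def would_be_skipped(install_date, now, min_age_days=MIN_AGE_DAYS):
    """True if a sample applying the age gate would refuse to run on this image."""
    return image_age_days(install_date, now) < min_age_days


if __name__ == "__main__":
    # Constructed values: a fixed "now" and three images of different ages.
    now = datetime(2024, 4, 1, 12, 0, tzinfo=timezone.utc)
    for label, value in [
        ("wmi, 17 days old", "20240315101522.000000+000"),
        ("wmi, 7 days old, UTC+2", "20240325120000.000000+120"),
        ("registry, 3.5 days old", 1711670400),
    ]:
        verdict = "would be skipped" if would_be_skipped(value, now) else "passes gate"
        print(f"{label}: {image_age_days(value, now):.1f} days -> {verdict}")
```

Run it against the real values pulled from a sandbox image (or wire `parse_install_date` to a registry/WMI dump) to confirm the image is old enough before relying on it for detonation.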

Attribution and Implications 🌍

Researchers at ClearSky attribute the campaign with high confidence to a Russia-linked cyberespionage group and with lower confidence to the threat actor APT28. Their assessment relies on three factors: the targeting of Ukrainian entities, Russian-language artifacts in the code, and tactics consistent with previous Russian cyber operations, including multi-stage infection chains and .NET-based loaders.

The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28, based on the targeting footprint, the geopolitical nature of the lures used, and overlaps with techniques observed in previous Russian cyber operations.

This post is licensed under CC BY 4.0 by the author.