Cybersecurity researchers have disclosed particulars of a brand new Russian cyber marketing campaign that has focused Ukrainian entities with two beforehand undocumented malware households named BadPaw and MeowMeow.
“The assault chain initiates with a phishing e mail containing a hyperlink to a ZIP archive. As soon as extracted, an preliminary HTA file shows a lure doc written in Ukrainian regarding border crossing appeals to deceive the sufferer,” ClearSky mentioned in a report printed this week.
In parallel, the assault chain results in the deployment of a .NET-based loader referred to as BadPaw, which then establishes communication with a distant server to fetch and deploy a complicated backdoor referred to as MeowMeow.
The marketing campaign has been attributed with average confidence to the Russian state-sponsored risk actor often called APT28, primarily based on the focusing on footprint, the geopolitical nature of the lures used, and overlaps with methods noticed in earlier Russian cyber operations.
The start line of the assault sequence is a phishing e mail despatched from ukr[.]internet, doubtless in an try to determine credibility and safe the belief of focused victims. Current within the message is a hyperlink to a purported ZIP file, inflicting the consumer to be redirected to a URL that hundreds an “exceptionally small picture,” successfully performing as a monitoring pixel to sign the operators that the hyperlink was clicked.
As soon as this step is full, the sufferer is redirected to a secondary URL from the place the archive is downloaded. The ZIP file consists of an HTML Utility (HTA) that, as soon as launched, drops a decoy doc as a distraction mechanism, whereas it executes follow-on levels within the background.
“The dropped decoy doc serves as a social engineering tactic, presenting a affirmation of receipt for a authorities attraction relating to a Ukrainian border crossing,” ClearSky mentioned. “This lure is meant to keep up the veneer of legitimacy.”
The HTA file additionally carries out checks to keep away from working inside sandbox environments. It does this by querying the Home windows Registry key “KLMSOFTWAREMicrosoftWindows NTCurrentVersionInstallDate” to estimate the “age” of the working system. The malware is designed to abort execution if the system was put in lower than ten days prior.
Ought to the system meet the setting standards, the malware locates the downloaded ZIP archive and extracts two recordsdata from it – a Visible Primary Script (VBScript) and a PNG picture – and saves them to disk below totally different names. It additionally creates a scheduled process to execute the VBScript as a approach of guaranteeing persistence on the contaminated system.
The first accountability of the VBScript is to extract malicious code embedded inside the PNG picture, an obfuscated loader known as BadPaw that is able to contacting a command-and-control (C2) server to obtain extra parts, together with an executable named MeowMeow.
“According to the ‘BadPaw’ tradecraft, if this file is executed independently of the complete assault chain, it initiates a dummy code sequence,” the Israeli cybersecurity firm defined. “This decoy execution shows a graphical consumer interface (GUI) that includes an image of a cat, aligning with the visible theme of the preliminary picture file from which the first malware was extracted.”
“When the ‘MeowMeow’ button inside the decoy GUI is clicked, the applying merely shows a ‘Meow Meow Meow’ message, performing no additional malicious actions. This serves as a secondary useful decoy to mislead guide evaluation.”
The backdoor’s malicious code is activated solely when it is executed with a sure parameter (“-v”) that is supplied by the preliminary an infection chain, and after checking that it is working on an precise endpoint versus a sandbox, and no forensic and monitoring instruments like Wireshark, Procmon, Ollydbg, and Fiddler are working within the background.
At its core, MeowMeow is supplied to remotely execute PowerShell instructions on the compromised host and assist file system operations, reminiscent of the flexibility to learn, write, and delete information. ClearSky mentioned it recognized Russian language strings within the supply code, reinforcing the evaluation that the exercise is the work of a Russian-speaking risk actor.
“The presence of those Russian-language strings suggests two potentialities: the risk actor dedicated an operational safety (OPSEC) error by failing to localize the code for the Ukrainian goal setting, or they inadvertently left Russian improvement artifacts inside the code in the course of the malware’s manufacturing part,” it mentioned.
