Cyber: Apt28-linked Campaign Deploys Badpaw Loader And Meowmeow Backdoor...
Cybersecurity researchers have disclosed details of a new Russian cyber campaign that has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow.
"The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals to deceive the victim," ClearSky said in a report published this week.
In parallel, the attack chain leads to the deployment of a .NET-based loader called BadPaw, which then establishes communication with a remote server to fetch and deploy a sophisticated backdoor called MeowMeow.
The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28, based on the targeting footprint, the geopolitical nature of the lures used, and overlaps with techniques observed in previous Russian cyber operations.
The starting point of the attack sequence is a phishing email sent from ukr[.]net, likely in an attempt to establish credibility and secure the trust of targeted victims. Present in the message is a link to a purported ZIP file, causing the user to be redirected to a URL that loads an "exceptionally small image," effectively acting as a tracking pixel to signal the operators that the link was clicked.
Once this step is complete, the victim is redirected to a secondary URL from where the archive is downloaded. The ZIP file includes an HTML Application (HTA) that, once launched, drops a decoy document as a distraction mechanism, while it executes follow-on stages in the background.
"The dropped decoy document serves as a social engineering tactic, presenting a confirmation of receipt for a government appeal regarding a Ukrainian border crossing," ClearSky said. "This lure is intended to maintain the veneer of legitimacy."
The HTA file also carries out checks to avoid running within sandbox environments. It does this by querying the Windows Registry key "KLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate" to estimate the "age" of the operating system. The malware is designed to abort execution if the system was installed less than ten days prior.
Should the system meet the environment criteria, the malware locates the downloaded ZIP archive and extracts two files from it – a Visual Basic Script (VBScript) and a PNG image – and saves them to disk under different names. It also creates a scheduled task to exec
Source: The Hacker News
