APT28-Linked Campaign Deploys BadPaw & MeowMeow Malware

Executive Summary
A new cyber espionage campaign is actively targeting Ukrainian entities. The activity, attributed with moderate confidence to the Russian state-sponsored threat actor APT28, utilizes two previously undocumented malware families: BadPaw, a .NET-based loader, and MeowMeow, a sophisticated backdoor. The attack chain begins with a targeted phishing email and employs multiple layers of social engineering and defense evasion to deploy its final payload, which is capable of remote command execution and file system manipulation.
Threat Details
Initial Access and Infection Vector
The attack chain initiates via a phishing email originating from a ukr[.]net domain, likely to establish credibility with the target. The email contains a link that first directs the victim to a URL hosting a tracking pixel, which notifies the threat actor that the link has been clicked. The victim is then redirected to a secondary URL to download a ZIP archive.
Evasion and Social Engineering
Upon extraction and execution, an HTML Application (HTA) file within the archive displays a decoy document. This lure, written in Ukrainian, pertains to border crossing appeals, serving as a social engineering tactic to deceive the victim. Concurrently, the HTA file performs anti-sandbox checks by querying the Windows Registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate. If the OS installation age is less than ten days, the malware aborts execution.
Persistence and Payload Staging
If the environment checks are passed, the HTA extracts a VBScript and a PNG image from the initial ZIP archive. Persistence is achieved by creating a scheduled task to execute the VBScript. The VBScript's primary function is to extract an obfuscated loader, BadPaw, embedded within the PNG image.
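The two staging artifacts described above (a scheduled task that launches a VBScript, and a loader hidden inside a PNG) are both things an analyst can check for on a suspect host. The following Python is an added example for this report, not code from ClearSky or from the malware: it parses an exported Task Scheduler XML definition and flags actions that invoke a script host, and it walks a PNG's chunk structure to return any bytes that trail the IEND chunk. The sample task XML and the PNG bytes are constructed here for illustration, and the assumption that the loader is stored as a trailing overlay after IEND is this example's, since the report only says it is "embedded within" the image.

```python
import struct
import xml.etree.ElementTree as ET
import zlib

# --- Check 1: scheduled tasks whose action runs a script host ---------------

# Namespace used by Task Scheduler XML exports (schtasks /query /xml).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("wscript", "cscript", "mshta")


def script_host_actions(task_xml: str) -> list:
    """Return 'command arguments' strings for every Exec action in a task
    definition that launches wscript/cscript/mshta or passes a .vbs file."""
    root = ET.fromstring(task_xml)
    hits = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        base = cmd.lower().rsplit("\\", 1)[-1]  # strip any directory prefix
        if base.startswith(SCRIPT_HOSTS) or ".vbs" in args.lower():
            hits.append(f"{cmd} {args}".strip())
    return hits


# Constructed sample: a logon-triggered task running a VBScript (not a real IoC).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B "C:\\Users\\Public\\update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# --- Check 2: data appended after a PNG's IEND chunk -------------------------

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_overlay(data: bytes) -> bytes:
    """Walk the chunk list and return everything that follows IEND.
    A well-formed PNG ends right after IEND, so a non-empty result means the
    file carries an overlay worth carving out and inspecting."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length+type header, chunk data, CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk found")


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only to construct samples)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed samples: a minimal 1x1 RGB PNG, and the same file with a fake
# "MZ" stub appended to stand in for an embedded loader.
CLEAN_PNG = (PNG_SIGNATURE
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + _chunk(b"IEND", b""))
SUSPICIOUS_PNG = CLEAN_PNG + b"MZ\x90\x00" + b"\x00" * 16


if __name__ == "__main__":
    for action in script_host_actions(SAMPLE_TASK_XML):
        print("script-host task action:", action)
    for name, blob in (("clean.png", CLEAN_PNG), ("lure.png", SUSPICIOUS_PNG)):
        extra = png_overlay(blob)
        print(f"{name}: {len(extra)} trailing bytes" + (" (overlay present)" if extra else ""))
```

On a live system the task XML would come from `schtasks /query /xml /tn <name>` and the PNG from the extracted archive; the overlay check only catches payloads stored after IEND, so a loader hidden inside an ancillary chunk or in pixel data would need a different test.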
Malware Analysis
BadPaw Loader
BadPaw is a .NET-based loader responsible for establishing communication with a command-and-control (C2) server. After a successful connection, it fetches and deploys additional malicious components, most notably the MeowMeow backdoor.
MeowMeow Backdoor
MeowMeow is a sophisticated backdoor that employs several anti-analysis features. If executed outside the intended infection chain, it presents a decoy GUI with a cat image and a "MeowMeow" button that displays a harmless message. Malicious functionality is only activated when executed with a specific parameter (-v). It also checks for the presence of analysis tools such as Wireshark, Procmon, Ollydbg, and Fiddler before running. Once active, its core capabilities include:
- Remote execution of PowerShell commands.
- File system operations, including the ability to read, write, and delete data.
Attribution
The campaign is attributed to APT28 with moderate confidence based on several factors:
- Targeting: The focus on Ukrainian entities aligns with the geopolitical objectives of the Russian state.
- TTPs: Overlaps in techniques with previously observed Russian cyber operations.
- Linguistic Evidence: The presence of Russian language strings in the malware's source code was identified. ClearSky notes this could either be an operational security (OPSEC) error or a leftover development artifact.