APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine

Security Reporter

Russian state-sponsored APT28 has launched a sophisticated phishing campaign targeting Ukrainian entities with two new malware families, BadPaw and MeowMeow, using deceptive lures about border crossing appeals.

Cybersecurity researchers have uncovered a new Russian cyber campaign targeting Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow. The attack, attributed with moderate confidence to the Russian state-sponsored threat actor APT28, demonstrates the group's continued focus on Ukraine amid ongoing geopolitical tensions.

The Phishing Lure: A Deceptive Border Crossing Appeal

The attack chain begins with a phishing email sent from a ukr[.]net address, likely chosen to establish credibility with Ukrainian targets. The message contains a link to what appears to be a ZIP archive containing information about border crossing appeals.

"The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals to deceive the victim," ClearSky researchers explained in their report.

However, this is merely the first layer of deception. When victims click the link, they're first redirected to a URL that loads an "exceptionally small image" - effectively a tracking pixel that signals to the attackers that the link was clicked. Only then are victims redirected to a secondary URL where the actual ZIP archive is downloaded.

BadPaw Loader: The First Stage Payload

Once the ZIP file is extracted, it contains an HTML Application (HTA) file that serves multiple purposes. When launched, the HTA drops a decoy document written in Ukrainian that appears to confirm receipt of a government appeal regarding border crossing. This social engineering tactic maintains the veneer of legitimacy while the malware executes follow-on stages in the background.

The HTA also performs environmental checks to avoid analysis in sandbox environments. It queries the Windows Registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate" to determine how long ago the operating system was installed. If the system was installed less than ten days prior, the malware aborts execution, suggesting the attackers are specifically targeting production environments rather than freshly built research or sandbox machines.

If the system passes these checks, the HTA extracts two files from the ZIP archive - a Visual Basic Script (VBScript) and a PNG image - saving them under different names. It also creates a scheduled task to execute the VBScript, ensuring persistence on the infected system.

The VBScript's primary responsibility is to extract malicious code embedded within the PNG image. This obfuscated loader is called BadPaw, and it's capable of contacting a command-and-control (C2) server to download additional components.

Interestingly, BadPaw includes a decoy execution path. "Consistent with the 'BadPaw' tradecraft, if this file is executed independently of the full attack chain, it initiates a dummy code sequence," ClearSky noted. "This decoy execution displays a graphical user interface (GUI) featuring a picture of a cat, aligning with the visual theme of the initial image file from which the primary malware was extracted."

When the "MeowMeow" button within this decoy GUI is clicked, the application simply displays a "Meow Meow Meow" message, performing no further malicious actions. This secondary functional decoy is designed to mislead manual analysis and waste researchers' time.

MeowMeow Backdoor: The Final Payload

The actual malicious payload, MeowMeow, is only activated when executed with a specific parameter ("-v") that's provided by the initial infection chain. Before executing its malicious code, MeowMeow performs additional checks to ensure it's running on an actual endpoint rather than a sandbox, and verifies that forensic and monitoring tools like Wireshark, Procmon, Ollydbg, and Fiddler are not running in the background.

At its core, MeowMeow is equipped with capabilities that make it a sophisticated backdoor:

  • Remote execution of PowerShell commands on the compromised host
  • File system operations including reading, writing, and deleting data
  • Communication with command-and-control servers

Attribution and Technical Indicators

The campaign has been attributed to APT28 based on several factors:

  • The targeting footprint (Ukrainian entities)
  • The geopolitical nature of the lures used
  • Overlaps with techniques observed in previous Russian cyber operations

ClearSky researchers identified Russian language strings in the source code, which they say "reinforces the assessment that the activity is the work of a Russian-speaking threat actor." The presence of these strings suggests either an operational security error or inadvertent inclusion of Russian development artifacts.

Technical Details and IOCs

While the full technical analysis is available in ClearSky's report, the campaign demonstrates several notable technical characteristics:

Initial Access Vector: Phishing emails from ukr[.]net addresses containing links to ZIP archives

First Stage Loader: BadPaw, a .NET-based loader embedded in a PNG image

Final Payload: MeowMeow backdoor with PowerShell execution capabilities

Evasion Techniques: Sandbox detection through registry queries, monitoring tool detection, decoy execution paths

Persistence Mechanism: Scheduled tasks created by the VBScript component
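As an added illustration (not code from ClearSky's report), the following Python script shows how a defender could flag two links of the chain summarized above in process-creation telemetry: an HTA registering a scheduled task that runs a VBScript, and a script host launching a binary from a user-writable directory with the "-v" switch that activates MeowMeow. The events, paths, PIDs and task name are constructed assumptions, not indicators from the campaign.

```python
import re

# Constructed Sysmon-style process-creation events modelled on the BadPaw
# chain described in the article. All paths, PIDs and task names are
# assumptions for illustration, not indicators from the ClearSky report.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\Downloads\appeal\border_appeal.hta"'},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC MINUTE /MO 5 /TN Sync /TR "wscript.exe C:\Users\u\AppData\Roaming\sync.vbs"'},
    {"pid": 4300, "ppid": 1200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Roaming\sync.vbs"},
    {"pid": 4310, "ppid": 4300, "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "cmdline": r"C:\Users\u\AppData\Roaming\svc.exe -v"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Directories an ordinary user can write to; binaries launched from here by a
# script host deserve a closer look.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_badpaw_chain(events):
    """Return (rule, pid) findings for the two chain links worth alerting on."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = basename(e["image"])
        cmd = e["cmdline"]
        # Link 1: the HTA registers a scheduled task that runs a VBScript.
        if (name == "schtasks.exe" and parent and basename(parent["image"]) == "mshta.exe"
                and re.search(r"/create\b", cmd, re.I) and re.search(r"\.vbs\b", cmd, re.I)):
            findings.append(("hta_schtasks_vbs", e["pid"]))
        # Link 2: the VBScript launches a binary from a user-writable directory
        # with the "-v" switch. "-v" alone is far too noisy; it only counts
        # together with the script-host parent and the suspicious path.
        if (parent and basename(parent["image"]) in ("wscript.exe", "cscript.exe")
                and USER_WRITABLE.search(e["image"]) and re.search(r"(^|\s)-v(\s|$)", cmd)):
            findings.append(("vbs_spawns_loader_v_flag", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect_badpaw_chain(SAMPLE_EVENTS):
        print(f"ALERT {rule}: pid {pid}")
```

Real deployments should also confirm the sandbox used for detonation has an InstallDate older than ten days, since the HTA otherwise exits before the VBScript and PNG are ever written.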

Implications for Ukrainian Organizations

This campaign highlights the ongoing cyber threat facing Ukrainian organizations from Russian state-sponsored actors. The use of localized lures in Ukrainian, combined with sophisticated evasion techniques and decoy mechanisms, demonstrates APT28's continued evolution and adaptation of their tactics.

Organizations in Ukraine and those with connections to Ukrainian entities should be particularly vigilant for phishing emails containing ZIP archives with border crossing or government appeal themes. The multi-stage nature of the attack, with its decoy mechanisms, makes it particularly challenging to detect and analyze.

The discovery of these new malware families - BadPaw and MeowMeow - also underscores the importance of continuous threat intelligence sharing and the need for organizations to stay informed about emerging threats from known adversary groups like APT28.

For defenders, this campaign serves as a reminder that even sophisticated threat actors continue to rely on phishing as an initial access vector, and that multi-stage attacks with decoy mechanisms are becoming increasingly common in targeted espionage campaigns.
