Cybersecurity researchers disclosed a new Russian-linked campaign this week that targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow, delivered via a phishing ZIP archive and an HTA lure.
KEY FACTS
- Incident: Russian-linked campaign targeting Ukrainian entities
- Malware: .NET loader BadPaw and backdoor MeowMeow
- Delivery: Phishing email with ZIP archive and HTA decoy
- Persistence: Scheduled task and VBScript extraction from a PNG image
- Attribution: Linked with moderate confidence to APT28
A technical analysis by ClearSky described an attack chain that begins with a phishing message sent from a ukr[.]net address and containing a link to a ZIP archive, with an image-based tracker that first signals the operator.
The downloaded ZIP contains an HTA file that displays a Ukrainian-language decoy about a border crossing to distract the victim while the follow-on stages run in the background. The HTA performs environment checks, including a query of the Windows InstallDate registry value, to avoid systems installed within the previous ten days.
The HTA extracts a VBScript and a PNG image and writes them to disk, then creates a scheduled task that executes the VBScript for persistence. The VBScript recovers obfuscated loader code embedded in the PNG, which becomes the BadPaw .NET loader. When executed outside the full chain, BadPaw displays a benign cat-themed GUI as a decoy.
BadPaw contacts a command-and-control server to download additional components, including an executable named MeowMeow. MeowMeow is activated only when launched with a specific parameter and only after checks confirm it is running on a real endpoint rather than under common analysis tools. The backdoor can execute PowerShell commands and perform file system operations. Russian-language strings were present in the code.
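The HTA stage described above leaves two observable process-creation behaviours: a registry query for the Windows InstallDate spawned by mshta.exe, and a scheduled task created by mshta.exe whose action runs a VBScript from a user-writable path. The following detection logic, an added example that is not part of the ClearSky analysis, runs those rules over constructed Sysmon-style events; all paths, task names and process trees in the sample data are assumptions for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\u\Downloads\crossing.hta"'},
    {"pid": 2, "parent": r"C:\Windows\System32\mshta.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate'},
    {"pid": 3, "parent": r"C:\Windows\System32\mshta.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 10 /tn Update /tr "wscript.exe C:\Users\u\AppData\Roaming\x.vbs"'},
    {"pid": 4, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg query HKLM\SYSTEM\CurrentControlSet\Services"},            # benign admin use
    {"pid": 5, "parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\AppData\Roaming\x.vbs"},               # the task firing later
]

# A .vbs launched from a location a standard user can write to.
USER_WRITABLE_VBS = r"\\(AppData|Users\\Public|ProgramData|Temp)\\.*\.vbs"

# Each rule: (name, parent image regex or None, image regex, command-line regex).
RULES = [
    # An HTA-hosted script reading the OS install date: the "recently installed system" check.
    ("hta_installdate_check", re.compile(r"\\mshta\.exe$", re.I),
     re.compile(r"\\(reg|powershell|cmd)\.exe$", re.I),
     re.compile(r"CurrentVersion.*InstallDate", re.I)),
    # An HTA registering a scheduled task whose action runs a VBScript from a user-writable path.
    ("hta_schtask_vbs_persistence", re.compile(r"\\mshta\.exe$", re.I),
     re.compile(r"\\schtasks\.exe$", re.I),
     re.compile(r"/create.*(wscript|cscript).*" + USER_WRITABLE_VBS, re.I)),
    # The task firing later: a script host running a .vbs out of a user-writable path, any parent.
    ("vbs_from_user_path", None,
     re.compile(r"\\(wscript|cscript)\.exe$", re.I),
     re.compile(USER_WRITABLE_VBS, re.I)),
]

def detect(events):
    """Return (rule_name, pid) for every event satisfying a rule's parent, image and command-line tests."""
    hits = []
    for ev in events:
        for name, parent_re, image_re, cmd_re in RULES:
            if parent_re is not None and not parent_re.search(ev["parent"]):
                continue
            if image_re.search(ev["image"]) and cmd_re.search(ev["cmd"]):
                hits.append((name, ev["pid"]))
    return hits

def chain_suspected(hits):
    """High confidence only when both HTA-stage behaviours appear together, not either one alone."""
    names = {name for name, _ in hits}
    return {"hta_installdate_check", "hta_schtask_vbs_persistence"} <= names
```

The third rule is noisier on its own (legitimate logon scripts can live under ProgramData), which is why chain_suspected keys on the two mshta-parented behaviours together.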
WHY IT MATTERS
A multi-stage loader paired with a backdoor that enforces sandbox avoidance and persistence increases the likelihood of prolonged covert access on compromised hosts and complicates detection and response in targeted networks.