APT28 Targets Ukraine with BadPaw & MeowMeow Malware: Full Analysis (2026)

APT28, a Russian state-sponsored threat actor, has been linked to a sophisticated cyber campaign targeting Ukraine. This campaign employs two previously undocumented malware families: BadPaw and MeowMeow. The attack chain begins with a phishing email, seemingly from a Ukrainian context, containing a link to a ZIP archive. Once extracted, an HTML Application (HTA) file displays a decoy document, luring victims with a border crossing appeal. This initial interaction sets the stage for the deployment of the BadPaw loader, which then fetches and installs the MeowMeow backdoor from a remote server.

What makes this campaign particularly intriguing is the use of social engineering tactics. The dropped decoy document, a confirmation of receipt for a government appeal, maintains the appearance of legitimacy. The HTA file also includes checks to avoid running in sandbox environments, ensuring its execution on real systems. Once executed, it extracts a Visual Basic Script (VBScript) and a PNG image, saving them under different names. The VBScript then extracts the BadPaw loader, which, when executed independently, displays a GUI with a cat picture, a decoy to mislead analysis.
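For defenders, the HTA and VBScript stage described above leaves process-creation telemetry that can be hunted. The following is an added example, not part of the original article or of any published detection for this campaign: it pairs `mshta.exe` launching an `.hta` from a user-writable path with a script host running a `.vbs` from such a path shortly afterwards on the same host. The event fields, hosts, paths, file names and the 300-second window are constructed assumptions.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style fields). Hosts,
# times and paths are invented for illustration; none come from the campaign.
SAMPLE_EVENTS = [
    {"host": "ws1", "ts": 1000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\Temp1_appeal.zip\appeal.hta"'},
    {"host": "ws1", "ts": 1040, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Roaming\upd.vbs"'},
    # Benign: logon script outside user-writable paths.
    {"host": "ws1", "ts": 1050, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\IT\logon.vbs"'},
    # Not paired: user-path script, but far outside the correlation window.
    {"host": "ws1", "ts": 5000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\macro.vbs"'},
    # Benign: HTA shipped with an installed product under Program Files.
    {"host": "ws2", "ts": 1000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    # Not paired: the only HTA seen on ws2 did not run from a user path.
    {"host": "ws2", "ts": 1030, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Users\v\Downloads\tool.vbs"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\")  # assumed scope
WINDOW_SECONDS = 300  # assumed correlation window, tune per environment

def runs_from_user_path(event, binaries, extension):
    """True if one of `binaries` was started on a file with `extension` in a user path."""
    cmd = event["cmdline"].lower()
    return (ntpath.basename(event["image"]).lower() in binaries
            and extension in cmd and any(p in cmd for p in USER_WRITABLE))

def find_hta_then_script(events):
    """Pair each user-path HTA launch with later user-path script runs on the same host."""
    last_hta, hits = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if runs_from_user_path(e, {"mshta.exe"}, ".hta"):
            last_hta[e["host"]] = e
        elif runs_from_user_path(e, SCRIPT_HOSTS, ".vbs"):
            hta = last_hta.get(e["host"])
            if hta and e["ts"] - hta["ts"] <= WINDOW_SECONDS:
                hits.append({"host": e["host"], "hta_cmd": hta["cmdline"],
                             "script_cmd": e["cmdline"], "delay": e["ts"] - hta["ts"],
                             "from_archive": ".zip\\" in hta["cmdline"].lower()})
    return hits

if __name__ == "__main__":
    for hit in find_hta_then_script(SAMPLE_EVENTS):
        print(hit)
```

The correlation is by host and time rather than by parent process, so it still fires if the script is started indirectly instead of as a direct child of `mshta.exe`.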

The MeowMeow backdoor is a powerful tool, capable of remotely executing PowerShell commands and supporting file system operations. Its malicious code activates only when it is launched with a specific parameter and after it has confirmed that it is running on an actual endpoint, free from forensic and monitoring tools. The presence of Russian language strings in the source code suggests either an operational security error or a remnant of the development phase. This campaign highlights the evolving nature of cyber threats and the importance of staying vigilant against sophisticated, state-sponsored attacks.


Author: Neely Ledner
