Full Report
Cybersecurity researchers have disclosed details of a new Russian cyber campaign that has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow. "The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals
Analysis Summary
# Threat Actor: APT28
## Attribution & Identity
* **Identification:** APT28 (attributed with moderate confidence).
* **Aliases:** Fancy Bear, Sednit, Strontium, Pawn Storm, Sofacy, Grizzly Steppe.
* **Known Associations:** Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) Military Unit 26165.
## Activity Summary
The actor is currently conducting a cyber-espionage campaign against Ukrainian entities using a multi-stage infection chain. The campaign utilizes social engineering (phishing) to deploy two previously undocumented malware families: **BadPaw** and **MeowMeow**. The operation is characterized by the use of geopolitical lures, specifically regarding Ukrainian border crossing appeals, to gain initial access.
## Tactics, Techniques & Procedures
* **Phishing for Initial Access:** Emails sent via `ukr[.]net` accounts to establish trust.
* **Tracking Pixels:** Use of exceptionally small images to track link clicks and verify victim engagement.
* **Anti-Sandbox/Anti-Analysis:**
  * Registry checks: Queries `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate` to ensure the OS is older than 10 days.
  * Decoy GUI: Displays a cat image/message if executed without specific parameters to mislead manual analysis.
  * Process monitoring: Checks for tools like Wireshark, Procmon, Ollydbg, and Fiddler.
* **Execution & Persistence:**
  * Use of HTML Applications (HTA) to initiate the chain.
  * Creation of scheduled tasks to execute VBScripts for persistence.
  * Steganography: Extracting malicious code from PNG image files.
* **Command Line activation:** The `MeowMeow` backdoor only activates malicious functions when executed with the `-v` parameter.
## Targeting
* **Sectors:** Ukrainian Government and entities involved in regional border control/appeals.
* **Geography:** Ukraine.
* **Victims:** Broadly defined as Ukrainian entities; specifically those targeted with lures regarding border crossing appeals.
## Tools & Infrastructure
* **Malware Families:**
  * **BadPaw:** A .NET-based loader responsible for C2 communication and downloading follow-on payloads.
  * **MeowMeow:** A sophisticated backdoor capable of executing PowerShell commands and file system operations (read/write/delete).
* **Components:** VBScripts, HTA files, and PNG-embedded malicious code.
* **Infrastructure:**
  * `ukr[.]net` (Phishing origin)
  * Remote C2 servers (used for fetching MeowMeow and receiving exfiltrated data).
  * Defanged URLs: `ukr[.]net`
## Implications
This campaign demonstrates APT28's continued focus on Ukrainian strategic interests and its ability to develop new, undocumented tooling to bypass traditional detection. The use of highly specific geopolitical lures suggests an intent to gather intelligence on individuals or government procedures related to movement across borders during the ongoing conflict. The technical sophistication of the evasion techniques (registry aging checks and decoy GUIs) indicates a high level of operational security intended to exhaust forensic resources.
## Mitigations
* **Email Filtering:** Implement strict filtering for emails originating from public webmail providers like `ukr[.]net` when sent to official government or corporate addresses.
* **Behavioral Monitoring:** Monitor for unexpected `mshta.exe` executions or the creation of scheduled tasks launching VBScripts from temporary directories.
* **Endpoint Analysis:** Flag systems where the `InstallDate` registry value is queried by processes that are not standard browser or system processes.
* **Network Defense:** Monitor for "tracking pixel" behavior (requests for tiny image files) from unknown or suspicious external domains.
* **User Training:** Educate staff on the risks of compressed ZIP archives and HTA files, even when they appear to contain relevant government documents.
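A detection sketch for the three behavioral mitigations above (unexpected `mshta.exe` executions, scheduled tasks launching VBScript from temporary directories, and `InstallDate` reads by unexpected processes), written here as an added example rather than code from the report. The event records are constructed, and the field names, severities and process allowlist are assumptions.

```python
import re

# Constructed sample events (not from the report). Assumption: an EDR that records
# both process creation and registry value reads; Sysmon alone does not log reads.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\u\AppData\Local\Temp\appeal\appeal.hta"'},
    {"kind": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 10 /tn Updater '
            r'/tr "wscript.exe C:\Users\u\AppData\Local\Temp\update.vbs"'},
    {"kind": "reg_read", "image": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate"},
    {"kind": "reg_read", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate"},
    {"kind": "process", "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
]

TEMP_PATH = re.compile(r"\\temp\\", re.I)          # payload or script located in a Temp dir
VBS_TASK = re.compile(r"/tr\s+\"?[^\"]*(wscript|cscript|\.vbs)", re.I)
INSTALL_DATE = re.compile(r"\\CurrentVersion\\InstallDate$", re.I)
# Assumption: the only processes expected to read InstallDate on a managed estate
ALLOWED_READERS = {r"c:\windows\system32\svchost.exe", r"c:\windows\explorer.exe"}


def detect(events):
    """Return (severity, rule, detail) tuples for events matching the report's TTPs."""
    alerts = []
    for ev in events:
        image = ev["image"].lower()
        if ev["kind"] == "process":
            cmd = ev.get("cmd", "")
            from_temp = bool(TEMP_PATH.search(cmd))
            if image.endswith("\\mshta.exe"):
                alerts.append(("high" if from_temp else "medium", "mshta_execution", cmd))
            elif (image.endswith("\\schtasks.exe") and "/create" in cmd.lower()
                  and VBS_TASK.search(cmd)):
                alerts.append(("high" if from_temp else "medium",
                               "vbscript_scheduled_task", cmd))
        elif ev["kind"] == "reg_read":
            if INSTALL_DATE.search(ev["target"]) and image not in ALLOWED_READERS:
                alerts.append(("medium", "installdate_read_by_unexpected_process", image))
    return alerts


if __name__ == "__main__":
    for sev, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {detail}")
```

The allowlist should be built from a baseline of the estate's own registry telemetry rather than the two entries assumed here.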