Reading view

Exposing a Russian Campaign Targeting Ukraine Using New Malware Duo: BadPaw and MeowMeow

ClearSky Team has identified a targeted Russian cyber campaign against Ukraine utilizing two
novel malware strains, BadPaw and MeowMeow.

The attack chain initiates with a phishing email containing a link to a ZIP archive. Once
extracted, an initial HTA file displays a lure document written in Ukrainian concerning border
crossing appeals to deceive the victim. Simultaneously, the infection triggers the download of
BadPaw, a .NET-based loader. Upon establishing command-and-control (C2) communication,
the loader deploys MeowMeow, a sophisticated backdoor.

To hinder analysis and reverse engineering, both strains are obfuscated using the .NET Reactor packer, signaling a deliberate
effort by the threat actors to maintain persistence and evade detection.
To ensure persistence and evade discovery, both malware strains incorporate sophisticated
defense mechanisms.

The campaign employs strict Parameter Validation; the malicious
components remain dormant, running only “dummy” code with a benign GUI, unless executed
with specific, predefined parameters. Furthermore, the MeowMeow backdoor features
advanced environmental awareness. It actively scans for virtual machines and common
analysis tools such as Wireshark, ProcMon, and Fiddler, immediately terminating its execution
if a sandbox or researcher environment is detected.

 ClearSky attributes this campaign with high confidence to a Russian state-aligned threat actor
and with low confidence to the specific group APT28 (Fancy Bear). This assessment is based
on a three-pronged analysis:

Targeting & Victimology: The focus on Ukrainian entities, combined with the

geopolitical nature of the lure, aligns with Russian strategic objectives.
Linguistic Artifacts: The presence of Russian-language strings within the code suggests
a development environment native to the region.

Tactical Overlap: The multi-stage infection chain, the use of .NET-based loaders, and
the specific obfuscation techniques mirror established tradecraft observed in previous
Russian cyber operations.

Read the full report:

BadPaw_and_MeowMeow.pdf

  •  

CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild

A new zero-day vulnerability, CVE-2024-43451, was discovered by ClearSky Cyber Security in June 2024. This vulnerability affects Windows systems and is being actively exploited in attacks against Ukrainian entities.

The vulnerability activates URL files containing malicious code through seemingly innocuous actions:

  • A single right-click on the file (all Windows versions).
  • Deleting the file (Windows 10/11).
  • Dragging the file to another folder (Windows 10/11 and some Windows 7/8/8.1 configurations).

The malicious URL files were disguised as academic certificates and were initially observed being distributed from a compromised official Ukrainian government website.

Exploitation Process:

The attack begins with a phishing email sent from a compromised Ukrainian government server. The email prompts the recipient to renew their academic certificate. The email contains a malicious URL file. When the user interacts with the URL file by right-clicking, deleting, or moving it, the vulnerability is triggered. This action establishes a connection with the attacker’s server and downloads further malicious files, including SparkRAT malware.

SparkRAT is an open-source remote access trojan that allows the attacker to gain control of the victim’s system. The attackers also employed techniques to maintain persistence on the infected system, ensuring their access even after a reboot.

Attribution:

CERT-UA linked this campaign to the threat actor UAC-0194, suspected to be Russian. ClearSky also noted similarities with previous campaigns by other threat actors, suggesting the use of a common toolkit or technique.

Remediation:

Microsoft released a security patch for this vulnerability on November 12, 2024. Users are strongly advised to update their Windows systems to mitigate the risk posed by CVE-2024-43451.

Read the full report:

  •  

Iranian “Dream Job” Campaign 11.24

ClearSky Cyber Security research identified a campaign named “Iranian Dream Job campaign”, in which the Iranian threat actor TA455 targeted the aerospace industry by offering fake jobs. 

The campaign distributed the SnailResin malware, which activates the SlugResin backdoor. ClearSky attributes both malware programs to a subgroup of Charming Kitten. 

However, some cyber research companies detected the malware files as belonging to the North Korean Kimsuky/Lazarus APT group. 

The similar “Dream Job” lure, attack techniques, and malware files suggest that either Charming Kitten was impersonating Lazarus to hide its activities, or that North Korea shared attack methods and tools with Iran. 

The Iranian “Dream Job” campaign has been active since at least September 2023. Mandiant had previously reported on suspected Iranian espionage activity targeting aerospace, aviation, and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE), as well as Turkey, India, and Albania. 

The LinkedIn profiles of the fake recruiters in our report seem to be newer versions of the profiles Mandiant previously reported. For example, ClearSky discovered a profile associated with a fake company called “Careers 2 Find,” which previously worked for “1st Employer,” a fake recruiting website highlighted by Mandiant. 

How the Campaign Works

TA455 uses fake recruiting websites and LinkedIn profiles to distribute a ZIP file containing malicious files. The ZIP file, which includes legitimate files, is downloaded from a domain impersonating a job recruiting website. Victims are given a detailed PDF guide on how to “safely” access the website in order to prevent them from making “mistakes” that might “prevent infection”. Once the ZIP file is downloaded, the victim clicks on a highlighted EXE file. The EXE loads the malicious DLL file “secur32[.]dll” via DLL side loading. The malware checks the victim’s IP address and downloads information from a GitHub account that contains the C&C server domain address.

For the full version of our report:

  •  

Fata Morgana: Watering hole attack on shipping and logistics websites

ClearSky Cyber Security has detected a watering hole attack on at least eight Israeli websites. The attack is highly likely to be orchestrated by a nation-state actor from Iran, with a low confidence specific attribution to Tortoiseshell (also called TA456 or Imperial Kitten).

The Infected sites collect preliminary user information through a script. We have discovered several details that suggest this script is used for malicious purposes.

Read the Full report: Fata Morgana Watering hole report

  •  

Lyceum suicide drone

ClearSky discovered a new malware associated with the Iranian SiameseKitten (Lyceum) group with
medium-high confidence.
The file is downloaded from a domain registered on June 6th, and it communicates with a previously unknown command and control server whose IP address is adjacent to that of the domain.

This indicates an attacker-controlled at least two IP’s on the same range.
The downloaded file is a reverse shell that impersonates an Adobe update.
The reverse shell is dropped by a parent file signed with a fake Microsoft certificate, along with a lure PDF document and an executable designed to establish persistence.
There seems to be a shared use of fake Microsoft certificates by a variety of Iranian groups, as Phosphorus was previously observed.
Additionally, the lure PDF document relates to drone attacks conducted in Iran, resembling a similar document previously employed by SiameseKitten3.

Read the full report: https://www.clearskysec.com/wp-content/uploads/2022/06/Lyceum-suicide-drone-23.6.pdf

  •  

Attributing CryptoCore Attacks Against Crypto Exchanges to LAZARUS (North Korea)

CryptoCore is an attack campaign against crypto-exchange companies that has been ongoing for three years and was discovered by ClearSky researchers. This cybercrime campaign is focused mainly on the theft of cryptocurrency wallets, and we estimate that the attackers have already made off with hundreds of millions of dollars. This campaign was also reported by additional companies and organizations, including JPCERT/CC[1], NTT Security[2] and F-SECURE[3]. The campaign is also known as CryptoMimic, Dangerous Password and Leery Turtle. In this report we attributed this campaign to a specific actor – North Korea’s LAZARUS APT Group, known also as Hidden Cobra.

Read the full report: Attributing CryptoCore Attacks Against Crypto Exchanges to LAZARUS (North Korea)

In this report, we based our attribution with two stages of research:

  1. First stage– connecting all research documents to the same campaign:  a comparative study of all the research documents trying to prove they are all referring to the same campaign.
  2. Second stage – Attribution to Lazarus: We adopted F-SECURE’s attribution to LAZARUS. Then we reaffirmed this attribution by comparing the attack tools  found in this campaign  to other Lazarus campaigns  and found strong similarities.

Our research shows a MEDIUM-HIGH likelihood that Lazarus group, a  North-Korean, state-sponsored APT group, is attacking crypto exchanges all over the world and in Israel for at least three years. This group is has successfully hacked into numerous companies and organizations around the world for many years. Until recently this group was not known to attack Israeli targets.

We would like to thank NTT Security Japan for sharing malware samples with us, and for their feedback on this research.


[1] https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html

[2] https://vblocalhost.com/uploads/VB2020-Takai-etal.pdf

[3] https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf

  •  
❌