❌

Reading view

Exposing a Russian Campaign Targeting Ukraine Using New Malware Duo: BadPaw and MeowMeow

ClearSky Team has identified a targeted Russian cyber campaign against Ukraine utilizing two
novel malware strains, BadPaw and MeowMeow.

The attack chain initiates with a phishing email containing a link to a ZIP archive. Once
extracted, an initial HTA file displays a lure document written in Ukrainian concerning border
crossing appeals to deceive the victim. Simultaneously, the infection triggers the download of
BadPaw, a .NET-based loader. Upon establishing command-and-control (C2) communication,
the loader deploys MeowMeow, a sophisticated backdoor.

To hinder analysis and reverse engineering, both strains are obfuscated using the .NET Reactor packer, signaling a deliberate
effort by the threat actors to maintain persistence and evade detection.
To ensure persistence and evade discovery, both malware strains incorporate sophisticated
defense mechanisms.

The campaign employs strict Parameter Validation; the malicious
components remain dormant, running only β€œdummy” code with a benign GUI, unless executed
with specific, predefined parameters. Furthermore, the MeowMeow backdoor features
advanced environmental awareness. It actively scans for virtual machines and common
analysis tools such as Wireshark, ProcMon, and Fiddler, immediately terminating its execution
if a sandbox or researcher environment is detected.

Β ClearSky attributes this campaign with high confidence to a Russian state-aligned threat actor
and with low confidence to the specific group APT28 (Fancy Bear). This assessment is based
on a three-pronged analysis:

Targeting & Victimology: The focus on Ukrainian entities, combined with the

geopolitical nature of the lure, aligns with Russian strategic objectives.
Linguistic Artifacts: The presence of Russian-language strings within the code suggests
a development environment native to the region.

Tactical Overlap: The multi-stage infection chain, the use of .NET-based loaders, and
the specific obfuscation techniques mirror established tradecraft observed in previous
Russian cyber operations.

Read the full report:

BadPaw_and_MeowMeow.pdf

  •  

CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild

A new zero-day vulnerability, CVE-2024-43451, was discovered by ClearSky Cyber Security in June 2024. This vulnerability affects Windows systems and is being actively exploited in attacks against Ukrainian entities.

The vulnerability activates URL files containing malicious code through seemingly innocuous actions:

  • A single right-click on the file (all Windows versions).
  • Deleting the file (Windows 10/11).
  • Dragging the file to another folder (Windows 10/11 and some Windows 7/8/8.1 configurations).

The malicious URL files were disguised as academic certificates and were initially observed being distributed from a compromised official Ukrainian government website.

Exploitation Process:

The attack begins with a phishing email sent from a compromised Ukrainian government server. The email prompts the recipient to renew their academic certificate. The email contains a malicious URL file. When the user interacts with the URL file by right-clicking, deleting, or moving it, the vulnerability is triggered. This action establishes a connection with the attacker’s server and downloads further malicious files, including SparkRAT malware.

SparkRAT is an open-source remote access trojan that allows the attacker to gain control of the victim’s system. The attackers also employed techniques to maintain persistence on the infected system, ensuring their access even after a reboot.

Attribution:

CERT-UA linked this campaign to the threat actor UAC-0194, suspected to be Russian. ClearSky also noted similarities with previous campaigns by other threat actors, suggesting the use of a common toolkit or technique.

Remediation:

Microsoft released a security patch for this vulnerability on November 12, 2024. Users are strongly advised to update their Windows systems to mitigate the risk posed by CVE-2024-43451.

Read the full report:

  •  
❌