A newly found malware campaign exploiting a Ukrainian email service to build trust has been found by cybersecurity experts.
About the campaign
The operation starts with an email sent from an address hosted on ukr[.]net, a famous Ukrainian provider earlier exploited by the Russia based hacking group APT28 in older campaigns.
BadPaw malware
Experts at ClearSky have termed the malware “BadPaw.” The campaign starts when a receiver opens a link pretending to host a ZIP archive. Instead of starting a direct download, the target is redirected to a domain that installs a tracking pixel, letting the threat actor to verify engagement. Another redirect sends the ZIP file.
The archive pretends to consist of a standard HTML file, but ClearSky experts revealed that it is actually an HTA app in hiding. When deployed, the file shows a fake document related to a Ukrainian government border crossing request, where malicious processes are launched in the background.
Attack tactic
Before starting, the malware verifies a Windows Registry key to set the system’s installation date. If the OS is older than ten days, deployment stops, an attack tactic that escapes sandbox traps used by threat analysts.
If all the conditions are fulfilled, the malware looks for the original ZIP file and retrieves extra components. The malware builds its persistence via a scheduled task that runs a VBS script which deploys steganography to steal hidden executable code from an image file.
Only nine antivirus engines could spot the payload at the time of study.
Multi-Layered Attack
After activation within a particular parameter, BadPaw links to a C2 server.
The following process happens:
Getting a numeric result from the /getcalendar endpoint.
Gaining access to a landing page called “Telemetry UP!” through /eventmanager.
Downloading the ASCII-encoded payload information installed within HTML.
In the end, the decrypted data launches a backdoor called “MeowMeowProgram[.]exe,” which offers file system control and remote shell access.
Four protective layers are included in the MeowMeow backdoor: runtime parameter constraints, obfuscation of the.NET Reactor, sandbox detection, and monitoring for forensic tools like Wireshark, Procmon, Ollydbg, and Fiddler.
Incorrect execution results in a benign graphical user interface with a picture of a cat. The “MeowMeow” button only displays a harmless message when it is clicked.
Read the original article: