Cybersecurity researchers have uncovered a newly identified malware campaign that exploits a Ukrainian email service to gain credibility. This operation begins with an email originating from an address hosted on ukr[.]net, a well-known Ukrainian provider that has previously been misused by the Russian-linked threat actor APT28 in earlier campaigns.
Researchers at ClearSky, who have dubbed the malware "BadPaw," indicate that the attack is initiated when a recipient clicks on a link claiming to host a ZIP archive. However, rather than downloading the file directly, the victim is redirected to a different domain that loads a tracking pixel, enabling the attacker to confirm that the email has been engaged with. Following this, a second redirect delivers the actual ZIP file.
While the ZIP archive appears to contain a standard HTML file, ClearSky's analysis reveals that it is, in fact, a disguised HTA application. Once executed, this file shows a decoy document related to a Ukrainian government border crossing appeal, while malicious processes operate in the background.
Before execution continues, the malware checks a Windows Registry key to ascertain the system's installation date. If the operating system is less than ten days old, the execution halts. This tactic aims to evade detection by sandbox environments commonly used by security analysts.
If the conditions are favorable, the malware searches for the original ZIP file and extracts additional components. It achieves persistence through a scheduled task that runs a VBS script, which employs steganography to extract hidden executable code from an image file.
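The host-side chain described above (an .hta launched from the ZIP, an install-date lookup in the registry, then a scheduled task that runs a VBS script) is what endpoint telemetry can correlate. The following is an added example, not ClearSky's code or anything from the campaign: it walks constructed Sysmon-style events and reports which stages are present per host. The article does not name the registry key the malware reads; the example assumes the `InstallDate` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion`, and all hosts, PIDs, paths and task names are constructed.

```python
"""Host-side correlation of the BadPaw execution chain (added example).

Walks constructed Sysmon-style events per host and reports which stages of
the chain described in the article are present:
  1. mshta.exe launching an .hta (the "HTML" file from the ZIP),
  2. a registry read of the OS install date from the same process tree
     (assumed to be the InstallDate value under the Windows NT\\CurrentVersion
     key; the article does not name it),
  3. schtasks.exe creating a task that runs a .vbs script via wscript.exe.
All hosts, PIDs, paths and task names below are constructed.
"""
from dataclasses import dataclass

# Assumed registry path for the install-date check; not named in the article.
INSTALL_DATE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate"
CHAIN = ["hta_launch", "install_date_check", "vbs_task_persistence"]


@dataclass
class Event:
    host: str
    kind: str    # "process" (detail = command line) or "registry" (detail = key path)
    pid: int
    ppid: int    # 0 for registry events (not a process creation)
    detail: str


def descendants(root: int, procs: dict) -> set:
    """Return root plus every PID whose parent chain leads back to root."""
    tree = {root}
    changed = True
    while changed:
        changed = False
        for pid, ev in procs.items():
            if ev.ppid in tree and pid not in tree:
                tree.add(pid)
                changed = True
    return tree


def find_chain(events) -> dict:
    """Map host -> list of matched stages, for hosts with at least an .hta launch."""
    results = {}
    for host in sorted({e.host for e in events}):
        evs = [e for e in events if e.host == host]
        procs = {e.pid: e for e in evs if e.kind == "process"}
        for root in evs:
            cmd = root.detail.lower()
            if root.kind != "process" or "mshta" not in cmd or ".hta" not in cmd:
                continue
            tree = descendants(root.pid, procs)
            stages = ["hta_launch"]
            # Stage 2: install-date lookup issued from the HTA's process tree.
            if any(e.kind == "registry" and e.pid in tree
                   and e.detail.lower() == INSTALL_DATE_KEY.lower() for e in evs):
                stages.append("install_date_check")
            # Stage 3: scheduled task created from the tree that runs a VBS script.
            if any(e.kind == "process" and e.pid in tree
                   and "schtasks" in e.detail.lower() and "/create" in e.detail.lower()
                   and "wscript" in e.detail.lower() and ".vbs" in e.detail.lower()
                   for e in evs):
                stages.append("vbs_task_persistence")
            results[host] = stages
    return results


def verdict(stages) -> str:
    """Severity label: the full chain is high confidence, a lone .hta launch only a lead."""
    if stages == CHAIN:
        return "badpaw_chain"
    if len(stages) == 2:
        return "partial_chain"
    return "hta_launch_only"


# Constructed events: ws-01 shows the full chain, ws-02 only a benign .hta,
# srv-03 an unrelated install-date read with no HTA involved.
EVENTS = [
    Event("ws-01", "process", 120, 100,
          r"mshta.exe C:\Users\user\AppData\Local\Temp\Temp1_appeal.zip\appeal.hta"),
    Event("ws-01", "registry", 120, 0, INSTALL_DATE_KEY),
    Event("ws-01", "process", 134, 120, "cmd.exe /c schtasks.exe /create /tn SysUpdate "
          r'/tr "wscript.exe C:\Users\user\AppData\Roaming\upd.vbs" /sc minute /mo 15'),
    Event("ws-02", "process", 220, 200, r"mshta.exe C:\Program Files\Vendor\help.hta"),
    Event("srv-03", "registry", 310, 0, INSTALL_DATE_KEY),
]

if __name__ == "__main__":
    for host, stages in find_chain(EVENTS).items():
        print(host, verdict(stages), stages)
```

Tying the registry read and the task creation to the HTA's process tree, rather than matching each event on its own, is what keeps an ordinary installer's install-date lookup (srv-03) or a vendor help file (ws-02) from firing the same rule.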
At the time of analysis, only nine antivirus engines were able to detect the payload.
Multi-Layered Backdoor and Attribution
Once activated with a specific parameter, BadPaw connects to a command-and-control (C2) server. This staged communication process includes several steps:
- Retrieving a numeric response from the /getcalendar endpoint.
- Accessing a landing page titled "Telemetry UP!" via /eventmanager.
- Downloading ASCII-encoded payload data embedded within HTML.
The decoded data ultimately deploys a backdoor named "MeowMeowProgram[.]exe," granting remote shell access and control over the file system.
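The three-step exchange above is an ordered sequence, and a body-inspecting proxy or IDS can look for it as such rather than alerting on any single request. The following is an added example, not ClearSky's tooling or anything from the campaign: it scans constructed HTTP transaction records per client for a numeric /getcalendar reply, followed by the "Telemetry UP!" landing page, followed by an HTML response carrying a long run of encoded ASCII data. The article does not say which ASCII encoding is used, so the last stage is a heuristic (an unbroken run of at least 512 characters from the base64/hex alphabet inside an HTML body); clients, timestamps, bodies and the 600-second window are constructed.

```python
"""Network-side detection of the staged BadPaw C2 exchange (added example).

Scans constructed HTTP transaction records per client for the ordered sequence
the article describes: a numeric reply from /getcalendar, a landing page titled
"Telemetry UP!" from /eventmanager, and an HTML response carrying a long run of
encoded ASCII data. The encoding is not stated in the article, so the last
stage is a heuristic: an unbroken run of at least 512 base64/hex-alphabet
characters inside an HTML body. All clients, timestamps and bodies are constructed.
"""
import re
from dataclasses import dataclass

NUMERIC_RE = re.compile(r"^\s*\d+\s*$")
LONG_TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{512,}")
EXPECTED = ["calendar_beacon", "landing_page", "embedded_payload"]


@dataclass
class HttpTx:
    ts: int            # epoch seconds
    client: str
    path: str
    content_type: str  # response Content-Type
    body: str          # response body, as captured by a body-inspecting proxy/IDS


def stage_of(tx: HttpTx):
    """Classify one transaction as a chain stage, or None if it matches nothing."""
    path = tx.path.split("?", 1)[0]
    if path == "/getcalendar" and NUMERIC_RE.match(tx.body):
        return "calendar_beacon"
    if path == "/eventmanager" and "Telemetry UP!" in tx.body:
        return "landing_page"
    if "text/html" in tx.content_type and LONG_TOKEN_RE.search(tx.body):
        return "embedded_payload"
    return None


def detect_staged_c2(txs, window=600) -> dict:
    """Map client -> stages seen in order.

    A stage counts only once the previous one has been seen, and the whole
    sequence must fit within `window` seconds of the first beacon.
    """
    by_client = {}
    for tx in sorted(txs, key=lambda t: t.ts):
        by_client.setdefault(tx.client, []).append(tx)
    results = {}
    for client, seq in by_client.items():
        stages, first_ts = [], None
        for tx in seq:
            if len(stages) == len(EXPECTED):
                break
            stage = stage_of(tx)
            if stage is None:
                continue
            if first_ts is not None and tx.ts - first_ts > window:
                break
            if stage == EXPECTED[len(stages)]:
                if not stages:
                    first_ts = tx.ts
                stages.append(stage)
        if stages:
            results[client] = stages
    return results


# Constructed 800-character hex run standing in for the encoded payload.
PAYLOAD = "".join(f"{(i * 37) % 256:02x}" for i in range(400))

TRANSACTIONS = [
    HttpTx(1000, "10.0.0.5", "/getcalendar", "text/plain", "4173"),
    HttpTx(1005, "10.0.0.5", "/eventmanager", "text/html",
           "<html><head><title>Telemetry UP!</title></head><body>ok</body></html>"),
    HttpTx(1012, "10.0.0.5", "/eventmanager?stage=2", "text/html",
           "<html><body><div>" + PAYLOAD + "</div></body></html>"),
    # Benign client: a real calendar page, then the landing-page title without the beacon.
    HttpTx(1100, "10.0.0.9", "/getcalendar", "text/html",
           "<html><body><table><tr><td>Mon</td></tr></table></body></html>"),
    HttpTx(1105, "10.0.0.9", "/eventmanager", "text/html", "<html>Telemetry UP!</html>"),
]

if __name__ == "__main__":
    for client, stages in detect_staged_c2(TRANSACTIONS).items():
        print(client, stages)
```

Requiring the stages in order is deliberate: a "Telemetry UP!" page or a long encoded token on its own is weak evidence, but the numeric /getcalendar reply followed by both within minutes is the shape of this particular staging, so the benign second client is not reported at all.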
The MeowMeow backdoor features four defensive layers, including runtime parameter requirements, .NET Reactor obfuscation, and detection mechanisms to identify sandbox environments as well as forensic tools like Wireshark, Procmon, Ollydbg, and Fiddler.
If executed incorrectly, it presents a benign graphical interface displaying a cat image. Clicking the "MeowMeow" button simply generates a harmless message.
ClearSky researchers also discovered Russian-language strings within the code. One translated line states: "Time to reach working/operational condition: (\d+) seconds."
According to ClearSky, these elements may suggest a Russian-speaking developer behind the malware, or an oversight in not localizing the malware for Ukrainian targets.