Ukraine Targeted by Multi-Stage “BadPaw” Malware

Summary
– A new malware campaign named “BadPaw” sends emails from addresses on the Ukrainian email service ukr[.]net to appear credible and lures recipients with a deceptive link.
– The attack is multi-staged: clicking the link first loads a tracking pixel that confirms the victim’s engagement, after which a malicious ZIP archive is delivered; inside it is an HTA application disguised as an HTML document.
– The malware employs evasion tactics, including reading the Windows installation date from the registry and halting if the operating system is less than ten days old (a sandbox indicator); persistence is established via a scheduled task, and the next-stage executable is hidden inside an image file using steganography.
– Once activated, BadPaw deploys a backdoor called “MeowMeowProgram[.]exe” that provides remote access and carries multiple defensive layers to avoid detection and analysis.
– Researchers found Russian-language strings in the code, suggesting a possible Russian-speaking developer or an operational oversight in targeting Ukrainian victims.
A sophisticated new malware campaign has been identified that uses a legitimate Ukrainian email service to lend authenticity to its attacks. Security researchers have named this multi-stage threat “BadPaw.” The operation exploits trust by initiating contact through emails sent from addresses on the widely used ukr[.]net service, a platform that state-linked hacking groups have abused before.
The attack unfolds when a recipient clicks a link supposedly hosting a ZIP archive. Rather than a direct download, the victim is first redirected to a domain that loads a tracking pixel, allowing the attackers to verify the target’s interaction. A subsequent redirect finally delivers the malicious ZIP file. Inside, the archive appears to contain a harmless HTML document, but it is actually a disguised HTA application. Upon execution, it displays a convincing decoy document about a Ukrainian government border appeal while malicious processes silently initiate in the background.
A key evasion technique involves the malware reading a Windows Registry value to learn the system’s installation date. If the operating system was installed less than ten days ago, the malware halts execution. This is a deliberate tactic to avoid automated sandbox environments, which are typically built from freshly installed images. If the system passes this check, BadPaw unpacks additional components from the original ZIP archive. It establishes persistence by creating a scheduled task that runs a VBS script. This script then uses steganography, a method of hiding data within images, to extract executable code from a picture file. At the time of discovery, only a handful of antivirus engines detected this payload.
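The two host artifacts described above (the install-age check and the VBS-launching scheduled task) can be checked from the defender’s side. The following PowerShell is an added example, not code from the article or from the BadPaw samples. It assumes the installation date is read from the standard `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate` value (a REG_DWORD holding a Unix epoch); the article does not name the exact key the malware reads. The ten-day threshold is the one reported for BadPaw.

```powershell
# Added example (not from the article or the BadPaw samples): a defender-side hunt
# for two BadPaw-style artifacts. Assumption: the install date lives in the standard
# CurrentVersion\InstallDate value (Unix epoch, REG_DWORD); the article does not
# name the exact key the malware queries. The ten-day threshold is BadPaw's.

$MinAgeDays = 10

# 1. Would this host pass the malware's install-age check?
#    Sandbox operators should age their images past the threshold; otherwise
#    the sample exits before doing anything worth recording.
$cv        = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$installed = [DateTimeOffset]::FromUnixTimeSeconds([int64]$cv.InstallDate).UtcDateTime
$ageDays   = ((Get-Date).ToUniversalTime() - $installed).TotalDays

if ($ageDays -lt $MinAgeDays) {
    Write-Warning ('InstallDate {0:u} is {1:N1} days old: a BadPaw-style check would halt here. Age the image past {2} days.' -f $installed, $ageDays, $MinAgeDays)
} else {
    Write-Output ('InstallDate {0:u} ({1:N1} days old): passes the malware''s check.' -f $installed, $ageDays)
}

# 2. Scheduled tasks whose action launches a VBS script via wscript/cscript.
#    Legitimate tasks can match too; the output is a triage list, not a verdict.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe      = [string]$action.Execute
        $argsText = [string]$action.Arguments
        if ($exe -match '(?i)[wc]script(\.exe)?$' -or $argsText -match '(?i)\.vbs\b') {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $exe
                Arguments = $argsText
                Author    = $task.Author
            }
        }
    }
} | Format-Table -AutoSize
```

Run it in an elevated session; `Get-ScheduledTask` omits tasks in protected folders for non-administrators. A task whose VBS lives next to an image file in a user-writable directory is the pattern worth pulling for analysis.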
Once launched with the expected command-line parameter, BadPaw establishes communication with its command-and-control server. This communication occurs in distinct stages: first retrieving a numeric response, then requesting a specific landing page, and finally downloading ASCII-encoded payload data hidden within HTML. The decoded data deploys a backdoor called “MeowMeowProgram[.]exe,” which grants attackers a remote shell and full control over the victim’s file system.
The MeowMeow backdoor itself is fortified with multiple defensive layers. It requires specific runtime parameters, is protected by .NET Reactor obfuscation, and includes checks to detect sandbox environments. It also actively monitors for analysis tools such as Wireshark and Procmon. If launched without the expected parameters, it displays a benign interface with a cat picture; clicking the button merely shows a harmless message, further masking its true intent.
Researchers discovered Russian-language strings within the malware’s code, including one that translates to “Time to reach working/operational condition.” These linguistic artifacts could point to a Russian-speaking developer or may represent an operational mistake where the malware was not fully localized for its intended Ukrainian targets. The use of a previously abused Ukrainian email service, combined with these code clues, suggests a highly targeted and strategically planned cyber espionage campaign.
(Source: InfoSecurity Magazine)
