
"The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals to deceive the victim. In parallel, the attack chain leads to the deployment of a .NET-based loader called BadPaw, which then establishes communication with a remote server to fetch and deploy a sophisticated backdoor called MeowMeow."
"The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28, based on the targeting footprint, the geopolitical nature of the lures used, and overlaps with techniques observed in previous Russian cyber operations."
"The dropped decoy document serves as a social engineering tactic, presenting a confirmation of receipt for a government appeal regarding a Ukrainian border crossing. This lure is intended to maintain the veneer of legitimacy."
Cybersecurity researchers discovered a Russian cyber campaign targeting Ukrainian entities using two previously undocumented malware families: BadPaw and MeowMeow. The attack begins with phishing emails from ukr[.]net containing links to ZIP archives. Upon extraction, an HTA file displays a deceptive Ukrainian-language document about border crossing appeals while deploying a .NET-based loader called BadPaw in the background. BadPaw communicates with remote servers to fetch and deploy the sophisticated MeowMeow backdoor. The campaign is attributed with moderate confidence to APT28 based on targeting patterns, geopolitical lures, and overlaps with previous Russian cyber operations. The attack chain includes tracking pixels to confirm link clicks and sandbox evasion checks.
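The delivery stage described above (a ZIP archive that carries an HTA lure) is something a mail gateway or analyst can screen for before anything is opened. The script below is an added example written for this summary, not code from The Hacker News article or from the researchers who reported the campaign. It builds a constructed in-memory archive that mimics the described layout, then lists members with commonly abused script extensions, descending into nested ZIPs up to a fixed depth so a wrapped archive cannot hide the HTA. The set of flagged extensions beyond `.hta` is an assumption for illustration; the file names and contents are placeholders.

```python
import io
import zipfile
from typing import List

# Assumption: extensions worth flagging in an inbound archive. Only .hta is taken
# from the reported chain; the others are common script/executable containers.
SUSPICIOUS_EXTENSIONS = (".hta", ".js", ".jse", ".vbs", ".wsf", ".lnk", ".exe", ".scr")

# Bound on nested-archive recursion so a deliberately deep archive cannot exhaust us.
MAX_NESTING = 3


def build_sample_zip() -> bytes:
    """Constructed sample: an outer archive with a lure HTA, a benign text file,
    and a nested archive that itself contains another HTA. Placeholder content only."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.hta", "<html><script>/* placeholder */</script></html>")

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Appeal_confirmation.hta", "<html><script>/* placeholder */</script></html>")
        zf.writestr("notes.txt", "placeholder text, not suspicious")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def triage_zip(data: bytes, depth: int = 0) -> List[str]:
    """Return the paths (outer/inner/...) of archive members whose name ends with a
    suspicious extension. Nested ZIP members are expanded up to MAX_NESTING levels;
    deeper ones are reported as unexpanded so the analyst knows something was skipped."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if info.is_dir():
                continue
            if lower.endswith(".zip"):
                if depth >= MAX_NESTING:
                    findings.append(f"{name} (nested archive not expanded: depth limit)")
                    continue
                # Recurse into the nested archive and prefix results with its path.
                for nested_hit in triage_zip(zf.read(info), depth + 1):
                    findings.append(f"{name}/{nested_hit}")
            elif lower.endswith(SUSPICIOUS_EXTENSIONS):
                # endswith() also catches double extensions such as report.pdf.hta
                findings.append(name)
    return findings


if __name__ == "__main__":
    for hit in triage_zip(build_sample_zip()):
        print("suspicious member:", hit)
```

The check is deliberately narrow: it keys on member names rather than content, so it is a cheap first-pass filter for attachments and downloaded archives, not a substitute for detonation or static analysis of the HTA itself. Pair it with alerting on `mshta.exe` launches from user-writable paths to cover the case where the archive is opened anyway.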
Read at The Hacker News