Russian phishing campaign hits Ukraine with novel malware

A Russian state-sponsored threat operation has targeted Ukrainian entities with a new phishing campaign that delivers novel malicious payloads, reports The Record, a news site run by cybersecurity firm Recorded Future.

According to an analysis from cybersecurity firm ClearSky, the threat actors used addresses hosted by the popular Ukrainian webmail and news service ukr[.]net to send a malicious email whose link redirected to a ZIP archive. The archive contained a lure document posing as a Ukrainian border checkpoint permit, which triggered the download of the BadPaw loader. BadPaw then installed the advanced MeowMeow backdoor, which can enumerate files and read, write, and delete data.

Both BadPaw and MeowMeow were also observed to have sophisticated detection bypass features. The involvement of ukr[.]net-hosted email addresses has prompted researchers to attribute the campaign with low confidence to the APT28 threat operation, also known as Fancy Bear, Forest Blizzard, and Blue Delta.
