FlyingYeti Exploits WinRAR Vulnerability to Deliver COOKBOX Malware in Ukraine

Avatar
Cloudflare on Thursday said it took steps to disrupt a month-long phishing campaign orchestrated by a Russia-aligned threat actor called FlyingYeti targeting Ukraine. “The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures,” Cloudflare’s threat intelligence team Cloudforce One

Cloudflare on Thursday said it took steps to disrupt a month-long phishing campaign orchestrated by a Russia-aligned threat actor called FlyingYeti targeting Ukraine.

“The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures,” Cloudflare’s threat intelligence team Cloudforce One said in a new report published today.

“If opened, the files would result in infection with the PowerShell malware known as COOKBOX, allowing FlyingYeti to support follow-on objectives, such as installation of additional payloads and control over the victim’s system.”

FlyingYeti is the denomination used by the web infrastructure company to track an activity cluster that the Computer Emergency Response Team of Ukraine (CERT-UA) is tracking under the moniker UAC-0149.

Previous attacks disclosed by the cybersecurity agency have involved the use of malicious attachments sent via the Signal instant messaging app to deliver COOKBOX, a PowerShell-based malware capable of loading and executing cmdlets.

The latest campaign detected by Cloudforce One in mid-April 2024 involves the use of Cloudflare Workers and GitHub, alongside the exploitation of WinRAR vulnerability tracked as CVE-2023-38831.

The company described the threat actor as primarily focused on targeting Ukrainian military entities, adding it utilizes dynamic DNS (DDNS) for their infrastructure and leverages cloud-based platforms for staging malicious content and for command-and-control (C2) purposes.

The email messages have been observed employing debt restructuring and payment-related lures to entice recipients into clicking on a now-removed GitHub page (komunalka.github[.]io) that impersonates the Kyiv Komunalka website and instructs them to download a Microsoft Word file (“Рахунок.docx”).

But in reality, clicking on the download button in the page results in the retrieval of a RAR archive file (“Заборгованість по ЖКП.rar”), but only after evaluating the HTTP request to a Cloudflare Worker. The RAR file, once launched, weaponizes CVE-2023-38831 to execute the COOKBOX malware.

“The malware is designed to persist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run,” Cloudflare said.

The development comes as CERT-UA warned of a spike in phishing attacks from a financially motivated group known as UAC-0006 that are engineered to drop the SmokeLoader malware, which is then used to deploy additional malware such as TALESHOT.

Phishing campaigns have also set their sights on European and U.S. financial organizations to deliver a legitimate Remote Monitoring and Management (RMM) software called SuperOps by packing its MSI installer within a trojanized version of the popular Minesweeper game.

“Running this program on a computer will provide unauthorized remote access to the computer to third-parties,” CERT-UA said, attributing it to a threat actor called UAC-0188.

The disclosure also follows a report from Flashpoint, which revealed that Russian advanced persistent threat (APT) groups are simultaneously evolving and refining their tactics as well as expanding their targeting.

“They are using new spear-phishing campaigns to exfiltrate data and credentials by delivering malware sold on illicit marketplaces,” the company said last week. “The most prevalent malware families used in these spear-phishing campaigns were Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

U.S. Dismantles World’s Largest 911 S5 Botnet, with 19 Million Infected Devices

Next Post

CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw

Related Posts

RedJuliett Cyber Espionage Campaign Hits 75 Taiwanese Organizations

A likely China-linked state-sponsored threat actor has been linked to a cyber espionage campaign targeting government, academic, technology, and diplomatic organizations in Taiwan between November 2023 and April 2024. Recorded Future's Insikt Group is tracking the activity under the name RedJuliett, describing it as a cluster that operates Fuzhou, China, to support Beijing's intelligence
Avatar
Read More

Google Introduces Project Naptime for AI-Powered Vulnerability Research

Google has developed a new framework called Project Naptime that it says enables a large language model (LLM) to carry out vulnerability research with an aim to improve automated discovery approaches. "The Naptime architecture is centered around the interaction between an AI agent and a target codebase," Google Project Zero researchers Sergei Glazunov and Mark Brand said. "The agent is provided
Avatar
Read More