FlyingYeti Uses WinRAR Flaw to Deploy COOKBOX Malware in Ukraine
May 30, 2024
Cloudflare has disrupted a month-long phishing campaign in Ukraine, which was orchestrated by a Russia-aligned threat actor known as FlyingYeti. The campaign leveraged fears over potential loss of access to housing and utilities, enticing targets to open malicious files with debt-themed lures. As a result, the targets would be infected with the PowerShell malware known as COOKBOX, providing FlyingYeti with control over the victim's system.
FlyingYeti is the name Cloudflare uses to track a cluster of activity that the Computer Emergency Response Team of Ukraine (CERT-UA) monitors as UAC-0149. Past attacks disclosed by the agency have involved malicious attachments sent via the Signal instant messaging app to deliver COOKBOX.
The recent campaign detected by Cloudflare in mid-April 2024 involves the use of Cloudflare Workers and GitHub, as well as the exploitation of the WinRAR vulnerability tracked as CVE-2023-38831. Cloudflare describes the threat actor as primarily targeting Ukrainian military entities, using dynamic DNS for their infrastructure and cloud-based platforms for staging malicious content and command-and-control purposes.
The phishing emails used debt restructuring and payment-related lures to entice recipients into clicking on a now-removed GitHub page that impersonates the Kyiv Komunalka website. Clicking the download button on that page retrieves a RAR archive which, when opened, exploits CVE-2023-38831 to execute the COOKBOX malware.
The malware is designed to persist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run.
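The two observable stages described above (WinRAR spawning a script host from its temporary extraction directory, then a beacon to the DDNS C2 domain) can both be hunted for in endpoint telemetry. The following is an added detection example, not code from the article or from Cloudflare; the process-creation and DNS events are constructed samples in a simplified "parent|child|command line" and "host|query" layout, and the Rar$ temp-directory pattern and trailing-space filename heuristic are assumptions about typical WinRAR telemetry.

```python
import re
from typing import List, Optional

# Known COOKBOX C2 from the report (defanged there as postdock[.]serveftp[.]com).
C2_INDICATORS = {"postdock.serveftp.com"}

# Interpreters a RAR archive should never cause WinRAR to launch directly.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumed layout of WinRAR's temporary extraction folder, e.g. \Rar$DIa1234.5678\.
RAR_TEMP = re.compile(r"\\Rar\$[A-Za-z]{2,3}\d+\.\d+\\", re.IGNORECASE)

# CVE-2023-38831 relies on a script whose name carries a space before the extension
# (e.g. "Debt_notice.pdf .cmd") so it can mirror the benign decoy file name.
TRAILING_SPACE_SCRIPT = re.compile(r"\S \.(cmd|bat|vbs|ps1|js)\b", re.IGNORECASE)

# Constructed sample telemetry (not from the article).
PROCESS_EVENTS = [
    r'C:\Program Files\WinRAR\WinRAR.exe|C:\Windows\System32\cmd.exe|cmd.exe /c "C:\Users\u\AppData\Local\Temp\Rar$DIa1234.5678\Debt_notice.pdf \Debt_notice.pdf .cmd"',
    r"C:\Windows\explorer.exe|C:\Program Files\WinRAR\WinRAR.exe|WinRAR.exe C:\Users\u\Downloads\archive.rar",
    r"C:\Program Files\WinRAR\WinRAR.exe|C:\Windows\System32\notepad.exe|notepad.exe readme.txt",
]
DNS_EVENTS = ["ws01|postdock.serveftp.com", "ws01|update.example.org", "ws02|cdn.serveftp.com"]


def detect_process(event: str) -> Optional[str]:
    """Flag WinRAR launching a script host; enrich with CVE-2023-38831 indicators."""
    parent, child, cmdline = event.split("|", 2)
    child_name = child.lower().rsplit("\\", 1)[-1]
    if not parent.lower().endswith("\\winrar.exe") or child_name not in SCRIPT_HOSTS:
        return None
    reason = f"WinRAR spawned script host {child_name}"
    if RAR_TEMP.search(cmdline):
        reason += " from Rar$ temp dir"
    if TRAILING_SPACE_SCRIPT.search(cmdline):
        reason += "; trailing-space script name (CVE-2023-38831 pattern)"
    return reason


def detect_dns(event: str) -> Optional[str]:
    """Flag a query for the C2 domain or any subdomain of it."""
    host, query = event.split("|", 1)
    q = query.lower().rstrip(".")
    if q in C2_INDICATORS or any(q.endswith("." + d) for d in C2_INDICATORS):
        return f"{host} queried known COOKBOX C2 {q}"
    return None


def scan(process_events: List[str], dns_events: List[str]) -> List[str]:
    """Return one alert string per matching event, process events first."""
    alerts = [r for e in process_events if (r := detect_process(e))]
    alerts += [r for e in dns_events if (r := detect_dns(e))]
    return alerts
```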
CERT-UA has also warned of an increase in phishing attacks from a financially motivated group known as UAC-0006 that are designed to drop the SmokeLoader malware, which is then used to deploy additional malware such as TALESHOT. Other phishing campaigns have targeted European and U.S. financial organizations to deliver a legitimate Remote Monitoring and Management tool called SuperOps by packing its MSI installer inside a trojanized version of the popular Minesweeper game.
This disclosure follows a report from Flashpoint, which revealed that Russian advanced persistent threat groups are simultaneously evolving and refining their tactics as well as expanding their targeting. They are using new spear-phishing campaigns to exfiltrate data and credentials by delivering malware sold on illicit marketplaces. The most prevalent malware families used in these spear-phishing campaigns were Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.