FlyingYeti Uses WinRAR Flaw to Deploy COOKBOX Malware in Ukraine

May 30, 2024

Cloudflare has disrupted a month-long phishing campaign in Ukraine, which was orchestrated by a Russia-aligned threat actor known as FlyingYeti. The campaign leveraged fears over potential loss of access to housing and utilities, enticing targets to open malicious files with debt-themed lures. As a result, the targets would be infected with the PowerShell malware known as COOKBOX, providing FlyingYeti with control over the victim's system.

FlyingYeti is the name Cloudflare uses to track a cluster of activity that the Computer Emergency Response Team of Ukraine (CERT-UA) monitors under the name UAC-0149. Past attacks disclosed by the cybersecurity agency have involved malicious attachments sent via the Signal instant messaging app to deliver COOKBOX.

The recent campaign detected by Cloudflare in mid-April 2024 involves the use of Cloudflare Workers and GitHub, as well as the exploitation of the WinRAR vulnerability tracked as CVE-2023-38831. Cloudflare describes the threat actor as primarily targeting Ukrainian military entities, using dynamic DNS for their infrastructure and cloud-based platforms for staging malicious content and command-and-control purposes.

The phishing emails used debt restructuring and payment-related lures to entice recipients into clicking on a now-removed GitHub page that impersonates the Kyiv Komunalka website. Clicking the download button on that page instead retrieves a RAR archive which, when opened, exploits CVE-2023-38831 to execute the COOKBOX malware.
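As an added defensive illustration (not code from the article, Cloudflare or CERT-UA), the following Python checker flags an archive listing that matches the CVE-2023-38831 pattern: a decoy document sitting next to a directory whose name is the decoy's name plus a trailing space, with a script inside that directory. The entry names below are constructed, not taken from a real sample.

```python
"""Flag archive entry listings that match the CVE-2023-38831 WinRAR pattern.

The bug (patched in WinRAR 6.23) is triggered by an archive holding a decoy
file such as "Debt_Notice.pdf" beside a directory named "Debt_Notice.pdf "
(same string, trailing space) that contains a script.  Double-clicking the
decoy in WinRAR launches the script instead of the document.  This checker
only needs the list of entry paths, so it can be fed from any archive lister.
"""
from __future__ import annotations
import posixpath

# Extensions Windows will execute when WinRAR hands the entry to the shell.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".lnk", ".scr", ".com"}


def find_cve_2023_38831(entries: list[str]) -> list[tuple[str, str]]:
    """Return (decoy, script) pairs for every suspicious file/directory collision.

    entries: archive paths as printed by the archiver; explicit directory
    entries end with "/" (they are optional, parents are inferred from files).
    """
    names = [e.replace("\\", "/") for e in entries]
    files = {n for n in names if not n.endswith("/")}
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    for f in files:  # infer directories that the lister did not print
        parent = posixpath.dirname(f)
        while parent:
            dirs.add(parent)
            parent = posixpath.dirname(parent)
    hits: list[tuple[str, str]] = []
    for decoy in sorted(files):
        trap_dir = decoy + " "  # the exploit needs exactly this directory name
        if trap_dir not in dirs:
            continue
        for f in sorted(files):
            if posixpath.dirname(f) == trap_dir and posixpath.splitext(f)[1].lower() in EXECUTABLE_EXTS:
                hits.append((decoy, f))
    return hits


# Constructed listings modelled on a debt-notice lure (not real samples).
MALICIOUS_ENTRIES = ["Debt_Notice.pdf", "Debt_Notice.pdf /", "Debt_Notice.pdf /Debt_Notice.pdf .cmd"]
BENIGN_ENTRIES = ["Debt_Notice.pdf", "images/logo.png", "Debt_Notice/readme.txt"]

if __name__ == "__main__":
    for label, listing in (("malicious", MALICIOUS_ENTRIES), ("benign", BENIGN_ENTRIES)):
        print(label, find_cve_2023_38831(listing))
```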

The malware is designed to persist on a host, serving as a foothold on the infected device. Once installed, this variant of COOKBOX makes requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware then runs.

CERT-UA has also warned of an increase in phishing attacks from a financially motivated group known as UAC-0006 that are designed to drop the SmokeLoader malware, which is then used to deploy additional malware such as TALESHOT. Other phishing campaigns have targeted European and U.S. financial organizations to deliver a legitimate Remote Monitoring and Management software called SuperOps by packing its MSI installer within a trojanized version of the popular Minesweeper game.

This disclosure follows a report from Flashpoint, which revealed that Russian advanced persistent threat groups are simultaneously evolving and refining their tactics as well as expanding their targeting. They are using new spear-phishing campaigns to exfiltrate data and credentials by delivering malware sold on illicit marketplaces. The most prevalent malware families used in these spear-phishing campaigns were Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.
