7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.6 High
AI Score
Confidence
Low
0.346 Low
EPSS
Percentile
97.1%
Cloudflare on Thursday said it took steps to disrupt a month-long phishing campaign orchestrated by a Russia-aligned threat actor called FlyingYeti targeting Ukraine.
βThe FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures,β Cloudflareβs threat intelligence team Cloudforce One said in a new report published today.
βIf opened, the files would result in infection with the PowerShell malware known as COOKBOX, allowing FlyingYeti to support follow-on objectives, such as installation of additional payloads and control over the victimβs system.β
FlyingYeti is the denomination used by the web infrastructure company to track an activity cluster that the Computer Emergency Response Team of Ukraine (CERT-UA) is tracking under the moniker UAC-0149.
Previous attacks disclosed by the cybersecurity agency have involved the use of malicious attachments sent via the Signal instant messaging app to deliver COOKBOX, a PowerShell-based malware capable of loading and executing cmdlets.
The latest campaign detected by Cloudforce One in mid-April 2024 involves the use of Cloudflare Workers and GitHub, alongside the exploitation of WinRAR vulnerability tracked as CVE-2023-38831.
The company described the threat actor as primarily focused on targeting Ukrainian military entities, adding it utilizes dynamic DNS (DDNS) for their infrastructure and leverages cloud-based platforms for staging malicious content and for command-and-control (C2) purposes.
The email messages have been observed employing debt restructuring and payment-related lures to entice recipients into clicking on a now-removed GitHub page (komunalka.github[.]io) that impersonates the Kyiv Komunalka website and instructs them to download a Microsoft Word file (βΠ Π°Ρ ΡΠ½ΠΎΠΊ.docxβ).
But in reality, clicking on the download button in the page results in the retrieval of a RAR archive file (βΠΠ°Π±ΠΎΡΠ³ΠΎΠ²Π°Π½ΡΡΡΡ ΠΏΠΎ ΠΠΠ.rarβ), but only after evaluating the HTTP request to a Cloudflare Worker. The RAR file, once launched, weaponizes CVE-2023-38831 to execute the COOKBOX malware.
βThe malware is designed to persist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run,β Cloudflare said.
The development comes as CERT-UA warned of a spike in phishing attacks from a financially motivated group known as UAC-0006 that are engineered to drop the SmokeLoader malware, which is then used to deploy additional malware such as TALESHOT.
Phishing campaigns have also set their sights on European and U.S. financial organizations to deliver a legitimate Remote Monitoring and Management (RMM) software called SuperOps by packing its MSI installer within a trojanized version of the popular Minesweeper game.
βRunning this program on a computer will provide unauthorized remote access to the computer to third-parties,β CERT-UA said, attributing it to a threat actor called UAC-0188.
The disclosure also follows a report from Flashpoint, which revealed that Russian advanced persistent threat (APT) groups are simultaneously evolving and refining their tactics as well as expanding their targeting.
βThey are using new spear-phishing campaigns to exfiltrate data and credentials by delivering malware sold on illicit marketplaces,β the company said last week. βThe most prevalent malware families used in these spear-phishing campaigns were Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.β
Found this article interesting? Follow us on Twitter ο and LinkedIn to read more exclusive content we post.
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.6 High
AI Score
Confidence
Low
0.346 Low
EPSS
Percentile
97.1%