FlyingYeti Exploits WinRAR Vulnerability to Deliver COOKBOX Malware in Ukraine

Cloudflare on Thursday said it took steps to disrupt a month-long phishing campaign orchestrated by a Russia-aligned threat actor called FlyingYeti targeting Ukraine.

“The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures,” Cloudflare’s threat intelligence team Cloudforce One said in a new report published today.

“If opened, the files would result in infection with the PowerShell malware known as COOKBOX, allowing FlyingYeti to support follow-on objectives, such as installation of additional payloads and control over the victim’s system.”

FlyingYeti is the denomination used by the web infrastructure company to track an activity cluster that the Computer Emergency Response Team of Ukraine (CERT-UA) is tracking under the moniker UAC-0149.

Previous attacks disclosed by the cybersecurity agency have involved the use of malicious attachments sent via the Signal instant messaging app to deliver COOKBOX, a PowerShell-based malware capable of loading and executing cmdlets.

The latest campaign detected by Cloudforce One in mid-April 2024 involves the use of Cloudflare Workers and GitHub, alongside the exploitation of WinRAR vulnerability tracked as CVE-2023-38831.

The company described the threat actor as primarily focused on targeting Ukrainian military entities, adding it utilizes dynamic DNS (DDNS) for their infrastructure and leverages cloud-based platforms for staging malicious content and for command-and-control (C2) purposes.

The email messages have been observed employing debt restructuring and payment-related lures to entice recipients into clicking on a now-removed GitHub page (komunalka.github[.]io) that impersonates the Kyiv Komunalka website and instructs them to download a Microsoft Word file (“Рахунок.docx”).

But in reality, clicking on the download button in the page results in the retrieval of a RAR archive file (“Заборгованість по ЖКП.rar”), but only after evaluating the HTTP request to a Cloudflare Worker. The RAR file, once launched, weaponizes CVE-2023-38831 to execute the COOKBOX malware.

“The malware is designed to persist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run,” Cloudflare said.

The development comes as CERT-UA warned of a spike in phishing attacks from a financially motivated group known as UAC-0006 that are engineered to drop the SmokeLoader malware, which is then used to deploy additional malware such as TALESHOT.

Phishing campaigns have also set their sights on European and U.S. financial organizations to deliver a legitimate Remote Monitoring and Management (RMM) software called SuperOps by packing its MSI installer within a trojanized version of the popular Minesweeper game.

“Running this program on a computer will provide unauthorized remote access to the computer to third-parties,” CERT-UA said, attributing it to a threat actor called UAC-0188.

The disclosure also follows a report from Flashpoint, which revealed that Russian advanced persistent threat (APT) groups are simultaneously evolving and refining their tactics as well as expanding their targeting.

“They are using new spear-phishing campaigns to exfiltrate data and credentials by delivering malware sold on illicit marketplaces,” the company said last week. “The most prevalent malware families used in these spear-phishing campaigns were Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.