Cloudflare has announced the disruption of a month-long phishing campaign orchestrated by the Russia-aligned threat actor known as FlyingYeti. The campaign, which primarily targeted Ukrainian entities, leveraged a WinRAR vulnerability (CVE-2023-38831) to deliver COOKBOX malware. FlyingYeti’s strategy involved exploiting concerns over potential housing and utilities access by enticing targets with debt-themed lures. These lures, distributed through email, directed recipients to download malicious files from a compromised GitHub page impersonating the Kyiv Komunalka website.
Upon interaction, the campaign tricked users into downloading a RAR file, which, when executed, exploited the WinRAR vulnerability to install the COOKBOX malware. This malware, a PowerShell-based tool, is designed to persist on infected devices, allowing FlyingYeti to execute further malicious activities. The malware communicates with its command-and-control (C2) server using dynamic DNS domains to receive and execute additional PowerShell cmdlets, facilitating the installation of more payloads and granting control over the victim’s system.
Cloudflare’s threat intelligence team, Cloudforce One, identified the use of Cloudflare Workers and GitHub in the campaign’s infrastructure. This highlights the sophisticated tactics employed by FlyingYeti, including the use of cloud-based platforms for staging and managing malicious content. The ongoing conflict in Ukraine has seen an uptick in cyber activities, with various threat actors, including advanced persistent threat (APT) groups, intensifying their efforts to compromise Ukrainian systems.
In response to these threats, CERT-UA has issued warnings about the increase in phishing attacks targeting Ukrainian entities. Another financially motivated group, UAC-0006, has been observed using phishing campaigns to deploy SmokeLoader malware, which is subsequently used to install additional threats like TALESHOT. European and U.S. financial organizations have also been targeted by similar campaigns using trojanized software to gain unauthorized remote access. The evolving tactics of these threat actors underscore the critical need for robust cybersecurity measures and vigilance against phishing attempts and software vulnerabilities.
Reference:
