FlyingYeti Exploits WinRAR Vulnerability to Deliver COOKBOX Malware in Ukraine

Cloudflare announced on Thursday that it had disrupted a month-long phishing campaign run by the Russia-aligned threat actor FlyingYeti. The campaign targeted Ukraine and exploited a known WinRAR vulnerability to deliver the COOKBOX malware.

Phishing Campaign Details
The phishing campaign, as detailed by Cloudflare's threat intelligence team Cloudforce One, played on fears of losing access to housing and utilities. Using debt-themed lures, the attackers enticed victims into opening malicious files. Opening them infected the system with COOKBOX, a PowerShell-based malware that lets FlyingYeti install additional payloads and keep control of the victim's machine.

FlyingYeti, which the Computer Emergency Response Team of Ukraine (CERT-UA) tracks as UAC-0149, has previously distributed COOKBOX through malicious attachments sent over the Signal messaging app. COOKBOX itself is PowerShell code capable of loading and executing further cmdlets on the operators' instruction.

Exploitation of WinRAR Vulnerability
The latest campaign, detected by Cloudforce One in mid-April 2024, exploited the WinRAR vulnerability tracked as CVE-2023-38831 and used Cloudflare Workers and GitHub to host the lure and stage the payload. The attackers targeted Ukrainian military entities, relied on dynamic DNS (DDNS) for their infrastructure, and used cloud-based platforms both for staging malicious content and for command-and-control (C2).

Email messages in this campaign used debt-restructuring and payment-related lures to persuade recipients to click through to a now-removed GitHub page (komunalka.github[.]io) impersonating the Kyiv Komunalka utility-payment website. The page told users to download a Microsoft Word file ("Рахунок.docx"). Clicking the download button instead retrieved a RAR archive ("Заборгованість по ЖКП.rar"). When the archive was opened in an unpatched WinRAR (versions before 6.23) and the victim double-clicked the decoy document inside it, CVE-2023-38831 fired and launched the COOKBOX malware.
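To make the exploitation step concrete, here is an added example (not Cloudflare's or CERT-UA's code, and not derived from the actual FlyingYeti archive) that checks an archive's entry list for the CVE-2023-38831 layout: a decoy file whose name ends in a space, a folder with exactly the same name, and an executable inside that folder whose name begins with the decoy's name. The sample archive is constructed in memory as a ZIP (the CVE was reported against WinRAR's ZIP handling; applying the same check to RAR entry names would need a RAR parser such as the third-party rarfile module). The file names and the list of executable extensions are assumptions made for this example.

```python
from __future__ import annotations

import io
import zipfile
from typing import NamedTuple

# Extensions that Windows will run when ShellExecute is handed a path such as
# "Рахунок.pdf .cmd". This list is an assumption for the example; extend it.
EXECUTABLE_SUFFIXES = (".cmd", ".bat", ".exe", ".com", ".scr", ".pif",
                       ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".lnk")


class Finding(NamedTuple):
    decoy: str    # benign-looking file the victim is meant to double-click
    folder: str   # same-named folder that pre-6.23 WinRAR also expands
    payload: str  # executable inside that folder that actually runs


def find_cve_2023_38831_layout(names: list[str]) -> list[Finding]:
    """Flag the CVE-2023-38831 archive layout in a list of entry names.

    When a user double-clicks "X.pdf " (trailing space) in WinRAR before 6.23,
    WinRAR also extracts the contents of a folder named "X.pdf " into the same
    temp directory and then calls ShellExecute on the decoy; Windows resolves
    the odd name to "X.pdf .cmd" and runs it. The tell-tale layout is therefore:
      - a top-level file whose name ends in whitespace,
      - a directory entry (explicit or implied) with exactly that name, and
      - inside it, a file whose name starts with the decoy's name and ends in
        an executable extension.
    """
    files = {n for n in names if not n.endswith("/")}
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    for n in files:                       # directories implied by file paths
        if "/" in n:
            dirs.add(n.rsplit("/", 1)[0])

    findings: list[Finding] = []
    for decoy in sorted(files):
        if "/" in decoy or decoy == decoy.rstrip():
            continue                      # only top-level names with trailing whitespace
        if decoy not in dirs:
            continue                      # no same-named folder: not this exploit
        prefix = decoy + "/"
        for candidate in sorted(files):
            if not candidate.startswith(prefix):
                continue
            leaf = candidate[len(prefix):]
            if leaf.startswith(decoy) and leaf.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(Finding(decoy, prefix, candidate))
    return findings


def scan_zip_bytes(data: bytes) -> list[Finding]:
    """Run the layout check over an in-memory ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_cve_2023_38831_layout(zf.namelist())


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed sample data for this example; not the FlyingYeti archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            decoy = "Рахунок.pdf "                    # the trailing space is the trick
            zf.writestr(decoy, b"%PDF-1.4\n% decoy\n")
            zf.writestr(decoy + "/", b"")             # explicit directory entry
            zf.writestr(decoy + "/" + decoy + ".cmd",
                        b"@echo off\r\necho constructed payload\r\n")
        else:
            zf.writestr("Рахунок.pdf", b"%PDF-1.4\n% real invoice\n")
            zf.writestr("notes/readme.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("malicious", True), ("benign", False)):
        hits = scan_zip_bytes(build_sample_archive(flag))
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  decoy={hit.decoy!r} folder={hit.folder!r} payload={hit.payload!r}")
```

The check is deliberately narrow (trailing whitespace plus a same-named folder plus a prefixed executable) so it can run on mail-gateway archive listings without drowning analysts in false positives; an archive that merely contains a .cmd file is not flagged.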

Persistence and Command-and-Control
Once installed, COOKBOX persists on the infected device and serves as a foothold. It polls the DDNS domain postdock[.]serveftp[.]com for command-and-control, waiting for further PowerShell cmdlets to execute. Because the C2 hostname sits under a dynamic DNS provider, the operators can repoint it to new infrastructure without touching the implant, which is what makes the hostname, rather than any one IP address, the durable indicator.
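As a second added example (again not Cloudflare's code), the routine below shows how a defender would hunt for this C2 pattern in DNS query logs, going slightly beyond the single indicator in the text: it re-fangs names written in the article's bracket notation, flags the COOKBOX C2 hostname as an exact indicator, and flags any other lookup under a dynamic DNS provider zone as worth a look. The log line format, the zone list (serveftp.com is the one the campaign used; the others are No-IP and similar zones added as an assumption), and the log entries themselves are constructed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Exact indicator from the campaign, written defanged as the article gives it.
COOKBOX_C2_DEFANGED = "postdock[.]serveftp[.]com"

# Parent zones operated by dynamic DNS providers. Partial list assumed for this
# example; tune it to what your own environment legitimately resolves.
DDNS_ZONES = ("serveftp.com", "servehttp.com", "ddns.net", "hopto.org",
              "zapto.org", "no-ip.org", "myftp.org", "duckdns.org")

# Assumed log format for the example: "<timestamp> <client_ip> <qtype> <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def refang(name: str) -> str:
    """Turn a defanged hostname (postdock[.]serveftp[.]com) back into a real,
    normalised one: brackets removed, trailing dot dropped, lower-cased."""
    return name.replace("[.]", ".").replace("(.)", ".").rstrip(".").lower()


COOKBOX_C2 = refang(COOKBOX_C2_DEFANGED)


def classify(qname: str) -> str | None:
    """'ioc' for the exact C2 hostname, 'ddns' for any other name under a
    dynamic DNS zone, None otherwise. The bare provider zone itself is not a
    hostname an implant would use, so it is not flagged."""
    name = refang(qname)
    if name == COOKBOX_C2:
        return "ioc"
    for zone in DDNS_ZONES:
        if name.endswith("." + zone):
            return "ddns"
    return None


def triage(lines: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Group flagged lookups by client: {client_ip: [(verdict, hostname), ...]}.
    Malformed lines are skipped rather than aborting the whole run."""
    hits: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["qname"])
        if verdict:
            hits[m["client"]].append((verdict, refang(m["qname"])))
    return dict(hits)


# Constructed sample log for the example; the 10.20.0.x clients are not real hosts.
SAMPLE_LOG = [
    "2024-04-18T09:14:02Z 10.20.0.15 A    www.example.com.",
    "2024-04-18T09:14:05Z 10.20.0.15 A    postdock.serveftp.com.",
    "2024-04-18T09:14:06Z 10.20.0.15 A    postdock.serveftp.com.",
    "2024-04-18T09:15:41Z 10.20.0.33 A    build-agent.ddns.net.",
    "2024-04-18T09:15:42Z 10.20.0.33 AAAA github.com.",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, flagged in triage(SAMPLE_LOG).items():
        for verdict, host in flagged:
            print(f"{client}\t{verdict}\t{host}")
```

A repeated 'ioc' hit from one client, as in the sample, is the beaconing pattern described above; 'ddns' hits are lower confidence and need to be checked against what the host legitimately uses.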

Broader Context and Additional Threats
This development is part of a broader surge in phishing activity. CERT-UA has also reported increased attacks by the financially motivated group UAC-0006, which uses the SmokeLoader malware to deploy additional threats such as TALESHOT. European and U.S. financial organizations are also being targeted with spear-phishing that delivers Remote Monitoring and Management (RMM) software such as SuperOps, disguised as a Minesweeper game.

A recent report from Flashpoint highlights that Russian advanced persistent threat (APT) groups are evolving their tactics, running new spear-phishing campaigns that steal data and credentials with commodity malware bought on illicit marketplaces. Prominent families in these campaigns include Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.

The FlyingYeti campaign shows that a vulnerability with a patch available for months (CVE-2023-38831 was fixed in WinRAR 6.23) still pays off for attackers when paired with a plausible lure. Organizations and individuals should make sure WinRAR is updated, treat archives delivered by email or messaging apps as untrusted even when they look like invoices or notices, and watch outbound DNS for command-and-control hosted on dynamic DNS services.