FlyingYeti Exploits WinRAR Vulnerability to Deliver COOKBOX Malware in Ukraine

Cyber Security

Products You May Like

May 30, 2024NewsroomCyber Attack / Malware

Cloudflare on Thursday said it took steps to disrupt a month-long phishing campaign orchestrated by a Russia-aligned threat actor called FlyingYeti targeting Ukraine.

“The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures,” Cloudflare’s threat intelligence team Cloudforce One said in a new report published today.

“If opened, the files would result in infection with the PowerShell malware known as COOKBOX, allowing FlyingYeti to support follow-on objectives, such as installation of additional payloads and control over the victim’s system.”

FlyingYeti is the denomination used by the web infrastructure company to track an activity cluster that the Computer Emergency Response Team of Ukraine (CERT-UA) is tracking under the moniker UAC-0149.


Previous attacks disclosed by the cybersecurity agency have involved the use of malicious attachments sent via the Signal instant messaging app to deliver COOKBOX, a PowerShell-based malware capable of loading and executing cmdlets.

The latest campaign detected by Cloudforce One in mid-April 2024 involves the use of Cloudflare Workers and GitHub, alongside the exploitation of WinRAR vulnerability tracked as CVE-2023-38831.

The company described the threat actor as primarily focused on targeting Ukrainian military entities, adding it utilizes dynamic DNS (DDNS) for their infrastructure and leverages cloud-based platforms for staging malicious content and for command-and-control (C2) purposes.

The email messages have been observed employing debt restructuring and payment-related lures to entice recipients into clicking on a now-removed GitHub page (komunalka.github[.]io) that impersonates the Kyiv Komunalka website and instructs them to download a Microsoft Word file (“Рахунок.docx”).

But in reality, clicking on the download button in the page results in the retrieval of a RAR archive file (“Заборгованість по ЖКП.rar”), but only after evaluating the HTTP request to a Cloudflare Worker. The RAR file, once launched, weaponizes CVE-2023-38831 to execute the COOKBOX malware.

“The malware is designed to persist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run,” Cloudflare said.

The development comes as CERT-UA warned of a spike in phishing attacks from a financially motivated group known as UAC-0006 that are engineered to drop the SmokeLoader malware, which is then used to deploy additional malware such as TALESHOT.


Phishing campaigns have also set their sights on European and U.S. financial organizations to deliver a legitimate Remote Monitoring and Management (RMM) software called SuperOps by packing its MSI installer within a trojanized version of the popular Minesweeper game.

“Running this program on a computer will provide unauthorized remote access to the computer to third-parties,” CERT-UA said, attributing it to a threat actor called UAC-0188.

The disclosure also follows a report from Flashpoint, which revealed that Russian advanced persistent threat (APT) groups are simultaneously evolving and refining their tactics as well as expanding their targeting.

“They are using new spear-phishing campaigns to exfiltrate data and credentials by delivering malware sold on illicit marketplaces,” the company said last week. “The most prevalent malware families used in these spear-phishing campaigns were Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

U.S. Seizes Domains Used by AI-Powered Russian Bot Farm for Disinformation
AT&T Confirms Data Breach Affecting Nearly All Wireless Customers
Xiaomi Watch S4 Sport Confirmed to Launch in China on July 19: What We Know So Far
Elon Musk endorses Donald Trump shortly after ex-president injured by shots fired at rally
iQoo Z9 Turbo+ Launch Timeline Leaked, Key Specifications Including MediaTek Dimensity 9300+ Chipset Tipped

Leave a Reply

Your email address will not be published. Required fields are marked *