    FlyingYeti Exploits WinRAR Vulnerability to Deliver COOKBOX Malware in Ukraine

    On Thursday, Cloudflare announced measures to disrupt a prolonged phishing campaign orchestrated by the Russia-aligned threat group known as FlyingYeti, specifically targeting Ukraine.

    “The FlyingYeti operation leveraged fears of losing access to housing and utilities by tricking victims into opening malicious files with debt-related themes,” stated Cloudflare’s threat intelligence unit, Cloudforce One, in a report released today.

    “Opening these files results in infection with the PowerShell malware known as COOKBOX, enabling FlyingYeti to pursue further objectives, such as deploying additional payloads and commandeering the victim’s system.”

    FlyingYeti is the term used by the web infrastructure firm to monitor an activity cluster identified by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0149.

    Past incursions revealed by the cybersecurity agency involved sending malicious attachments via the Signal instant messaging app to distribute COOKBOX, a PowerShell-based malware capable of executing cmdlets.

    The latest campaign identified by Cloudforce One in mid-April 2024 involved utilizing Cloudflare Workers and GitHub, along with exploiting a WinRAR vulnerability labeled CVE-2023-38831.

    The company described the threat actor as primarily targeting Ukrainian military entities, employing dynamic DNS (DDNS) for their infrastructure and utilizing cloud-based platforms for staging malicious content and command-and-control (C2) operations.

    The phishing emails have been noted for using debt restructuring and payment-related enticements to lure recipients into clicking on a now-removed GitHub page (komunalka.github[.]io) masquerading as the Kyiv Komunalka website, instructing them to download a Microsoft Word document (“Рахунок.docx”).

    However, clicking the download button on the page actually retrieves a RAR archive file (“Заборгованість по ЖКП.rar”) after processing an HTTP request through a Cloudflare Worker. Once launched, the RAR file exploits CVE-2023-38831 to deploy the COOKBOX malware.

    “The malware is designed to maintain a presence on the infected device, acting as a foothold. Once installed, this COOKBOX variant contacts the DDNS domain postdock[.]serveftp[.]com for C2, awaiting further PowerShell cmdlets to execute,” Cloudflare explained.
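The two network indicators the article cites (the phishing page and the COOKBOX C2 domain) are the kind of thing a defender feeds into a log search. The script below is an added example, not code from Cloudflare, CERT-UA or the article: it refangs the defanged indicators exactly as printed above and scans a handful of constructed DNS/proxy log lines (an assumed `key=value` format, not real telemetry) for exact matches or subdomains of those hosts, while deliberately not flagging the parent zones `github.io` and `serveftp.com`, which are shared by countless legitimate sites.

```python
import re
from dataclasses import dataclass

# Indicators as the article prints them (defanged). Nothing here is invented:
# both hosts appear in the Cloudflare reporting quoted above.
DEFANGED_INDICATORS = {
    "komunalka.github[.]io": "phishing page impersonating the Kyiv Komunalka site",
    "postdock[.]serveftp[.]com": "COOKBOX command-and-control (DDNS)",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


INDICATORS = {refang(k): v for k, v in DEFANGED_INDICATORS.items()}

# Assumed log format: a 'query=' (DNS) or 'host=' (proxy) field carrying the host name.
HOST_RE = re.compile(r"(?:query|host)=(?P<host>[A-Za-z0-9.-]+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    description: str


def host_matches(host: str, indicator: str) -> bool:
    """True for the indicator itself or any subdomain of it, case-insensitively.

    The parent zones (github.io, serveftp.com) never match on their own, because
    they host large numbers of unrelated, legitimate names.
    """
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def scan(lines):
    """Return a Hit for every log line whose host matches a known indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group("host")
        for indicator, description in INDICATORS.items():
            if host_matches(host, indicator):
                hits.append(Hit(n, host, description))
    return hits


# Constructed sample log lines for illustration only (not captured traffic).
SAMPLE_LOGS = [
    "2024-04-18T09:12:01Z src=10.0.0.5 query=www.example.com type=A",
    "2024-04-18T09:13:44Z src=10.0.0.5 host=komunalka.github.io method=GET path=/",
    "2024-04-18T09:14:02Z src=10.0.0.5 query=github.io type=A",
    "2024-04-18T09:20:37Z src=10.0.0.5 query=postdock.serveftp.com type=A",
    "2024-04-18T09:20:39Z src=10.0.0.5 query=serveftp.com type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.host} -> {hit.description}")
```

Run stand-alone it reports lines 2 and 4 only. The subdomain rule is the part worth keeping: DDNS providers such as serveftp.com hand out many hostnames, so matching must be anchored to the full indicator, not to the registrable domain.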

    This development coincides with a warning from CERT-UA about a surge in phishing attacks by a financially motivated group known as UAC-0006, which are designed to deliver the SmokeLoader malware, subsequently used to deploy additional malware such as TALESHOT.

    Phishing campaigns have also targeted financial organizations in Europe and the U.S., delivering legitimate Remote Monitoring and Management (RMM) software called SuperOps by embedding its MSI installer within a trojanized version of the popular Minesweeper game.

    “Running this program on a computer grants unauthorized remote access to third parties,” CERT-UA noted, attributing the campaign to the threat actor UAC-0188.

    This disclosure follows a report from Flashpoint, which highlighted that Russian advanced persistent threat (APT) groups are simultaneously evolving their tactics and broadening their targets.

    “They are employing new spear-phishing campaigns to exfiltrate data and credentials by deploying malware sold on dark web marketplaces,” the company reported last week. “The most commonly used malware families in these spear-phishing campaigns include Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.”
