FlyingYeti Exploits WinRAR Vulnerability to Ship COOKBOX Malware in Ukraine

Could 30, 2024NewsroomCyber Assault / Malware

WinRAR Vulnerability

Cloudflare on Thursday mentioned it took steps to disrupt a month-long phishing marketing campaign orchestrated by a Russia-aligned risk actor referred to as FlyingYeti concentrating on Ukraine.

“The FlyingYeti marketing campaign capitalized on anxiousness over the potential lack of entry to housing and utilities by attractive targets to open malicious information by way of debt-themed lures,” Cloudflare’s risk intelligence staff Cloudforce One said in a brand new report revealed as we speak.

“If opened, the information would end in an infection with the PowerShell malware often called COOKBOX, permitting FlyingYeti to assist follow-on aims, similar to set up of extra payloads and management over the sufferer’s system.”

FlyingYeti is the denomination utilized by the online infrastructure firm to trace an exercise cluster that the Pc Emergency Response Group of Ukraine (CERT-UA) is monitoring underneath the moniker UAC-0149.


Earlier assaults disclosed by the cybersecurity company have concerned the usage of malicious attachments despatched by way of the Sign prompt messaging app to ship COOKBOX, a PowerShell-based malware able to loading and executing cmdlets.

The most recent marketing campaign detected by Cloudforce One in mid-April 2024 includes the usage of Cloudflare Staff and GitHub, alongside the exploitation of WinRAR vulnerability tracked as CVE-2023-38831.

The corporate described the risk actor as primarily centered on concentrating on Ukrainian army entities, including it makes use of dynamic DNS (DDNS) for his or her infrastructure and leverages cloud-based platforms for staging malicious content material and for command-and-control (C2) functions.

The e-mail messages have been noticed using debt restructuring and payment-related lures to entice recipients into clicking on a now-removed GitHub web page (komunalka.github[.]io) that impersonates the Kyiv Komunalka website and instructs them to obtain a Microsoft Phrase file (“Рахунок.docx”).

However in actuality, clicking on the obtain button within the web page leads to the retrieval of a RAR archive file (“Заборгованість по ЖКП.rar”), however solely after evaluating the HTTP request to a Cloudflare Employee. The RAR file, as soon as launched, weaponizes CVE-2023-38831 to execute the COOKBOX malware.

“The malware is designed to persist on a bunch, serving as a foothold within the contaminated gadget. As soon as put in, this variant of COOKBOX will make requests to the DDNS area postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run,” Cloudflare mentioned.

The event comes as CERT-UA warned of a spike in phishing assaults from a financially motivated group often called UAC-0006 which are engineered to drop the SmokeLoader malware, which is then used to deploy extra malware similar to TALESHOT.


Phishing campaigns have additionally set their sights on European and U.S. monetary organizations to ship a reliable Distant Monitoring and Administration (RMM) software program referred to as SuperOps by packing its MSI installer inside a trojanized model of the favored Minesweeper recreation.

“Operating this program on a pc will present unauthorized distant entry to the pc to third-parties,” CERT-UA said, attributing it to a risk actor referred to as UAC-0188.

The disclosure additionally follows a report from Flashpoint, which revealed that Russian superior persistent risk (APT) teams are concurrently evolving and refining their techniques in addition to increasing their concentrating on.

“They’re utilizing new spear-phishing campaigns to exfiltrate knowledge and credentials by delivering malware bought on illicit marketplaces,” the corporate said final week. “Probably the most prevalent malware households utilized in these spear-phishing campaigns had been Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.”

Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we put up.