{"id":164017,"date":"2024-06-02T17:55:20","date_gmt":"2024-06-02T17:55:20","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=164017"},"modified":"2024-06-02T17:55:22","modified_gmt":"2024-06-02T17:55:22","slug":"flyingyeti-targets-ukraine","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/164017\/hacking\/flyingyeti-targets-ukraine.html","title":{"rendered":"FlyingYeti targets Ukraine using WinRAR exploit to deliver COOKBOX Malware"},"content":{"rendered":"

Russia-linked threat actor FlyingYeti is targeting Ukraine with a phishing campaign to deliver the PowerShell malware COOKBOX.

Cloudflare researchers discovered a phishing campaign conducted by the Russia-linked threat actor FlyingYeti (aka UAC-0149) targeting Ukraine. The experts published a report describing their real-time effort to disrupt and delay this threat activity.

At the beginning of Russia’s invasion of Ukraine on February 24, 2022, Ukraine implemented a moratorium on evictions and on the termination of utility services for unpaid debt. The moratorium ended in January 2024, leaving many Ukrainian citizens with significant debt liability and increased financial stress. The FlyingYeti campaign exploited this anxiety by using debt-themed lures to trick targets into opening malicious links embedded in the messages. Once the downloaded files are opened, the PowerShell malware COOKBOX infects the target system, allowing the attackers to deploy additional payloads and gain control over the victim’s system.

The threat actors exploited the WinRAR vulnerability CVE-2023-38831 to infect targets with malware.

Cloudflare states that FlyingYeti’s tactics, techniques, and procedures (TTPs) are similar to those detailed by Ukraine CERT in its analysis of the UAC-0149 cluster.

UAC-0149 has targeted Ukrainian defense entities with COOKBOX malware since at least the fall of 2023.

“The threat actor uses dynamic DNS (DDNS) for their infrastructure and leverages cloud-based platforms for hosting malicious content and for malware command and control (C2),” reads the report published by Cloudflare. “Our investigation of FlyingYeti TTPs suggests this is likely a Russia-aligned threat group. The actor appears to primarily focus on targeting Ukrainian military entities.”

Threat actors targeted users with a spoofed version of the Kyiv Komunalka communal housing site (https://www.komunalka.ua), hosted on an actor-controlled GitHub page (hxxps[:]//komunalka[.]github[.]io). Komunalka is a payment processor for utilities and other services in the Kyiv region.

FlyingYeti likely directed targets to this page via phishing emails or encrypted Signal messages. On the spoofed site, a large green button prompted users to download a document named “Рахунок.docx” (“Invoice.docx”), which instead downloaded a malicious archive titled “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”).

\"FlyingYeti<\/a><\/figure>\n\n\n\n

Once the RAR file is opened, the CVE-2023-38831 exploit triggers the execution of the COOKBOX malware.

The RAR archive contains multiple files, including one whose name contains the Unicode character U+201F, which renders as whitespace on Windows systems. Because the character pads the name with what looks like blank space, the real extension is pushed out of view, making a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”) look like a PDF document. The archive also includes a benign PDF with the same name minus the Unicode character, and the directory created when the archive is opened also matches the benign PDF name. This naming overlap triggers the WinRAR vulnerability CVE-2023-38831, so the malicious CMD executes when the target attempts to open the benign PDF.

“The CMD file contains the Flying Yeti PowerShell malware known as COOKBOX. The malware is designed to persist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run,” continues the report. “Alongside COOKBOX, several decoy documents are opened, which contain hidden tracking links using the Canary Tokens service.”

The report also provides recommendations and Indicators of Compromise (IoCs).


Pierluigi Paganini


<\/gwmw><\/p>\n","protected":false},"excerpt":{"rendered":"

Russia-linked threat actor FlyingYeti is targeting Ukraine with a phishing campaign to deliver the PowerShell malware COOKBOX. Cloudflare researchers discovered a phishing campaign conducted by the Russia-linked threat actor FlyingYeti (aka UAC-0149) targeting Ukraine. The experts published a report describing their real-time effort to disrupt and delay this threat activity. At the beginning of Russia’s invasion of Ukraine […]","protected":false},"author":1,"featured_media":164024,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6054,3323,5,2624],"tags":[15130,15129,4112,9508,9506,10918,30,3376,687,45,841,1533,1858,1970],"class_list":["post-164017","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-apt","category-breaking-news","category-hacking","category-mobile-2","tag-cookbox","tag-flyingyeti","tag-hacking","tag-hacking-news","tag-information-security-news","tag-it-information-security","tag-malware-2","tag-phishing-campaign","tag-pierluigi-paganini","tag-russia","tag-security-affairs","tag-security-news","tag-ukraine","tag-winrar"],"yoast_head":"