
FlyingYeti uses WinRAR Vulnerability to Distribute COOKBOX Malware in Ukraine

Cloudflare has revealed that it disrupted a phishing campaign orchestrated by a group named FlyingYeti targeting Ukraine. The campaign aimed to exploit anxiety over housing and utilities by tricking targets into opening malicious files through debt-themed lures. These files contained the COOKBOX malware, allowing FlyingYeti to gain control over the victim’s system and execute further malicious activities.

The threat actor is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0149. In CERT-UA's reporting on the group, COOKBOX, a PowerShell-based malware, was delivered to targets through the Signal messaging app.

The campaign Cloudflare detected in April 2024 used Cloudflare Workers and GitHub for hosting and relied on CVE-2023-38831, a code-execution flaw in WinRAR that was fixed in version 6.23 in August 2023; a host running a current WinRAR build is not affected by the archive trick. The group primarily targets Ukrainian military entities, using dynamic DNS (DDNS) for its infrastructure and cloud-based platforms to host malicious content and command-and-control (C2) endpoints.

Phishing emails in this campaign used debt-related lures to steer recipients to a spoofed Kyiv Komunalka website hosted on GitHub. Clicking the download link retrieved a RAR archive built to trigger CVE-2023-38831: the archive pairs a benign-looking document with a folder of the same name that holds a script, so that opening the document in an unpatched WinRAR executes the script instead, which installs COOKBOX. Cloudflare noted that this variant of COOKBOX is designed to persist on the host and to resolve a DDNS domain for C2 communication.
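The archive layout behind CVE-2023-38831 is easy to spot before anything is opened. The following Python scanner is an added example written for this page, not Cloudflare's or CERT-UA's code, and it works on ZIP archives because the standard library can parse those without extra tooling; the campaign described above used RAR, and the same name-based heuristic applies to a RAR entry listing (for example from rarfile or `unrar l`). The file names, the "debt_notice" lure and the archive contents are constructed test data, not samples from the campaign.

```python
import io
import os
import sys
import zipfile

# Extensions that Windows will run, rather than display, when a vulnerable
# WinRAR hands the extracted temp file to ShellExecute.
EXECUTABLE_EXTENSIONS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs",
                         ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".lnk"}


def find_cve_2023_38831_candidates(archive_bytes: bytes) -> list[dict]:
    """Flag entry layouts matching CVE-2023-38831 in a ZIP held in memory.

    The layout (per the CVE description): a top-level decoy file such as
    "invoice.pdf " and a directory with exactly the same name, holding a
    script such as "invoice.pdf .cmd". WinRAR before 6.23 extracts both
    when the user opens the decoy and ends up executing the script.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()

    # Explicit directory entries end in "/"; everything else is a file.
    files = [n for n in names if not n.endswith("/")]

    findings = []
    for decoy in files:
        if "/" in decoy:
            continue  # only a top-level file is double-clicked from the listing
        for child in files:
            # A file nested under a folder whose name equals the decoy's name.
            if not child.startswith(decoy + "/"):
                continue
            if os.path.splitext(child)[1].lower() in EXECUTABLE_EXTENSIONS:
                findings.append({
                    "decoy": decoy,
                    "script": child,
                    # Trailing whitespace in the decoy name is the usual tell;
                    # it is what lets file and folder share a display name.
                    "trailing_space": decoy != decoy.rstrip(),
                })
    return findings


def build_constructed_sample() -> bytes:
    """Constructed test data: a harmless archive with the suspicious layout.

    The decoy and the same-named folder (both with a trailing space) mirror
    the debt-themed lure; the .cmd only echoes a line, so the archive is
    safe to create on a test machine. Hypothetical names, not campaign files.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("debt_notice.pdf ", b"%PDF-1.4\n% decoy document, constructed\n")
        zf.writestr("debt_notice.pdf /debt_notice.pdf .cmd",
                    "@echo off\r\necho constructed sample, does nothing\r\n")
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed test data: an ordinary archive that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("debt_notice.pdf", b"%PDF-1.4\n% ordinary document, constructed\n")
        zf.writestr("notes/readme.txt", b"nothing suspicious here\n")
    return buf.getvalue()


def scan_paths(paths: list[str]) -> dict[str, list[dict]]:
    """Scan ZIP files on disk; returns {path: findings} for triage."""
    results = {}
    for path in paths:
        with open(path, "rb") as fh:
            results[path] = find_cve_2023_38831_candidates(fh.read())
    return results


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path, hits in scan_paths(targets).items():
            print(path, "SUSPICIOUS" if hits else "clean", hits)
    else:
        print("constructed sample:", find_cve_2023_38831_candidates(build_constructed_sample()))
        print("benign sample:", find_cve_2023_38831_candidates(build_benign_sample()))
```

Run it with one or more archive paths to triage attachments, or with no arguments to see the two constructed samples. The scan is a detection aid for mail gateways and incident triage; the actual fix on endpoints is upgrading WinRAR to 6.23 or later, after which the same-named folder is no longer processed when the decoy is opened.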

In addition to this campaign, CERT-UA warned of another financially motivated group, UAC-0006, using BunnyLoader malware to drop SmokeLoader and TALESHOT malware. These phishing attacks are evolving to target European and U.S. financial organizations and employ various tactics, including trojanizing legitimate software installers.

Overall, the cybersecurity landscape is witnessing an increase in spear-phishing campaigns by Russian APT groups, with a focus on exfiltrating data and credentials using malware such as Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.
