The tensions between Russia and Ukraine have been escalating ever since the invasion on February 24, 2022. This conflict has not only affected the two nations but has also raised concerns globally.
In response to the invasion, Ukraine initiated an eviction and termination moratorium on utility services for unpaid debts, which was intended to last until January 2024. However, during this time, a threat actor known as “FlyingYeti” took advantage of the situation to conduct a phishing campaign targeting Ukrainian citizens who were already anxious about their unpaid debts and the risk of losing access to housing.
The phishing campaign orchestrated by FlyingYeti involved luring victims into downloading a malware file onto their systems. The malware, named “COOKBOX,” was a PowerShell malware that allowed the threat actors to gain control over the victim’s system and install additional payloads.
To carry out this campaign, FlyingYeti used GitHub and Cloudflare Workers for hosting, and exploited a WinRAR vulnerability (CVE-2023-38831) to execute its payload. This combination enabled the threat actor to effectively target Ukrainian individuals who were vulnerable because of their concerns about unpaid debts and housing security.
According to reports shared with Cyber Security News, FlyingYeti’s activities bear similarities to a previously identified threat actor known as UAC-0149, which targeted Ukrainian Defense entities with the same malware in the past. FlyingYeti was observed engaging in reconnaissance activities against potential victims in preparation for a campaign intended to be launched during Easter.
The threat actor's modus operandi involved using dynamic DNS for its infrastructure and cloud-based platforms for hosting its malware and command-and-control servers. The attribution of FlyingYeti to Russia-aligned threat groups was based on Russian-language comments in the malicious code and on operational hours coinciding with the UTC+3 time zone, in which three Russian locations are situated.
The reconnaissance activities observed in April focused on payment processes for communal housing and utility services in Ukraine, as well as legal aspects related to housing and utility debts. The phishing campaign disrupted by researchers at Cloudflare was designed to exploit the anxieties of Ukrainian individuals regarding their debts, using a spoofed version of the Kyiv Komunalka communal housing site as a lure.
The phishing email or encrypted Signal message contained a link to a GitHub page posing as a payment processor for utilities in Kyiv. Victims who clicked the link were led to download a malicious RAR archive which, when decompressed, executed the COOKBOX malware on their systems. The malware established persistence on the affected devices, giving the threat actors lasting access.
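The archive-based execution described above (and the CVE-2023-38831 reference earlier in the article) can be caught on the way in by inspecting archive listings: the publicly documented trigger for that WinRAR bug is a decoy document entry paired with a directory whose name differs only by trailing whitespace and which contains a script. The following detector is an added example, not code from the article or from Cloudflare, and every file name in it is a constructed placeholder rather than one of the campaign's real indicators. It works on a plain list of entry names so the same heuristic can be applied to a RAR listing produced by any other tool; the ZIP wrapper uses only the standard library.

```python
"""Heuristic detector for the CVE-2023-38831 archive layout (added example).

Assumption: the archive pairs a decoy document entry with a directory of the
same name (differing only by trailing whitespace) that holds a script. All
names below are constructed placeholders, not real indicators of compromise.
"""
import io
import posixpath
import zipfile

# Extensions that the archiver would hand to the shell instead of a viewer.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".scr", ".lnk"}


def find_decoy_script_pairs(entry_names):
    """Return (decoy, script) pairs from a list of archive entry names.

    Directory entries end with '/'; directories implied by nested file entries
    are added too, because many archives omit explicit directory records.
    """
    files = set()
    dirs = set()
    for name in entry_names:
        if name.endswith("/"):
            dirs.add(name.rstrip("/"))
            continue
        files.add(name)
        parent = posixpath.dirname(name)
        while parent:  # record every ancestor directory of a nested file
            dirs.add(parent)
            parent = posixpath.dirname(parent)

    findings = []
    for decoy in sorted(files):
        key = decoy.rstrip()  # trailing spaces are the tell-tale difference
        for directory in dirs:
            if directory.rstrip() != key:
                continue
            if posixpath.dirname(directory) != posixpath.dirname(decoy):
                continue  # the pair must sit side by side in the same folder
            for candidate in sorted(files):
                if posixpath.dirname(candidate) != directory:
                    continue
                ext = posixpath.splitext(candidate.rstrip())[1].lower()
                if ext in SCRIPT_EXTENSIONS:
                    findings.append((decoy, candidate))
    return findings


def scan_zip(data):
    """Scan ZIP bytes (or a path) and return the suspicious pairs found."""
    source = io.BytesIO(data) if isinstance(data, bytes) else data
    with zipfile.ZipFile(source) as zf:
        return find_decoy_script_pairs(zf.namelist())


def build_sample_archive(malicious):
    """Build a constructed in-memory ZIP, either benign or with the layout.

    The script body is an inert placeholder; only the entry names matter.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("debt_notice.pdf ", b"%PDF-1.4 decoy")
            zf.writestr("debt_notice.pdf /debt_notice.pdf .cmd", b"rem placeholder\r\n")
        else:
            zf.writestr("debt_notice.pdf", b"%PDF-1.4 benign")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        label = "malicious" if flag else "benign"
        print(label, scan_zip(build_sample_archive(flag)))
```

In a mail gateway or EDR hook, run `scan_zip` (or `find_decoy_script_pairs` over a RAR listing) before the archive reaches a user; any non-empty result is worth quarantining regardless of whether the WinRAR version in use is patched, since the layout has no legitimate use.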
Indicators of compromise included various filenames and SHA256 hashes associated with the malicious files, as well as domains used in the phishing campaign. The presence of hidden tracking links using the Canary Tokens service in decoy documents added an extra layer of sophistication to the threat actor’s tactics.
In conclusion, the FlyingYeti threat actor’s targeting of Ukrainian individuals through a debt-themed phishing campaign underscores the ever-evolving nature of cyber threats in the context of international conflicts. It serves as a stark reminder of the need for heightened cybersecurity measures to protect individuals and organizations from falling victim to such malicious activities.