CyberSecurity SEE

FlyingYeti APT Distributes Malware Through WinRAR via Cookbox

Cloudflare’s intelligence team recently discovered a prolonged phishing campaign orchestrated by the Russia-aligned threat group FlyingYeti. This intricate scheme involved exploiting a WinRAR vulnerability to distribute the Cookbox malware to unsuspecting Ukrainian residents. The attackers preyed on the financial vulnerability of Ukrainian individuals grappling with the aftermath of the government’s decision to lift a moratorium on evictions and utility disconnections due to unpaid debts.

FlyingYeti, also known as UAC-0149 by the Computer Emergency Response Team of Ukraine (CERT-UA), typically focused on targeting military entities within Ukraine but shifted its attention to civilian sectors in this particular operation. The phishing initiative commenced in mid-April, with Cloudforce One intercepting indications of FlyingYeti’s impending actions.

The attackers employed deceptive tactics, using debt-related themes to lure victims into opening malicious files. Once these files were executed, the victim’s system was infected with the Cookbox malware, which is known for its ability to run additional malicious commands and payloads via PowerShell. Posing as representatives of Ukraine’s housing authority, Kyiv Komunalka, the threat actors sent phishing emails and Signal messages prompting recipients to download a Microsoft Word document, which in turn retrieved a WinRAR archive file from a GitHub-hosted site.

This WinRAR file, exploiting the vulnerability numbered CVE-2023-38831, facilitated the installation of the Cookbox malware onto the victim’s device. The archive contained various files designed to mask their extensions and appear harmless to the unwitting user, including decoy documents resembling debt restructuring agreements embedded with tracking links to monitor user engagement. To ensure the malware’s persistence on the infected device, the threat actors established communication with a dynamic DNS (DDNS) domain for command-and-control (C2) purposes.
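The archive layout associated with CVE-2023-38831 is recognisable from an archive listing alone: a benign-looking decoy file sits next to a directory of the same name (differing only by trailing whitespace) that holds a script whose name begins with the decoy’s. The following detection heuristic is an added example, not code from the article or from Cloudflare; the entry names are constructed, and the trigger layout is assumed from the public description of the vulnerability rather than from this page.

```python
"""Flag archive listings that match the CVE-2023-38831 decoy/directory layout.

A mail gateway or sandbox would feed in the entry names of each incoming
archive (e.g. from a ZIP namelist or an `unrar l` listing). The sample
listings below are constructed for this example.
"""
import os
from typing import Iterable

# Extensions Windows would execute rather than open in a viewer (assumed list).
EXEC_EXT = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk", ".hta"}


def find_cve_2023_38831_pairs(entries: Iterable[str]) -> list[tuple[str, str]]:
    """Return (decoy file, executable member) pairs matching the exploit layout.

    Layout checked: a top-level file "X.ext" or "X.ext " and a top-level
    directory whose whitespace-stripped name equals "X.ext", containing a
    member whose name starts with "X.ext" and carries an executable extension.
    """
    names = [e.replace("\\", "/") for e in entries]
    top_files = [n for n in names if "/" not in n]
    dir_members: dict[str, list[str]] = {}
    for n in names:
        if "/" in n:
            top_dir, rest = n.split("/", 1)
            if rest:  # skip bare "dir/" entries, keep real members
                dir_members.setdefault(top_dir, []).append(n)

    hits: list[tuple[str, str]] = []
    for decoy in top_files:
        key = decoy.rstrip()
        for top_dir, members in dir_members.items():
            if top_dir.rstrip() != key:
                continue
            for full in members:
                base = os.path.basename(full)
                ext = os.path.splitext(base.rstrip())[1].lower()
                if base.startswith(key) and ext in EXEC_EXT:
                    hits.append((decoy, full))
    return hits


# Constructed listings: one mimicking the debt-restructuring decoy theme, one benign.
SUSPICIOUS_LISTING = [
    "Debt_restructuring_agreement.pdf ",
    "Debt_restructuring_agreement.pdf /",
    "Debt_restructuring_agreement.pdf /Debt_restructuring_agreement.pdf .cmd",
]
BENIGN_LISTING = ["invoice.pdf", "attachments/", "attachments/invoice.pdf", "scripts/setup.cmd"]

if __name__ == "__main__":
    print(find_cve_2023_38831_pairs(SUSPICIOUS_LISTING))  # one pair flagged
    print(find_cve_2023_38831_pairs(BENIGN_LISTING))      # []
```

Patched WinRAR (6.23 and later) no longer executes the script, so the heuristic is a gateway-side complement to patching, not a substitute for it.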

Cloudflare’s monitoring revealed that FlyingYeti had conducted extensive reconnaissance of Ukrainian communal housing and utility payment procedures. Initially leveraging Cloudflare’s serverless computing platform Workers to retrieve the WinRAR file hosted on GitHub, FlyingYeti relocated the malware to GitHub after their operation was exposed; following Cloudflare’s alert to GitHub, the phishing site and the WinRAR file were removed and the associated account was suspended.

Subsequently, FlyingYeti shifted to alternative hosting platforms such as Pixeldrain and Filemail, but continued interference by Cloudflare prolonged the attack and forced the attackers to modify their tactics repeatedly. These disruptions prompted the malicious actors to abandon the campaign temporarily. However, FlyingYeti may well resurface, given the history of cybersecurity threats directed at Ukraine amid its ongoing conflict with Russia.

To combat potential phishing assaults, Cloudflare proposed several fundamental security measures, emphasizing the implementation of a zero-trust architecture and ensuring that systems are updated with the latest WinRAR and Microsoft security patches. Enhanced email security measures to counter phishing and business email compromise (BEC) threats were also recommended, along with the utilization of browser isolation to segregate messaging applications from the primary network. Furthermore, the implementation of data loss prevention policies and running endpoint detection and response (EDR) tools like Microsoft Defender for Endpoint can heighten network security and bolster defenses against future cyber threats.

In conclusion, the FlyingYeti phishing campaign highlights the importance of proactive cybersecurity measures and the constant vigilance required to safeguard against evolving threats in the digital landscape. By staying abreast of security updates, implementing robust security protocols, and employing advanced threat detection mechanisms, organizations and individuals can fortify their defenses against sophisticated cyber attacks.
