Cloudflare on Thursday said it took steps to disrupt a month-long phishing campaign orchestrated by a Russia-aligned threat actor known as FlyingYeti targeting Ukraine.
“The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures,” Cloudflare’s threat intelligence team Cloudforce One said in a new report published today.
“If opened, the files would result in infection with the PowerShell malware known as COOKBOX, allowing FlyingYeti to support follow-on objectives, such as installation of additional payloads and control over the victim’s system.”
FlyingYeti is the name used by the web infrastructure company to track an activity cluster that the Computer Emergency Response Team of Ukraine (CERT-UA) is monitoring under the moniker UAC-0149.
Previous attacks disclosed by the cybersecurity agency have involved the use of malicious attachments sent via the Signal instant messaging app to deliver COOKBOX, a PowerShell-based malware capable of loading and executing cmdlets.
The latest campaign, detected by Cloudforce One in mid-April 2024, involves the use of Cloudflare Workers and GitHub, alongside the exploitation of the WinRAR vulnerability tracked as CVE-2023-38831.
The company described the threat actor as primarily focused on targeting Ukrainian military entities, adding that it uses dynamic DNS (DDNS) for its infrastructure and leverages cloud-based platforms for staging malicious content and for command-and-control (C2) purposes.
The email messages have been observed using debt restructuring and payment-related lures to entice recipients into clicking on a now-removed GitHub page (komunalka.github[.]io) that impersonates the Kyiv Komunalka website and instructs them to download a Microsoft Word file (“Рахунок.docx”).
In reality, clicking the download button on the page results in the retrieval of a RAR archive (“Заборгованість по ЖКП.rar”), but only after a Cloudflare Worker has evaluated the HTTP request. The RAR file, once opened in WinRAR, weaponizes CVE-2023-38831 to execute the COOKBOX malware.
“The malware is designed to persist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run,” Cloudflare said.
The development comes as CERT-UA warned of a spike in phishing attacks from a financially motivated group known as UAC-0006 that are engineered to drop the SmokeLoader malware, which is then used to deploy additional malware such as TALESHOT.
Phishing campaigns have also set their sights on European and U.S. financial organizations to deliver a legitimate Remote Monitoring and Management (RMM) software called SuperOps by packing its MSI installer inside a trojanized version of the popular Minesweeper game.
“Running this program on a computer will provide unauthorized remote access to the computer to third-parties,” CERT-UA said, attributing it to a threat actor known as UAC-0188.
The disclosure also follows a report from Flashpoint, which revealed that Russian advanced persistent threat (APT) groups are simultaneously evolving and refining their tactics as well as expanding their targeting.
“They are using new spear-phishing campaigns to exfiltrate data and credentials by delivering malware sold on illicit marketplaces,” the company said last week. “The most prevalent malware families used in these spear-phishing campaigns were Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.”
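The article names CVE-2023-38831 but not how it is triggered. Public write-ups of the bug describe the archive layout: a decoy document (typically with a trailing space in its name) sits beside a directory of exactly the same name, and that directory holds a script whose name begins with the decoy's name; when the victim double-clicks the decoy in WinRAR, the script is what actually runs. The check below is an added example for triage, not code from Cloudflare's report or from the campaign: it takes the entry names an archive lister prints (for example the paths from `unrar l` or `7z l`, which you should use instead of opening the file in WinRAR) and flags that layout. The archive listings, file names and extension list are constructed for illustration and are not the contents of the real "Заборгованість по ЖКП.rar".

```python
import posixpath

# Extensions Windows will execute when the extracted temp copy is handed to
# ShellExecute. Constructed for this example; extend it to taste.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".vbe",
                   ".js", ".jse", ".ps1", ".wsf", ".pif"}


def _normalise(entries):
    """Split an archive listing into file paths and directory paths.

    Directory entries may be listed explicitly with a trailing '/', or only
    implied by a file beneath them; both cases end up in `dirs` without the
    trailing slash so they can be compared against file names directly.
    """
    files, dirs = set(), set()
    for name in entries:
        name = name.replace("\\", "/")
        if name.endswith("/"):
            dirs.add(name.rstrip("/"))
            continue
        files.add(name)
        parent = posixpath.dirname(name)
        while parent:
            dirs.add(parent)
            parent = posixpath.dirname(parent)
    return files, dirs


def find_cve_2023_38831_collisions(entries):
    """Return (decoy, script, decoy_has_trailing_space) triples.

    A hit is a file whose full path is also a directory in the same archive,
    where that directory contains an executable whose name starts with the
    decoy's own base name. A same-named directory alone is not a hit: the
    exploit needs the script name to shadow the decoy name.
    """
    files, dirs = _normalise(entries)
    hits = []
    for decoy in sorted(files):
        if decoy not in dirs:
            continue
        decoy_base = posixpath.basename(decoy)
        for candidate in sorted(files):
            if posixpath.dirname(candidate) != decoy:
                continue
            child = posixpath.basename(candidate)
            ext = posixpath.splitext(child)[1].lower()
            if child.startswith(decoy_base) and ext in EXECUTABLE_EXTS:
                hits.append((decoy, candidate, decoy != decoy.rstrip()))
    return hits


# Constructed listings (hypothetical names, not the real campaign archive).
SUSPICIOUS_LISTING = [
    "invoice.pdf ",                       # decoy document, trailing space
    "invoice.pdf /invoice.pdf .cmd",      # script under a same-named folder
]
BENIGN_LISTING = [
    "docs/readme.txt",
    "docs/invoice.pdf",
    "setup.exe",                          # executables alone are not the pattern
]

if __name__ == "__main__":
    for label, listing in (("suspicious", SUSPICIOUS_LISTING),
                           ("benign", BENIGN_LISTING)):
        print(label, find_cve_2023_38831_collisions(listing))
```

The trailing-space flag is reported rather than required because the name-shadowing is the part the exploit depends on; a hit without the trailing space is still worth a look, and a standalone name with trailing whitespace (no same-named directory) is merely odd and is not reported.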