Cloudflare announced on Thursday that it had taken steps to disrupt a month-long phishing campaign, along with the infrastructure behind it, run by a Russia-aligned cybercriminal group it tracks as FlyingYeti, which targeted infrastructure in Ukraine.
FlyingYeti: what Cloudflare tells us about the hacking campaign
“The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and public services, tricking victims into opening malicious files via debt-themed lures,” Cloudflare’s threat intelligence team, Cloudforce One, said in a new report released today.
“If opened, the files resulted in infection with the PowerShell malware known as COOKBOX, allowing FlyingYeti to support subsequent objectives, such as installing additional payloads and taking control over the victim’s system.”
FlyingYeti’s goals
FlyingYeti is the name used by the web infrastructure company to track a cluster of activities that the Computer Emergency Response Team of Ukraine (CERT-UA) is tracking under the name UAC-0149.
Previous attacks disclosed by the cybersecurity agency involved the use of malicious attachments sent via the Signal instant messaging app to distribute COOKBOX, a PowerShell-based malware capable of loading and executing cmdlets.
The latest campaign detected by Cloudforce One in mid-April 2024 involves the use of Cloudflare Workers and GitHub, along with the exploitation of a WinRAR vulnerability tracked as CVE-2023-38831.
The company described the hacking group as primarily focused on targeting Ukrainian military entities, adding that it uses Dynamic DNS (DDNS) for its infrastructure and leverages cloud platforms both for staging malicious content and for command and control (C2).
The FlyingYeti deception: the deceptive link
The deceptive link is a staple of phishing, and FlyingYeti is no exception. The observed email messages used lures about debt restructuring and payments to entice recipients to click through to a now-removed GitHub page (komunalka.github[.]io) that impersonated the website of Kyiv Komunalka and instructed them to download a Microsoft Word file (“Рахунок.docx”).
In reality, clicking the download button on the page delivered a RAR archive (“Заборгованість по ЖКП.rar”), and only after a Cloudflare Worker had evaluated the HTTP request. Once launched, the RAR file exploited CVE-2023-38831 to execute the COOKBOX malware.
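CVE-2023-38831 is a WinRAR flaw (fixed in 6.23) that is exploited through the layout of the archive itself: a harmless-looking file sits next to a directory whose name is the same file name plus a trailing space, and opening the "document" launches a script from that directory. That layout is visible in the archive listing before anything is extracted, so it makes a cheap triage check for mail gateways and sandboxes. The following is an added example, not code from the Cloudflare report or from the campaign; the entry names it scans are constructed for illustration and are not the contents of the archive described above.

```python
"""Flag the CVE-2023-38831 archive layout from a member listing (added example).

Feed it the member paths a listing tool reports (e.g. the output of an
archive library's namelist), using '/' as the separator. Directories may be
listed explicitly with a trailing '/' or appear only through their children.
"""
from collections import defaultdict

# Extensions WinRAR would hand to the shell for execution; used only to
# rank findings, the name-twin pattern alone is what the CVE relies on.
SCRIPT_LIKE = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".lnk", ".scr"}


def find_trailing_space_twins(entries):
    """Return sorted (file, [children]) pairs where a directory named
    `file + ' '` exists alongside a plain file `file`."""
    files = set()                       # full paths of plain file members
    dir_children = defaultdict(list)    # directory path -> direct children
    for raw in entries:
        is_dir = raw.endswith("/")
        path = raw[:-1] if is_dir else raw
        parts = path.split("/")
        # Every ancestor prefix is a directory, whether or not it was listed.
        for i in range(1, len(parts)):
            dir_children.setdefault("/".join(parts[:i]), [])
        if is_dir:
            dir_children.setdefault(path, [])
        else:
            files.add(path)
            if len(parts) > 1:
                dir_children["/".join(parts[:-1])].append(path)

    findings = []
    for member in sorted(files):
        twin = member + " "             # the trailing-space directory
        if twin in dir_children:
            findings.append((member, sorted(dir_children[twin])))
    return findings


def has_executable_child(children):
    """True if any child of the twin directory carries a script-like extension
    (after stripping the trailing-space trick WinRAR uses on the child too)."""
    for child in children:
        name = child.rsplit("/", 1)[-1].rstrip()
        dot = name.rfind(".")
        if dot != -1 and name[dot:].lower() in SCRIPT_LIKE:
            return True
    return False


def triage(entries):
    """Return 'malicious', 'suspicious' or 'clean' for an archive listing."""
    findings = find_trailing_space_twins(entries)
    if not findings:
        return "clean"
    if any(has_executable_child(children) for _, children in findings):
        return "malicious"
    return "suspicious"


# Constructed listings for demonstration (not from any real sample).
SAMPLE_BAD = [
    "Invoice.pdf",
    "Invoice.pdf /",
    "Invoice.pdf /Invoice.pdf .cmd",
    "readme.txt",
]
SAMPLE_CLEAN = ["docs/", "docs/readme.txt", "image.png"]

if __name__ == "__main__":
    for label, listing in (("bad", SAMPLE_BAD), ("clean", SAMPLE_CLEAN)):
        print(label, triage(listing), find_trailing_space_twins(listing))
```

The check works on names only, so it runs on untrusted archives without extracting them; pair it with the WinRAR version of the endpoint, since 6.23 and later no longer honour the twin directory.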
“The malware is designed to persist on a host, acting as a foothold into the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for the C2, waiting for PowerShell cmdlets that the malware will execute next,” Cloudflare said.
Further developments
The development comes as CERT-UA has warned of an increase in phishing attacks by a financially motivated group known as UAC-0006, designed to distribute the SmokeLoader malware, which is then used to deploy additional malware such as TALESHOT.
Phishing campaigns have also targeted European and US financial organizations to distribute legitimate Remote Monitoring and Management (RMM) software called SuperOps, by packaging its MSI installer inside a trojanized version of the popular game Minesweeper.
“Running this program on a computer will provide unauthorized remote access to the computer to third parties,” CERT-UA stated, attributing the activity to a cybercriminal group it tracks as UAC-0188.
The disclosure also follows a report from Flashpoint, which revealed that Russian advanced persistent threat (APT) groups are simultaneously evolving and refining their tactics, as well as expanding their targets.
“They are using new spear-phishing campaigns to exfiltrate data and credentials by distributing malware sold on illicit markets,” the company said last week. “The most prevalent malware families used in these spear-phishing campaigns were Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.”