Cloudflare on Thursday mentioned it took steps to disrupt a month-long phishing marketing campaign orchestrated by a Russia-aligned risk actor referred to as FlyingYeti concentrating on Ukraine.
“The FlyingYeti marketing campaign capitalized on anxiousness over the potential lack of entry to housing and utilities by attractive targets to open malicious information by way of debt-themed lures,” Cloudflare’s risk intelligence staff Cloudforce One mentioned in a brand new report printed in the present day.
“If opened, the information would end in an infection with the PowerShell malware referred to as COOKBOX, permitting FlyingYeti to assist follow-on targets, resembling set up of extra payloads and management over the sufferer’s system.”
FlyingYeti is the denomination utilized by the online infrastructure firm to trace an exercise cluster that the Laptop Emergency Response Group of Ukraine (CERT-UA) is monitoring below the moniker UAC-0149.
Earlier assaults disclosed by the cybersecurity company have concerned using malicious attachments despatched by way of the Sign immediate messaging app to ship COOKBOX, a PowerShell-based malware able to loading and executing cmdlets.
The most recent marketing campaign detected by Cloudforce One in mid-April 2024 includes using Cloudflare Employees and GitHub, alongside the exploitation of WinRAR vulnerability tracked as CVE-2023-38831.
The corporate described the risk actor as primarily targeted on concentrating on Ukrainian navy entities, including it makes use of dynamic DNS (DDNS) for his or her infrastructure and leverages cloud-based platforms for staging malicious content material and for command-and-control (C2) functions.
The e-mail messages have been noticed using debt restructuring and payment-related lures to entice recipients into clicking on a now-removed GitHub web page (komunalka.github[.]io) that impersonates the Kyiv Komunalka web site and instructs them to obtain a Microsoft Phrase file (“Рахунок.docx”).
However in actuality, clicking on the obtain button within the web page leads to the retrieval of a RAR archive file (“Заборгованість по ЖКП.rar”), however solely after evaluating the HTTP request to a Cloudflare Employee. The RAR file, as soon as launched, weaponizes CVE-2023-38831 to execute the COOKBOX malware.
“The malware is designed to persist on a bunch, serving as a foothold within the contaminated system. As soon as put in, this variant of COOKBOX will make requests to the DDNS area postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run,” Cloudflare mentioned.
The event comes as CERT-UA warned of a spike in phishing assaults from a financially motivated group referred to as UAC-0006 which might be engineered to drop the SmokeLoader malware, which is then used to deploy extra malware resembling TALESHOT.
Phishing campaigns have additionally set their sights on European and U.S. monetary organizations to ship a official Distant Monitoring and Administration (RMM) software program referred to as SuperOps by packing its MSI installer inside a trojanized model of the favored Minesweeper sport.
“Operating this program on a pc will present unauthorized distant entry to the pc to third-parties,” CERT-UA mentioned, attributing it to a risk actor referred to as UAC-0188.
The disclosure additionally follows a report from Flashpoint, which revealed that Russian superior persistent risk (APT) teams are concurrently evolving and refining their techniques in addition to increasing their concentrating on.
“They’re utilizing new spear-phishing campaigns to exfiltrate information and credentials by delivering malware bought on illicit marketplaces,” the corporate mentioned final week. “Essentially the most prevalent malware households utilized in these spear-phishing campaigns had been Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.”