FlyingYeti Exploits WinRAR Vulnerability to Ship COOKBOX Malware in Ukraine

Cloudflare on Thursday said it took steps to disrupt a month-long phishing campaign orchestrated by a Russia-aligned threat actor known as FlyingYeti targeting Ukraine.

"The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures," Cloudflare's threat intelligence team Cloudforce One said in a new report published today.

"If opened, the files would result in infection with the PowerShell malware known as COOKBOX, allowing FlyingYeti to support follow-on objectives, such as installation of additional payloads and control over the victim's system."

FlyingYeti is the name used by the web infrastructure company to track an activity cluster that the Computer Emergency Response Team of Ukraine (CERT-UA) is monitoring under the moniker UAC-0149.

Previous attacks disclosed by the cybersecurity agency have involved the use of malicious attachments sent via the Signal instant messaging app to deliver COOKBOX, a PowerShell-based malware capable of loading and executing cmdlets.

The latest campaign detected by Cloudforce One in mid-April 2024 involves the use of Cloudflare Workers and GitHub, alongside the exploitation of the WinRAR vulnerability tracked as CVE-2023-38831.

The company described the threat actor as primarily focused on targeting Ukrainian military entities, adding that it uses dynamic DNS (DDNS) for its infrastructure and leverages cloud-based platforms for staging malicious content and for command-and-control (C2) purposes.

The email messages have been observed using debt restructuring and payment-related lures to entice recipients into clicking on a now-removed GitHub page (komunalka.github[.]io) that impersonates the Kyiv Komunalka website and instructs them to download a Microsoft Word file ("Рахунок.docx").

But in reality, clicking on the download button on the page results in the retrieval of a RAR archive file ("Заборгованість по ЖКП.rar"), but only after the HTTP request has been evaluated by a Cloudflare Worker. The RAR file, once launched, weaponizes CVE-2023-38831 to execute the COOKBOX malware.
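CVE-2023-38831 is triggered by an archive layout rather than by a malformed header: a decoy document entry whose name ends in a space sits next to a directory of the same name that holds a script whose name starts with the decoy's name. The following detector is an added example (not Cloudflare's code, and the entry names are constructed, not the contents of the real lure); it inspects only entry names, so it can be fed the listing from any archive tool.

```python
"""Heuristic detector for the CVE-2023-38831 archive layout.

A vulnerable WinRAR that is asked to open the decoy "Invoice.pdf " (note the
trailing space) extracts every entry matching "Invoice.pdf *", including the
script inside the same-named directory, and runs the script instead of the
document.  Entry names are enough to spot the pattern.
"""
import posixpath
import re

# Extensions Windows will execute when the spoofed entry is opened.
EXECUTABLE_EXT = re.compile(r"\.(cmd|bat|exe|ps1|vbs|js|wsf|scr|com|lnk)$", re.I)

# Constructed sample listing; not the contents of the FlyingYeti archive.
SAMPLE_ENTRIES = [
    "Invoice.pdf ",                      # decoy document, trailing space
    "Invoice.pdf /Invoice.pdf .cmd",     # script inside same-named directory
    "readme.txt",                        # unrelated file, should be ignored
]


def find_cve_2023_38831_pairs(entry_paths):
    """Return sorted (decoy, script) pairs that match the exploit layout.

    `entry_paths` is an iterable of archive entry paths using '/' separators,
    as printed by `unrar lt`, `7z l` or the `rarfile` module.  Directory
    entries (ending in '/') are skipped; directories are inferred from paths.
    """
    files = [p for p in entry_paths if not p.endswith("/")]
    hits = []
    for decoy in files:
        base = posixpath.basename(decoy)
        # The trailing space is the hallmark: no real document is named that way.
        if not base.endswith(" "):
            continue
        for candidate in files:
            parent, leaf = posixpath.split(candidate)
            # Script must live in the directory named like the decoy and share
            # its prefix so that WinRAR's "decoy*" extraction picks it up.
            if parent == decoy and leaf.startswith(base) and EXECUTABLE_EXT.search(leaf):
                hits.append((decoy, candidate))
    return sorted(hits)


if __name__ == "__main__":
    for decoy, script in find_cve_2023_38831_pairs(SAMPLE_ENTRIES):
        print(f"suspicious pair: {decoy!r} -> {script!r}")
```

A directory that merely shares a document's name without the trailing space, or that contains only non-executable files, does not match, which keeps false positives low on legitimate archives.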

"The malware is designed to persist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run," Cloudflare said.

The development comes as CERT-UA warned of a spike in phishing attacks from a financially motivated group known as UAC-0006 that are engineered to drop the SmokeLoader malware, which is then used to deploy additional malware such as TALESHOT.

Phishing campaigns have also set their sights on European and U.S. financial organizations to deliver a legitimate Remote Monitoring and Management (RMM) software called SuperOps by packing its MSI installer inside a trojanized version of the popular Minesweeper game.

"Running this program on a computer will provide unauthorized remote access to the computer to third parties," CERT-UA said, attributing it to a threat actor called UAC-0188.

The disclosure also follows a report from Flashpoint, which revealed that Russian advanced persistent threat (APT) groups are simultaneously evolving and refining their tactics as well as expanding their targeting.

"They're using new spear-phishing campaigns to exfiltrate data and credentials by delivering malware purchased on illicit marketplaces," the company said last week. "The most prevalent malware families used in these spear-phishing campaigns have been Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader."
