Since Russia’s invasion of Ukraine on February 24, 2022, tensions have been high globally. Following the invasion, Ukraine imposed a moratorium on utility service evictions and terminations for unpaid debt, which ended in January 2024. During this time, a threat actor known as “FlyingYeti” exploited the situation.
“FlyingYeti” exploited Ukrainians’ anxiety over unpaid debt with a debt-themed phishing campaign, spreading the PowerShell malware “COOKBOX” to gain control over victims’ systems. The campaign utilized GitHub servers, Cloudflare Workers, and a WinRAR vulnerability (CVE-2023-38831).
FlyingYeti Uses WinRAR Flaw
Reports indicate that FlyingYeti’s activities overlap with UAC-0149, a group targeting Ukrainian defense entities with the same malware in fall 2023. Between mid-April and mid-May 2024, FlyingYeti conducted reconnaissance for a potential Easter campaign.
They use dynamic DNS and cloud platforms for hosting malware and C2 servers. FlyingYeti is likely aligned with Russia and targets Ukrainian military entities; its code contains Russian-language comments, and its operational hours fall in the UTC+3 time zone.
In April, FlyingYeti’s reconnaissance targeted Ukrainian communal housing and utility payment processes. On April 22, 2024, they focused on 2016 changes introducing QR codes in payment notices and current developments in housing and utility debt.
On April 25, 2024, reconnaissance focused on the legal basis of restructuring housing debt and utilities like gas and electricity in Ukraine. These actions suggest the actor intended to use payment-related lures, which are more likely to succeed against Ukrainian individuals.
Cloudflare researchers thwarted a phishing campaign set to launch for Easter. Analysis of the campaign code revealed threat actors using a spoofed version of the Kyiv Komunalka communal housing site, a payment processor for Kyiv residents.
Kyiv Komunalka facilitates payments for utilities, fines, and donations to Ukraine’s defense forces. The phishing campaign was set to deploy via email or encrypted Signal message, likely containing a GitHub page link.
This page, when visited, prompts users to download a payment invoice document named “Рахунок.docx” (“Invoice.docx”). However, the actual download is a malicious RAR archive named “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”).
The RAR archive includes several files, one of which has a filename containing the Unicode character U+201F, which renders like whitespace between the apparent name and the real extension. This file appears to be a PDF document but is actually a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”).
When decompressed, the RAR extracts the malicious PDF, exploiting WinRAR vulnerability CVE-2023-38831. Subsequently, the COOKBOX PowerShell malware executes, granting persistent access to the device. Once installed, COOKBOX connects to the DDNS domain postdock[.]serveftp[.]com for C2 and awaits PowerShell cmdlets. Additionally, decoy documents in the RAR contain hidden tracking links via the Canary Tokens service.
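As an added example (not code from the original report or from Cloudflare), a defender-side triage check over RAR entry names for the disguised-extension trick described above: a document-looking extension, a filler such as U+201F, then the real executable extension, plus the decoy-file/script pairing. The entry list is constructed from the filenames in the IOC table below; the executable-extension set is an assumption.

```python
import re
import unicodedata

# Extensions Windows runs on double-click (assumption: a starting set, extend as needed).
EXECUTABLE_EXTS = {"cmd", "bat", "exe", "scr", "vbs", "js", "ps1", "lnk", "hta"}

# stem . fake-extension <filler> . real-extension
# filler is any run of characters that are not ASCII letters, digits or dots:
# U+201F in the FlyingYeti archive, or a plain space in the classic "name.pdf .cmd" variant.
DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+?)\.(?P<fake>[A-Za-z0-9]{1,5})(?P<filler>[^A-Za-z0-9.]*)\.(?P<real>[A-Za-z0-9]{1,4})$"
)

# Constructed entry list, taken from the filenames in the IOC table (U+201F written explicitly).
ENTRIES = [
    "Рахунок на оплату.pdf\u201f.cmd",
    "Рахунок на оплату.pdf",
    "Реструктуризація боргу за житлово комунальні послуги.docx",
    "Угода користувача.docx",
    "Заборгованість по ЖКП станом на 26.04.24.docx",
]


def describe(chars: str) -> str:
    """Render filler characters as code points with names so an analyst sees what the eye missed."""
    return ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}" for c in chars)


def suspicious_entries(names):
    """Return [(entry, reason)] for names that hide an executable extension behind a document
    extension, and for names that merely extend another entry's name (decoy file + script pair)."""
    findings = []
    for name in names:
        m = DOUBLE_EXT.match(name)
        if m and m["real"].lower() in EXECUTABLE_EXTS:
            filler = describe(m["filler"]) or "none"
            findings.append((name, f"visible .{m['fake']} but executes as .{m['real']}; filler: {filler}"))
    # A benign decoy whose full name is a prefix of another entry: the pairing the archive relies on.
    for decoy in names:
        for other in names:
            if other != decoy and other.startswith(decoy) and DOUBLE_EXT.match(other):
                findings.append((other, f"name extends decoy entry {decoy!r}"))
    return findings


if __name__ == "__main__":
    for entry, reason in suspicious_entries(ENTRIES):
        print(f"SUSPICIOUS: {entry!r}: {reason}")
```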
Indicators Of Compromise
Filename | SHA256 Hash | Description
--- | --- | ---
Заборгованість по ЖКП.rar | a0a294f85c8a19be048ffcc05ede6fd5a7ac5e2f0032a3ca0050dc1ae960c314 | RAR archive
Рахунок на оплату.pdf .cmd | 0cca8f795c7a81d33d36d5204fcd9bc73bdc2af7de315c1449cbc3551ef4fb59 | COOKBOX sample (contained in RAR archive)
Реструктуризація боргу за житлово комунальні послуги.docx | 915721b94e3dffa6cef3664532b586be6cf989fec923b26c62fdaf201ee81d2c | Benign Word document with tracking link (contained in RAR archive)
Угода користувача.docx | 79a9740f5e5ea4aa2157d9d96df34ee49a32e2d386fe55fedfd1aa33e151c06d | Benign Word document with tracking link (contained in RAR archive)
Рахунок на оплату.pdf | 19e25456c2996ded3e29577b609de54a2bef90dad8f868cdad795c18df05a79b | Random binary data (contained in RAR archive)
Заборгованість по ЖКП станом на 26.04.24.docx | e0d65e2d36afd3db1b603f10e0488cee3f58ade24d8abc6bee240314d8696708 | Random binary data (contained in RAR archive)
Domain / URL | Description
--- | ---
komunalka[.]github[.]io | Phishing page
hxxps[:]//github[.]com/komunalka/komunalka[.]github[.]io | Phishing page
hxxps[:]//worker-polished-union-f396[.]vqu89698[.]workers[.]dev | Worker that fetches the malicious RAR file
hxxps[:]//raw[.]githubusercontent[.]com/kudoc8989/project/main/Заборгованість по ЖКП.rar | Delivery of the malicious RAR file
hxxps[:]//1014[.]filemail[.]com/api/file/get?filekey=e_8S1HEnM5Rzhy_jpN6nL-GF4UAP533VrXzgXjxH1GzbVQZvmpFzrFA&pk_vid=a3d82455433c8ad11715865826cf18f6 | Dummy payload
hxxps[:]//pixeldrain[.]com/api/file/ZAJxwFFX?download= | Dummy payload
hxxp[:]//canarytokens[.]com/stuff/tags/ni1cknk2yq3xfcw2al3efs37m/payments.js | Tracking link
hxxp[:]//canarytokens[.]com/stuff/terms/images/k22r2dnjrvjsme8680ojf5ccs/index.html | Tracking link
postdock[.]serveftp[.]com | COOKBOX C2