FlyingYeti Uses WinRAR Flaw for Malware Attacks

Since Russia’s invasion of Ukraine on February 24, 2022, tensions have been high globally. Following the invasion, Ukraine imposed a moratorium on utility service evictions and terminations for unpaid debt, which ended in January 2024. During this time, a threat actor known as “FlyingYeti” exploited the situation.

“FlyingYeti” exploited Ukrainians’ anxiety over unpaid debt with a debt-themed phishing campaign, spreading the PowerShell malware “COOKBOX” to gain control over victims’ systems. The campaign utilized GitHub servers, Cloudflare Workers, and a WinRAR vulnerability (CVE-2023-38831).

FlyingYeti Uses WinRAR Flaw

Reports indicate that FlyingYeti’s activities overlap with UAC-0149, a group targeting Ukrainian defense entities with the same malware in fall 2023. Between mid-April and mid-May 2024, FlyingYeti conducted reconnaissance for a potential Easter campaign.

They use dynamic DNS and cloud platforms to host malware and C2 servers. FlyingYeti is likely aligned with Russia and targets Ukrainian military entities; its code comments are written in Russian and its operating hours fall in the UTC+3 time zone.

In April, FlyingYeti’s reconnaissance targeted Ukrainian communal housing and utility payment processes. On April 22, 2024, they focused on 2016 changes introducing QR codes in payment notices and current developments in housing and utility debt.

On April 25, 2024, reconnaissance focused on the legal basis for restructuring housing and utility debt (for services such as gas and electricity) in Ukraine. This research supported payment-related lures, which are more likely to succeed with Ukrainian individuals.

Cloudflare researchers thwarted a phishing campaign set to launch for Easter. Analysis of the campaign code revealed threat actors using a spoofed version of the Kyiv Komunalka communal housing site, a payment processor for Kyiv residents.

Kyiv Komunalka facilitates payments for utilities, fines, and donations to Ukraine’s defense forces. The phishing campaign was to be delivered by email or encrypted Signal message, likely containing a link to a GitHub page.

This page, when visited, prompts users to download a payment invoice document named “Рахунок.docx” (“Invoice.docx”). However, the actual download is a malicious RAR archive named “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”).

The RAR archive contains several files, including one whose filename uses the Unicode character U+201F to act as whitespace between the name and the extension. This file appears to be a PDF document but is actually a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”).

When the archive is opened and the apparent PDF is launched, WinRAR vulnerability CVE-2023-38831 causes the malicious CMD file to execute instead. The CMD file then runs the COOKBOX PowerShell malware, which establishes persistent access to the device. Once installed, COOKBOX connects to the DDNS domain postdock[.]serveftp[.]com for C2 and awaits PowerShell cmdlets. The decoy documents in the RAR also contain hidden tracking links that use the Canary Tokens service.
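The two filename tricks described above (a U+201F character that renders as whitespace, and a script extension hidden behind a document name) can be checked for in an archive listing before anything inside it is opened. The following is an added example, not code from the original article or from Cloudflare's report. It generalizes beyond the one file in the article to other blank-looking Unicode characters (space separators, zero-width and bidi format characters) and to the plain ASCII-space padding used in CVE-2023-38831 lures, and it also pairs a script entry with the document entry whose name it mimics. The sample listing is constructed to mirror the filenames in the article; the extension lists are assumptions.

```python
"""Flag deceptive entry names in an archive listing (added example)."""
import unicodedata

# Assumed lists: extensions Windows executes when "opened", and document
# extensions a lure is likely to imitate.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".scr", ".hta", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".docx", ".doc", ".xlsx", ".xls", ".txt", ".rtf"}
# U+201F (DOUBLE HIGH-REVERSED-9 QUOTATION MARK) is punctuation, not whitespace,
# yet renders as a near-invisible mark, so it is listed explicitly.
EXTRA_BLANK_LIKE = {"\u201f"}


def is_hidden(ch):
    """True for characters that look blank but are not an ASCII space: Unicode
    space/line/paragraph separators, format characters (zero-width, bidi
    overrides) and the explicit list above."""
    if ch == " ":
        return False
    return unicodedata.category(ch) in ("Zs", "Zl", "Zp", "Cf") or ch in EXTRA_BLANK_LIKE


def hidden_chars(name):
    return ["U+%04X" % ord(c) for c in name if is_hidden(c)]


def base_name(name):
    return name.replace("\\", "/").rsplit("/", 1)[-1]


def split_name(name):
    """(stem, real extension) of an entry: the real extension is whatever
    follows the last dot, lower-cased, with surrounding blanks removed."""
    base = base_name(name)
    if "." not in base:
        return base, ""
    stem, ext = base.rsplit(".", 1)
    return stem, "." + ext.strip().lower()


def decoy_extension(stem):
    """Document extension the stem ends with once blank-like characters and
    trailing ASCII spaces are removed, e.g. 'invoice.pdf<U+201F>' -> '.pdf'."""
    cleaned = "".join(c for c in stem if not is_hidden(c)).rstrip().lower()
    for ext in DOCUMENT_EXTS:
        if cleaned.endswith(ext):
            return ext
    return None


def analyze_entry(name):
    stem, ext = split_name(name)
    findings = []
    hidden = hidden_chars(name)
    if hidden:
        findings.append("hidden-unicode:" + ",".join(hidden))
    decoy = decoy_extension(stem)
    if ext in EXECUTABLE_EXTS:
        if decoy:
            findings.append("executable-disguised-as:" + decoy)
        else:
            findings.append("executable")
    return {"name": name, "base": base_name(name), "real_ext": ext,
            "decoy_ext": decoy, "findings": findings}


def analyze_archive(entries):
    """Analyze each entry, then flag every script whose base name starts with
    the complete base name of a document entry in the same archive (the
    decoy/payload pairing in the article's indicator table)."""
    results = [analyze_entry(e) for e in entries]
    doc_names = {r["base"] for r in results if r["real_ext"] in DOCUMENT_EXTS}
    for r in results:
        if r["real_ext"] in EXECUTABLE_EXTS:
            for doc in doc_names:
                if r["base"] != doc and r["base"].startswith(doc):
                    r["findings"].append("pairs-with-decoy:" + doc)
    return results


def archive_is_suspicious(entries):
    return any(r["findings"] for r in analyze_archive(entries))


# Constructed listing mirroring the article's indicator table, with U+201F
# inserted where the article describes it. Not a real archive listing.
SAMPLE_ENTRIES = [
    "Рахунок на оплату.pdf",
    "Рахунок на оплату.pdf\u201f.cmd",
    "Реструктуризація боргу за житлово комунальні послуги.docx",
    "Угода користувача.docx",
    "Заборгованість по ЖКП станом на 26.04.24.docx",
]

if __name__ == "__main__":
    for r in analyze_archive(SAMPLE_ENTRIES):
        print(r["base"], "->", r["findings"] or "clean")
```

Run against a real archive by feeding it the entry names from a RAR or ZIP listing; a single entry with a `hidden-unicode` or `executable-disguised-as` finding is enough to quarantine the archive, and the `pairs-with-decoy` finding is the specific shape WinRAR CVE-2023-38831 lures take.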

Indicators Of Compromise

Filename | SHA256 Hash | Description
--- | --- | ---
Заборгованість по ЖКП.rar | a0a294f85c8a19be048ffcc05ede6fd5a7ac5e2f0032a3ca0050dc1ae960c314 | RAR archive
Рахунок на оплату.pdf[unicode character U+201F].cmd | 0cca8f795c7a81d33d36d5204fcd9bc73bdc2af7de315c1449cbc3551ef4fb59 | COOKBOX Sample (contained in RAR archive)
Реструктуризація боргу за житлово комунальні послуги.docx | 915721b94e3dffa6cef3664532b586be6cf989fec923b26c62fdaf201ee81d2c | Benign Word Document with Tracking Link (contained in RAR archive)
Угода користувача.docx | 79a9740f5e5ea4aa2157d9d96df34ee49a32e2d386fe55fedfd1aa33e151c06d | Benign Word Document with Tracking Link (contained in RAR archive)
Рахунок на оплату.pdf | 19e25456c2996ded3e29577b609de54a2bef90dad8f868cdad795c18df05a79b | Random Binary Data (contained in RAR archive)
Заборгованість по ЖКП станом на 26.04.24.docx | e0d65e2d36afd3db1b603f10e0488cee3f58ade24d8abc6bee240314d8696708 | Random Binary Data (contained in RAR archive)

Domain / URL | Description
--- | ---
komunalka[.]github[.]io | Phishing page
hxxps[:]//github[.]com/komunalka/komunalka[.]github[.]io | Phishing page
hxxps[:]//worker-polished-union-f396[.]vqu89698[.]workers[.]dev | Worker that fetches malicious RAR file
hxxps[:]//raw[.]githubusercontent[.]com/kudoc8989/project/main/Заборгованість по ЖКП.rar | Delivery of malicious RAR file
hxxps[:]//1014[.]filemail[.]com/api/file/get?filekey=e_8S1HEnM5Rzhy_jpN6nL-GF4UAP533VrXzgXjxH1GzbVQZvmpFzrFA&pk_vid=a3d82455433c8ad11715865826cf18f6 | Dummy payload
hxxps[:]//pixeldrain[.]com/api/file/ZAJxwFFX?download= | Dummy payload
hxxp[:]//canarytokens[.]com/stuff/tags/ni1cknk2yq3xfcw2al3efs37m/payments.js | Tracking link
hxxp[:]//canarytokens[.]com/stuff/terms/images/k22r2dnjrvjsme8680ojf5ccs/index.html | Tracking link
postdock[.]serveftp[.]com | COOKBOX C2
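The indicators above are defanged. The following added example (not code from the original article or from Cloudflare's report) refangs a subset of them and matches them against DNS and web-proxy log excerpts. Bare domains are matched by hostname, while URL indicators are matched only by full URL so that shared platforms such as github.com and workers.dev are not flagged wholesale. The log lines, their format, and the client addresses are constructed for this example; the indicator values are copied from the table.

```python
"""Refang indicators and sweep DNS and proxy logs for them (added example)."""
import re
from urllib.parse import unquote

# Copied from the indicator table above.
DEFANGED_IOCS = [
    "komunalka[.]github[.]io",
    "hxxps[:]//github[.]com/komunalka/komunalka[.]github[.]io",
    "hxxps[:]//worker-polished-union-f396[.]vqu89698[.]workers[.]dev",
    "hxxps[:]//raw[.]githubusercontent[.]com/kudoc8989/project/main/Заборгованість по ЖКП.rar",
    "hxxp[:]//canarytokens[.]com/stuff/tags/ni1cknk2yq3xfcw2al3efs37m/payments.js",
    "postdock[.]serveftp[.]com",
]


def refang(ioc):
    """Undo the defanging conventions used in the table ([.] [:] hxxp)."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def host_of(url):
    """Hostname of a URL (scheme and path removed, lower-cased)."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/", 1)[0].lower()


def build_matchers(defanged):
    """Bare domains go into a hostname set; indicators with a scheme are kept
    as full URLs and matched by prefix only."""
    hosts, urls = set(), []
    for ioc in defanged:
        clean = refang(ioc)
        if "://" in clean:
            urls.append(clean)
        else:
            hosts.add(clean.lower())
    return hosts, urls


def match_host(host, hosts):
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)


def match_url(url, urls):
    return any(url.startswith(u) for u in urls)


def scan_logs(dns_text, proxy_text, defanged=DEFANGED_IOCS):
    """Return one hit per log line that touches an indicator."""
    hosts, urls = build_matchers(defanged)
    hits = []
    for line in dns_text.splitlines():
        m = re.search(r"client=(\S+) query=(\S+)", line)
        if m and match_host(m.group(2), hosts):
            hits.append({"source": "dns", "client": m.group(1), "indicator": m.group(2)})
    for line in proxy_text.splitlines():
        m = re.match(r"\S+ (\S+) (?:GET|POST) (\S+)", line)
        if not m:
            continue
        url = unquote(m.group(2))  # proxies percent-encode non-ASCII paths
        if match_url(url, urls) or match_host(host_of(url), hosts):
            hits.append({"source": "proxy", "client": m.group(1), "indicator": url})
    return hits


def affected_clients(hits):
    return sorted({h["client"] for h in hits})


# Constructed log excerpts (not real telemetry); format is assumed.
SAMPLE_DNS_LOG = """\
2024-04-26T08:14:02Z client=10.1.2.33 query=postdock.serveftp.com type=A
2024-04-26T08:15:10Z client=10.1.2.34 query=intranet.example.local type=A
2024-04-26T08:16:44Z client=10.1.2.35 query=komunalka.github.io type=A
"""

SAMPLE_PROXY_LOG = """\
2024-04-26T08:16:45Z 10.1.2.35 GET https://komunalka.github.io/ 200
2024-04-26T08:16:50Z 10.1.2.35 GET https://worker-polished-union-f396.vqu89698.workers.dev/ 200
2024-04-26T08:17:02Z 10.1.2.36 GET https://github.com/example-org/example-repo 200
2024-04-26T08:17:30Z 10.1.2.35 GET http://canarytokens.com/stuff/tags/ni1cknk2yq3xfcw2al3efs37m/payments.js 200
"""

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_DNS_LOG, SAMPLE_PROXY_LOG):
        print(hit)
    print("clients to triage:", affected_clients(scan_logs(SAMPLE_DNS_LOG, SAMPLE_PROXY_LOG)))
```

A DNS hit on postdock.serveftp.com is the strongest signal here, since it is the C2 domain and is only reached after COOKBOX is already running; hits on the GitHub page or the Worker indicate a user reached the lure and warrant checking that host for the RAR archive.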

About the Author:

FirstHackersNews- Identifies Security