Cloudforce One disrupted FlyingYeti’s latest phishing campaign targeting Ukraine, extending the attacker’s operational timeline from hours to weeks through proactive defense and collaboration with platforms like GitHub and Cloudflare. The operation abused debt-themed lures, a WinRAR CVE-2023-38831 exploit, and COOKBOX PowerShell malware to gain footholds and command-and-control, with mitigations cutting off multiple delivery vectors. #FlyingYeti #COOKBOX #WinRAR #CVE-2023-38831 #Ukraine #Komunalka
Keypoints
- Cloudforce One detected FlyingYeti preparing a phishing espionage campaign aimed at Ukrainian individuals in mid-April 2024.
- The actor’s TTPs align with CERT-UA’s UAC-0149 campaign, including debt-themed lures and malicious COOKBOX payloads.
- Targets would be directed to a spoofed Komunalka page on GitHub, leading to a malicious RAR delivery chain.
- The RAR payload exploited CVE-2023-38831 in WinRAR to execute a malicious CMD file containing COOKBOX PowerShell malware.
- COOKBOX then connected to a DDNS-based C2 (postdock.serveftp.com), awaiting PowerShell commands to run.
- Cloudforce One’s mitigations—takedown of the GitHub repo and associated Workers, real-time monitoring, and platform coordination—extended the campaign’s timeline to weeks and curtailed its effectiveness.
MITRE Techniques
- [T1566.002] Spearphishing Link – The disrupted phishing campaign would have directed targets to an actor-controlled GitHub page at hxxps[:]//komunalka[.]github[.]io, which is a spoofed version of the Kyiv Komunalka communal housing site – “The disrupted phishing campaign would have directed FlyingYeti targets to an actor-controlled GitHub page at hxxps[:]//komunalka[.]github[.]io, which is a spoofed version of the Kyiv Komunalka communal housing site.”
- [T1203] Exploitation for Client Execution – The WinRAR vulnerability CVE-2023-38831 was used to cause the execution of a malicious CMD file inside the archive – “The WinRAR vulnerability CVE-2023-38831… results in the execution of the malicious CMD.”
- [T1059.001] PowerShell – The CMD file loads the COOKBOX PowerShell malware, which persists on the host and awaits PowerShell cmdlets to run – “The CMD file contains the FlyingYeti PowerShell malware known as COOKBOX. The malware… will subsequently run.”
- [T1105] Ingress Tool Transfer – The malicious RAR file was fetched by an actor-controlled Cloudflare Worker from raw.githubusercontent.com and delivered to the target's device – “the Worker fetches the RAR file from hxxps[:]//raw[.]githubusercontent[.]com/kudoc8989/project/main/Заборгованість по ЖКП.rar, which is then downloaded on the target’s device.”
- [T1071.004] DNS – The COOKBOX C2 used a DDNS domain postdock[.]serveftp[.]com for command and control – “will make requests to the DDNS domain postdock[.]serveftp[.]com for C2.”
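As an added defender-side check (not code from the Cloudflare post or from this page), the function below scans an archive's entry listing for the file/directory name collision that characterises CVE-2023-38831, the WinRAR bug the campaign abused to run its CMD file. The sample listing is constructed and reuses the lure filenames from the IoC list; the page does not give the real archive's internal layout.

```python
import posixpath
from typing import Iterable

# Extensions Windows hands to an interpreter when WinRAR "opens" the entry;
# FlyingYeti's archive carried a .cmd (the COOKBOX loader).
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".ps1", ".hta", ".scr"}


def find_cve_2023_38831_candidates(entries: Iterable[str]) -> list[dict]:
    """Scan an archive listing for the CVE-2023-38831 layout: a top-level decoy
    file, a directory with the *same* name, and inside it an executable whose
    name starts with the decoy's name. Entries may use '/' or '\\' separators;
    directories may be listed explicitly (trailing '/') or only implied."""
    paths = [e.replace("\\", "/") for e in entries]
    files = {p for p in paths if not p.endswith("/")}
    dirs = {p.rstrip("/") for p in paths if p.endswith("/")}
    dirs |= {p.split("/", 1)[0] for p in files if "/" in p}  # implied parent dirs
    findings = []
    for decoy in sorted(files):
        if "/" in decoy or decoy not in dirs:
            continue  # the bug needs a top-level file colliding with a directory name
        for payload in sorted(files):
            head, sep, tail = payload.partition("/")
            if not sep or head != decoy or "/" in tail:
                continue  # only direct children of the colliding directory
            if tail.startswith(decoy) and posixpath.splitext(tail)[1].lower() in EXECUTABLE_EXTS:
                findings.append({
                    "decoy": decoy,
                    "payload": payload,
                    "trailing_space": decoy != decoy.rstrip(),  # common sign of this layout
                })
    return findings


# Constructed listing modelled on the CVE-2023-38831 layout (hypothetical, not the real sample).
SAMPLE_LISTING = [
    "Рахунок на оплату.pdf ",
    "Рахунок на оплату.pdf \\Рахунок на оплату.pdf .cmd",
    "Угода користувача.docx",
    "Реструктуризація боргу за житлово комунальні послуги.docx",
]

if __name__ == "__main__":
    for f in find_cve_2023_38831_candidates(SAMPLE_LISTING):
        print(f"suspicious: opening {f['decoy']!r} would run {f['payload']!r}")
```

Feed it the entry names from your archive scanner or mail gateway listing; a hit means the archive should be quarantined and the WinRAR install checked for a version at or above the patched 6.23.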
Indicators of Compromise
- [Filename] RAR and documents used in the campaign – Заборгованість по ЖКП.rar, Рахунок на оплату.pdf, Реструктуризація боргу за житлово комунальні послуги.docx, Угода користувача.docx
- [SHA256 Hash] Example hashes from the RAR contents – a0a294f85c8a19be048ffcc05ede6fd5a7ac5e2f0032a3ca0050dc1ae960c314, 0cca8f795c7a81d33d36d5204fcd9bc73bdc2af7de315c1449cbc3551ef4fb59
- [Domain / URL] Key infrastructure and phishing hosts – komunalka.github.io, hxxps://github.com/komunalka/komunalka.github.io, worker-polished-union-f396.vqu89698.workers.dev, raw.githubusercontent.com/kudoc8989/project/main/Заборгованість по ЖКП.rar, 1014.filemail.com, pixeldrain.com, canarytokens.com, postdock.serveftp.com
Read more: https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine