Wednesday, December 18, 2024

FlyingYeti Exploits WinRAR Vulnerability For Targeted Malware Attacks

Since Russia’s invasion of Ukraine on February 24, 2022, tensions have remained high between the two nations and worldwide.

After the invasion, Ukraine imposed a moratorium on evictions and on the termination of utility services for unpaid debt, which ended in January 2024.

This particular period was exploited by a threat actor identified as “FlyingYeti”.

The threat actor played on Ukrainian citizens’ anxiety about unpaid debt and the potential loss of access to housing, running a debt-themed phishing campaign that lured victims into downloading a malware file onto their systems.

The payload was a PowerShell malware known as “COOKBOX”, which enables the threat actors to install additional payloads and take control of the victim’s system.

Additionally, the phishing campaign used GitHub servers and Cloudflare Workers alongside a WinRAR vulnerability (CVE-2023-38831).

Threat Actor Analysis

According to the reports shared with Cyber Security News, the FlyingYeti threat actor’s activities overlap with those of a previously identified threat actor known as UAC-0149, which targeted Ukrainian defense entities with the same malware during the fall of 2023.

Between mid-April and mid-May 2024, FlyingYeti was observed conducting reconnaissance against its intended victims, likely in preparation for a campaign planned to launch around Easter.

The threat actor uses dynamic DNS for its infrastructure and cloud-based platforms to host its malware and C2 servers.

FlyingYeti is likely linked to Russia-aligned threat groups that primarily focus on targeting Ukrainian military entities.

This attribution is based on code comments written in Russian and on the actor’s operating hours, which fall in the UTC+3 time zone (three Russian locations are in this time zone).

Campaign Analysis

The reconnaissance activity observed in April targeted payment processes for Ukrainian communal housing and utility services.

On April 22, 2024, the survey focused on the changes made in 2016, when QR codes were introduced in payment notices.

On the same day, reconnaissance was also conducted on current developments related to housing and utility debt in Ukraine.

On April 25, 2024, the reconnaissance activity concerned the legal basis for restructuring housing debt in Ukraine and debt for utilities such as gas and electricity.

This activity was likely in service of payment-related lures, which have a higher chance of success against Ukrainian individuals.

Phishing Campaign And RAR Malware Analysis

Researchers at Cloudflare disrupted the phishing campaign that was to be conducted around Easter.

Analysis of the phishing campaign code found that the threat actors were using a spoofed version of the Kyiv Komunalka communal housing site, which functions as the payment processor for Kyiv residents.

Kyiv Komunalka allows users to pay for utilities such as gas, electricity, telephone and internet, as well as fees and fines, and to make donations to Ukraine’s defense forces.

The phishing campaign was to be delivered via phishing email or an encrypted Signal message, which likely contained the GitHub page link.

When visited, this page displays a large green button prompting the user to download a payment invoice document under the name “Рахунок.docx” (“Invoice.docx”).

However, the button actually downloads a malicious RAR archive, “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”).

Spoofed website (Source: Cloudflare)

This RAR archive contains multiple files, including one whose name contains the Unicode character U+201F, which appears as whitespace between the filename and the extension.

That file appears to be a PDF document but is actually a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”).

Malicious WinRAR Archive (Source: Cloudflare)

When the RAR is decompressed, the malicious file posing as a PDF is extracted, and opening it exploits the WinRAR vulnerability CVE-2023-38831.

Finally, the COOKBOX PowerShell malware is executed; it persists on the computer, giving the threat actors permanent access to the affected device.

Once installed, COOKBOX makes requests to the DDNS domain postdock[.]serveftp[.]com for C2 and awaits PowerShell cmdlets, which the malware then runs.

The RAR archive also contained additional documents that serve as decoys; these documents contain hidden tracking links created with the Canary Tokens service.
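A defender can catch both tricks described above, the blank-looking U+201F padding that hides a real .cmd extension behind a fake .pdf one, and the publicly documented CVE-2023-38831 trigger layout (a decoy file next to a same-named directory that holds a script whose name starts with the decoy's name), by inspecting archive entry names before anyone opens the archive. The following is an added example, not code from the article or from Cloudflare's report. The entry list it scans is constructed: the Ukrainian filenames are borrowed from the IoC table, but the directory nesting is an assumption that illustrates the CVE-2023-38831 pattern, not the real archive's listing. On a real file, feed it the names returned by the archive library (for example the namelist() of a zipfile or rarfile object).

```python
"""Static triage of archive entry names (added example; the sample layout is constructed)."""
import os
import unicodedata

# Extensions that execute when double-clicked from WinRAR or Explorer.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".scr", ".com", ".hta", ".lnk"}
# Extensions an attacker imitates in the visible part of a filename.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def is_blank_looking(ch: str) -> bool:
    """ASCII space, or a non-ASCII character that renders blank or as inconspicuous
    punctuation: space separators (Zs), format characters such as zero-width joiners
    (Cf), and quotation-mark punctuation (Pi/Pf), which is where U+201F falls."""
    if ch == " ":
        return True
    if ord(ch) < 0x80:
        return False
    return unicodedata.category(ch) in {"Zs", "Cf", "Pi", "Pf"}


def check_hidden_extension(entry: str):
    """Flag an executable whose visible name ends in a document extension,
    optionally followed by blank-looking padding."""
    base = entry.rsplit("/", 1)[-1]
    stem, ext = os.path.splitext(base)
    if ext.lower() not in EXECUTABLE_EXTS:
        return None
    # Peel trailing padding off the stem so the "visible" name can be examined.
    end = len(stem)
    while end > 0 and is_blank_looking(stem[end - 1]):
        end -= 1
    padding, visible = stem[end:], stem[:end]
    inner_ext = os.path.splitext(visible)[1].lower()
    if inner_ext not in DOCUMENT_EXTS:
        return None
    return {
        "check": "hidden_extension",
        "entry": entry,
        "looks_like": inner_ext,
        "really_is": ext.lower(),
        "padding_length": len(padding),
        "padding_codepoints": ["U+%04X" % ord(c) for c in padding if ord(c) >= 0x80],
    }


def check_cve_2023_38831_layout(entries):
    """Flag every (decoy file, same-named directory, script with matching prefix) triple."""
    files = {e for e in entries if not e.endswith("/")}
    findings = []
    for e in files:
        if "/" not in e:
            continue
        parent, child = e.rsplit("/", 1)
        parent_name = parent.rsplit("/", 1)[-1]
        if parent not in files:          # no decoy file sharing the directory's name
            continue
        if not child.startswith(parent_name):
            continue
        if os.path.splitext(child)[1].lower() not in EXECUTABLE_EXTS:
            continue
        findings.append({"check": "cve_2023_38831_layout", "decoy": parent, "script": e})
    return findings


def inspect_entries(entries):
    findings = [f for f in (check_hidden_extension(e) for e in entries) if f]
    findings.extend(check_cve_2023_38831_layout(entries))
    return findings


# Constructed sample layout (assumption for this example, not the real archive's listing).
SAMPLE_ENTRIES = [
    "Рахунок на оплату.pdf",
    "Рахунок на оплату.pdf/Рахунок на оплату.pdf\u201f.cmd",
    "Реструктуризація боргу за житлово комунальні послуги.docx",
    "Угода користувача.docx",
]
BENIGN_ENTRIES = ["invoice.pdf", "terms.docx", "setup.cmd"]

if __name__ == "__main__":
    for finding in inspect_entries(SAMPLE_ENTRIES):
        print(finding)
```

The padding loop also handles the plain ASCII-space variant of the trick (the IoC table renders the filename that way), and reports any non-ASCII code points it stripped so an analyst can see exactly which character was used.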

Decoy Document (Source: Cloudflare)

Indicators Of Compromise

Filename | SHA256 Hash | Description
Заборгованість по ЖКП.rar | a0a294f85c8a19be048ffcc05ede6fd5a7ac5e2f0032a3ca0050dc1ae960c314 | RAR archive
Рахунок на оплату.pdf                                                                                 .cmd | 0cca8f795c7a81d33d36d5204fcd9bc73bdc2af7de315c1449cbc3551ef4fb59 | COOKBOX Sample (contained in RAR archive)
Реструктуризація боргу за житлово комунальні послуги.docx | 915721b94e3dffa6cef3664532b586be6cf989fec923b26c62fdaf201ee81d2c | Benign Word Document with Tracking Link (contained in RAR archive)
Угода користувача.docx | 79a9740f5e5ea4aa2157d9d96df34ee49a32e2d386fe55fedfd1aa33e151c06d | Benign Word Document with Tracking Link (contained in RAR archive)
Рахунок на оплату.pdf | 19e25456c2996ded3e29577b609de54a2bef90dad8f868cdad795c18df05a79b | Random Binary Data (contained in RAR archive)
Заборгованість по ЖКП станом на 26.04.24.docx | e0d65e2d36afd3db1b603f10e0488cee3f58ade24d8abc6bee240314d8696708 | Random Binary Data (contained in RAR archive)

Domain / URL | Description
komunalka[.]github[.]io | Phishing page
hxxps[:]//github[.]com/komunalka/komunalka[.]github[.]io | Phishing page
hxxps[:]//worker-polished-union-f396[.]vqu89698[.]workers[.]dev | Worker that fetches malicious RAR file
hxxps[:]//raw[.]githubusercontent[.]com/kudoc8989/project/main/Заборгованість по ЖКП.rar | Delivery of malicious RAR file
hxxps[:]//1014[.]filemail[.]com/api/file/get?filekey=e_8S1HEnM5Rzhy_jpN6nL-GF4UAP533VrXzgXjxH1GzbVQZvmpFzrFA&pk_vid=a3d82455433c8ad11715865826cf18f6 | Dummy payload
hxxps[:]//pixeldrain[.]com/api/file/ZAJxwFFX?download= | Dummy payload
hxxp[:]//canarytokens[.]com/stuff/tags/ni1cknk2yq3xfcw2al3efs37m/payments.js | Tracking link
hxxp[:]//canarytokens[.]com/stuff/terms/images/k22r2dnjrvjsme8680ojf5ccs/index.html | Tracking link
postdock[.]serveftp[.]com | COOKBOX C2
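To turn the indicators above and the C2 behaviour described earlier (beaconing to a dynamic DNS domain) into a working check, here is an added example that is not code from the article or from Cloudflare. It refangs the published domains, URL prefixes and hashes, then matches them against a few constructed DNS, proxy and file-hash log lines. The "timestamp source kind key=value" log format is an assumption made for the example; the dynamic-DNS zone check is derived from the C2 domain in the table and is reported at low severity on its own, because legitimate hosts use such services too.

```python
"""Match the article's IoCs against constructed log lines (added example)."""
import re
from urllib.parse import urlsplit

# Indicators copied from the article's IoC table, kept defanged as published.
IOC_DOMAINS = {
    "komunalka[.]github[.]io": "Phishing page",
    "worker-polished-union-f396[.]vqu89698[.]workers[.]dev": "Worker that fetches malicious RAR file",
    "postdock[.]serveftp[.]com": "COOKBOX C2",
}
IOC_URL_PREFIXES = {
    "hxxps[:]//raw[.]githubusercontent[.]com/kudoc8989/project/": "Delivery of malicious RAR file",
    "hxxp[:]//canarytokens[.]com/stuff/tags/ni1cknk2yq3xfcw2al3efs37m/": "Tracking link",
    "hxxp[:]//canarytokens[.]com/stuff/terms/images/k22r2dnjrvjsme8680ojf5ccs/": "Tracking link",
}
IOC_SHA256 = {
    "a0a294f85c8a19be048ffcc05ede6fd5a7ac5e2f0032a3ca0050dc1ae960c314": "RAR archive",
    "0cca8f795c7a81d33d36d5204fcd9bc73bdc2af7de315c1449cbc3551ef4fb59": "COOKBOX sample",
}
# Dynamic-DNS zone derived from the C2 domain; a hit here is only a weak signal.
DDNS_ZONES = {"serveftp.com"}


def refang(s: str) -> str:
    """Undo the hxxp / [.] / [:] defanging used in published IoC lists."""
    return s.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


DOMAINS = {refang(k).lower(): v for k, v in IOC_DOMAINS.items()}
URL_PREFIXES = {refang(k).lower(): v for k, v in IOC_URL_PREFIXES.items()}


def domain_matches(host: str, ioc: str) -> bool:
    """Exact match or subdomain of the indicator."""
    return host == ioc or host.endswith("." + ioc)


# Assumed log format for this example: "<ts> <src-ip> <dns|http|file> key=value ...".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|http|file) (?P<rest>.*)$")


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for kv in rec.pop("rest").split():
        if "=" in kv:
            k, v = kv.split("=", 1)
            rec[k] = v
    return rec


def match_record(rec):
    """Return (ts, src, severity, description, matched_object) tuples for one record."""
    hits = []
    if rec["kind"] == "dns":
        host = rec.get("query", "").lower().rstrip(".")
        hits += [("high", d, host) for ioc, d in DOMAINS.items() if domain_matches(host, ioc)]
        if not hits and any(domain_matches(host, z) for z in DDNS_ZONES):
            hits.append(("low", "query to dynamic DNS zone used by COOKBOX C2", host))
    elif rec["kind"] == "http":
        url = rec.get("url", "").lower()
        host = urlsplit(url).hostname or ""
        hits += [("high", d, url) for p, d in URL_PREFIXES.items() if url.startswith(p)]
        hits += [("high", d, host) for ioc, d in DOMAINS.items() if domain_matches(host, ioc)]
    elif rec["kind"] == "file":
        digest = rec.get("sha256", "").lower()
        if digest in IOC_SHA256:
            hits.append(("high", IOC_SHA256[digest], digest))
    return [(rec["ts"], rec["src"], sev, desc, obj) for sev, desc, obj in hits]


def scan(lines):
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            alerts.extend(match_record(rec))
    return alerts


# Constructed log lines for the example; the timestamps and internal IPs are made up.
SAMPLE_LOG = """\
2024-05-02T09:14:07Z 10.0.0.15 http url=https://komunalka.github.io/
2024-05-02T09:14:09Z 10.0.0.15 http url=https://raw.githubusercontent.com/kudoc8989/project/main/archive.rar
2024-05-02T09:14:40Z 10.0.0.15 file sha256=0CCA8F795C7A81D33D36D5204FCD9BC73BDC2AF7DE315C1449CBC3551EF4FB59 name=invoice.cmd
2024-05-02T09:15:02Z 10.0.0.15 dns query=postdock.serveftp.com type=A
2024-05-02T09:15:30Z 10.0.0.22 dns query=other-host.serveftp.com type=A
2024-05-02T09:16:00Z 10.0.0.22 dns query=www.example.com type=A
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Hashes are compared case-insensitively and DNS names have any trailing dot stripped, two normalisations that commonly cause otherwise-correct IoC matches to be missed in practice.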

Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
