Saturday, June 22, 2024

FlyingYeti Exploits WinRAR Vulnerability For Targeted Malware Attacks

Ever since Russia’s invasion of Ukraine on February 24, 2022, there have been heavy tensions between the nations and worldwide.

After this incident, Ukraine imposed an eviction and termination moratorium on utility services for unpaid debt, ending in January 2024.

However, this particular period was utilized by a threat actor who is identified as “FlyingYeti”.

This threat actor used the anxiety among Ukrainian citizens about the unpaid debt and potential loss of access to housing and conducted a debt-themed phishing campaign to lure victims into potentially downloading a malware file onto their systems. 

This malware was a PowerShell malware known as “COOKBOX” which enabled these threat actors to install additional payloads and control over the victim’s system.

Additionally, the phishing campaign used GitHub servers and Cloudflare workers alongside a WinRAR vulnerability (CVE-2023-38831).

Threat Actor Analysis

According to the reports shared with Cyber Security News, the FlyingYeti threat actor’s activities overlaps with a previously identified threat actor known as UAC-0149 who used to target Ukrainian Defense entities with the same malware during the fall of 2023.

Between mid-April to mid-May 2024, this FlyingYeti threat actor has been observed to be conducting reconnaissance activity against their victims that was likely to be used in a campaign which was intended to be launched during Easter.

This threat actor uses dynamic DNS for their infrastructure and uses cloud-based platforms for hosting their malware and C2 servers.

FlyingYeti is likely attributed to Russia-aligned threat groups that primarily focus on targeting Ukrainian Military Entities. 

This attribution was speculated due to the comments in the codes which were written in Russian language and the operational hours for this threat actor happens in the UTC +3 Time zone (3 Russian Places are present in this time zone).

Campaign Analysis

The reconnaissance activity observed in April was targeted on payment processes for Ukrainian communal housing and utility services.

On April 22, 2024, the survey was targeted on changes made in 2016 when QR codes were introduced in payment notices. 

On the same day, reconnaissance was also conducted regarding the current developments related to housing and utility debt in Ukraine.

On April 25, 2024, the reconnaissance activity was related to the legal basis of restructuring housing debt in Ukraine and the debt involving utilities such as gas and electricity.

These activities were likely because of the payment-related lures, which have higher chances of success against Ukrainian Individuals.

Phishing Campaign And RAR Malware Analysis

Researchers at Cloudflare disrupted the phishing campaign that was about to be conducted for Easter.

On analyzing the phishing campaign code, it was found that the threat actors were using a spoofed version of the Kyiv Komunalka communal housing site, which functions as the payment processor for Kyiv residents.

 All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo

Kyiv Komunalka allows users to pay utilities like gas, electricity, telephone, internet, fees, and FInes, as well as donations to Ukraine’s defense forces.

The phishing campaign was about to be conducted via phishing email or an encrypted signal message, which likely contained the GitHub page link.

This page, when visited by victims, will display a large green button that will prompt the users to download the payment invoice document under the name “Рахунок.docx” (“Invoice.docx”).

However, originally, the button will download a malicious RAR archive “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”).

Spoofed website (Source: Cloudflare)

This RAR archive will contain multiple files, including a file with a name that contains a Unicode character “U+201F” that appears as a whitespace between the filename and the extension.

This file appears as a PDF document, which is actually a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”).

Malicious WinRAR Archive (Source: Cloudflare)

This RAR, when decompressed, will extract the malicious PDF file, which will exploit the WinRAR vulnerability CVE-2023-38831.

Finally, the COOKBOX PowerShell malware gets executed that will persist on the computer, enabling the threat actors to gain permanent access to the affected device.

When this COOKBOX malware is installed, it will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run. 

Further there were additional documents present in the RAR archive that serve as a decoy document. These documents will contain hidden tracking links using the Canary Tokens service.

Decoy Document (Source: Cloudflare)

Indicators Of Compromise

FilenameSHA256 HashDescription
Заборгованість по ЖКП.rara0a294f85c8a19be048ffcc05ede6fd5a7ac5e2f0032a3ca0050dc1ae960c314RAR archive
Рахунок на оплату.pdf                                                                                 .cmd0cca8f795c7a81d33d36d5204fcd9bc73bdc2af7de315c1449cbc3551ef4fb59COOKBOX Sample (contained in RAR archive)
Реструктуризація боргу за житлово комунальні послуги.docx915721b94e3dffa6cef3664532b586be6cf989fec923b26c62fdaf201ee81d2cBenign Word Document with Tracking Link (contained in RAR archive)
Угода користувача.docx79a9740f5e5ea4aa2157d9d96df34ee49a32e2d386fe55fedfd1aa33e151c06dBenign Word Document with Tracking Link (contained in RAR archive)
Рахунок на оплату.pdf19e25456c2996ded3e29577b609de54a2bef90dad8f868cdad795c18df05a79bRandom Binary Data (contained in RAR archive)
Заборгованість по ЖКП станом на 26.04.24.docxe0d65e2d36afd3db1b603f10e0488cee3f58ade24d8abc6bee240314d8696708Random Binary Data (contained in RAR archive)
Domain / URLDescription
komunalka[.]github[.]ioPhishing page
hxxps[:]//github[.]com/komunalka/komunalka[.]github[.]ioPhishing page
hxxps[:]//worker-polished-union-f396[.]vqu89698[.]workers[.]devWorker that fetches malicious RAR file
hxxps[:]//raw[.]githubusercontent[.]com/kudoc8989/project/main/Заборгованість по ЖКП.rarDelivery of malicious RAR file
hxxps[:]//1014[.]filemail[.]com/api/file/get?filekey=e_8S1HEnM5Rzhy_jpN6nL-GF4UAP533VrXzgXjxH1GzbVQZvmpFzrFA&pk_vid=a3d82455433c8ad11715865826cf18f6Dummy payload
hxxps[:]//pixeldrain[.]com/api/file/ZAJxwFFX?download=Dummy payload
hxxp[:]//canarytokens[.]com/stuff/tags/ni1cknk2yq3xfcw2al3efs37m/payments.jsTracking link
hxxp[:]//canarytokens[.]com/stuff/terms/images/k22r2dnjrvjsme8680ojf5ccs/index.htmlTracking link
postdock[.]serveftp[.]comCOOKBOX C2

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.


Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles