FlyingYeti Exploits WinRAR Vulnerability For Targeted Malware Attacks


Ever since Russia’s invasion of Ukraine on February 24, 2022, there have been heavy tensions between the nations and worldwide.

After this incident, Ukraine imposed an eviction and termination moratorium on utility services for unpaid debt, ending in January 2024.

However, this particular period was utilized by a threat actor who is identified as “FlyingYeti”.

This threat actor used the anxiety among Ukrainian citizens about the unpaid debt and potential loss of access to housing and conducted a debt-themed phishing campaign to lure victims into potentially downloading a malware file onto their systems. 

This malware was a PowerShell malware known as “COOKBOX” which enabled these threat actors to install additional payloads and control over the victim’s system.

Additionally, the phishing campaign used GitHub servers and Cloudflare workers alongside a WinRAR vulnerability (CVE-2023-38831).

Threat Actor Analysis

According to the reports shared with Cyber Security News, the FlyingYeti threat actor’s activities overlaps with a previously identified threat actor known as UAC-0149 who used to target Ukrainian Defense entities with the same malware during the fall of 2023.

Between mid-April to mid-May 2024, this FlyingYeti threat actor has been observed to be conducting reconnaissance activity against their victims that was likely to be used in a campaign which was intended to be launched during Easter.

This threat actor uses dynamic DNS for their infrastructure and uses cloud-based platforms for hosting their malware and C2 servers.

FlyingYeti is likely attributed to Russia-aligned threat groups that primarily focus on targeting Ukrainian Military Entities. 

This attribution was speculated due to the comments in the codes which were written in Russian language and the operational hours for this threat actor happens in the UTC +3 Time zone (3 Russian Places are present in this time zone).

Campaign Analysis

The reconnaissance activity observed in April was targeted on payment processes for Ukrainian communal housing and utility services.

On April 22, 2024, the survey was targeted on changes made in 2016 when QR codes were introduced in payment notices. 

On the same day, reconnaissance was also conducted regarding the current developments related to housing and utility debt in Ukraine.

On April 25, 2024, the reconnaissance activity was related to the legal basis of restructuring housing debt in Ukraine and the debt involving utilities such as gas and electricity.

These activities were likely because of the payment-related lures, which have higher chances of success against Ukrainian Individuals.

Phishing Campaign And RAR Malware Analysis

Researchers at Cloudflare disrupted the phishing campaign that was about to be conducted for Easter.

On analyzing the phishing campaign code, it was found that the threat actors were using a spoofed version of the Kyiv Komunalka communal housing site, which functions as the payment processor for Kyiv residents.

 All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo

Kyiv Komunalka allows users to pay utilities like gas, electricity, telephone, internet, fees, and FInes, as well as donations to Ukraine’s defense forces.

The phishing campaign was about to be conducted via phishing email or an encrypted signal message, which likely contained the GitHub page link.

This page, when visited by victims, will display a large green button that will prompt the users to download the payment invoice document under the name “Рахунок.docx” (“Invoice.docx”).

However, originally, the button will download a malicious RAR archive “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”).

Spoofed website (Source: Cloudflare)

This RAR archive will contain multiple files, including a file with a name that contains a Unicode character “U+201F” that appears as a whitespace between the filename and the extension.

This file appears as a PDF document, which is actually a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”).

FlyingYeti Exploits WinRAR Vulnerability For Targeted Malware Attacks
Malicious WinRAR Archive (Source: Cloudflare)

This RAR, when decompressed, will extract the malicious PDF file, which will exploit the WinRAR vulnerability CVE-2023-38831.

Finally, the COOKBOX PowerShell malware gets executed that will persist on the computer, enabling the threat actors to gain permanent access to the affected device.

When this COOKBOX malware is installed, it will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run. 

Further there were additional documents present in the RAR archive that serve as a decoy document. These documents will contain hidden tracking links using the Canary Tokens service.

FlyingYeti Exploits WinRAR Vulnerability For Targeted Malware Attacks
Decoy Document (Source: Cloudflare)

Indicators Of Compromise

Filename SHA256 Hash Description
Заборгованість по ЖКП.rar a0a294f85c8a19be048ffcc05ede6fd5a7ac5e2f0032a3ca0050dc1ae960c314 RAR archive
Рахунок на оплату.pdf                                                                                 .cmd 0cca8f795c7a81d33d36d5204fcd9bc73bdc2af7de315c1449cbc3551ef4fb59 COOKBOX Sample (contained in RAR archive)
Реструктуризація боргу за житлово комунальні послуги.docx 915721b94e3dffa6cef3664532b586be6cf989fec923b26c62fdaf201ee81d2c Benign Word Document with Tracking Link (contained in RAR archive)
Угода користувача.docx 79a9740f5e5ea4aa2157d9d96df34ee49a32e2d386fe55fedfd1aa33e151c06d Benign Word Document with Tracking Link (contained in RAR archive)
Рахунок на оплату.pdf 19e25456c2996ded3e29577b609de54a2bef90dad8f868cdad795c18df05a79b Random Binary Data (contained in RAR archive)
Заборгованість по ЖКП станом на 26.04.24.docx e0d65e2d36afd3db1b603f10e0488cee3f58ade24d8abc6bee240314d8696708 Random Binary Data (contained in RAR archive)
Domain / URL Description
komunalka[.]github[.]io Phishing page
hxxps[:]//github[.]com/komunalka/komunalka[.]github[.]io Phishing page
hxxps[:]//worker-polished-union-f396[.]vqu89698[.]workers[.]dev Worker that fetches malicious RAR file
hxxps[:]//raw[.]githubusercontent[.]com/kudoc8989/project/main/Заборгованість по ЖКП.rar Delivery of malicious RAR file
hxxps[:]//1014[.]filemail[.]com/api/file/get?filekey=e_8S1HEnM5Rzhy_jpN6nL-GF4UAP533VrXzgXjxH1GzbVQZvmpFzrFA&pk_vid=a3d82455433c8ad11715865826cf18f6 Dummy payload
hxxps[:]//pixeldrain[.]com/api/file/ZAJxwFFX?download= Dummy payload
hxxp[:]//canarytokens[.]com/stuff/tags/ni1cknk2yq3xfcw2al3efs37m/payments.js Tracking link
hxxp[:]//canarytokens[.]com/stuff/terms/images/k22r2dnjrvjsme8680ojf5ccs/index.html Tracking link
postdock[.]serveftp[.]com COOKBOX C2

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.



Source link