Ever since Russia’s invasion of Ukraine on February 24, 2022, there have been heavy tensions between the nations and worldwide.
After this incident, Ukraine imposed an eviction and termination moratorium on utility services for unpaid debt, ending in January 2024.
However, this particular period was utilized by a threat actor who is identified as “FlyingYeti”.
This threat actor used the anxiety among Ukrainian citizens about the unpaid debt and potential loss of access to housing and conducted a debt-themed phishing campaign to lure victims into potentially downloading a malware file onto their systems.
This malware was a PowerShell malware known as “COOKBOX” which enabled these threat actors to install additional payloads and control over the victim’s system.
Additionally, the phishing campaign used GitHub servers and Cloudflare workers alongside a WinRAR vulnerability (CVE-2023-38831).
Threat Actor Analysis
According to the reports shared with Cyber Security News, the FlyingYeti threat actor’s activities overlaps with a previously identified threat actor known as UAC-0149 who used to target Ukrainian Defense entities with the same malware during the fall of 2023.
Between mid-April to mid-May 2024, this FlyingYeti threat actor has been observed to be conducting reconnaissance activity against their victims that was likely to be used in a campaign which was intended to be launched during Easter.
This threat actor uses dynamic DNS for their infrastructure and uses cloud-based platforms for hosting their malware and C2 servers.
FlyingYeti is likely attributed to Russia-aligned threat groups that primarily focus on targeting Ukrainian Military Entities.
This attribution was speculated due to the comments in the codes which were written in Russian language and the operational hours for this threat actor happens in the UTC +3 Time zone (3 Russian Places are present in this time zone).
Campaign Analysis
The reconnaissance activity observed in April was targeted on payment processes for Ukrainian communal housing and utility services.
On April 22, 2024, the survey was targeted on changes made in 2016 when QR codes were introduced in payment notices.
On the same day, reconnaissance was also conducted regarding the current developments related to housing and utility debt in Ukraine.
On April 25, 2024, the reconnaissance activity was related to the legal basis of restructuring housing debt in Ukraine and the debt involving utilities such as gas and electricity.
These activities were likely because of the payment-related lures, which have higher chances of success against Ukrainian Individuals.
Phishing Campaign And RAR Malware Analysis
Researchers at Cloudflare disrupted the phishing campaign that was about to be conducted for Easter.
On analyzing the phishing campaign code, it was found that the threat actors were using a spoofed version of the Kyiv Komunalka communal housing site, which functions as the payment processor for Kyiv residents.
All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo
Kyiv Komunalka allows users to pay utilities like gas, electricity, telephone, internet, fees, and FInes, as well as donations to Ukraine’s defense forces.
The phishing campaign was about to be conducted via phishing email or an encrypted signal message, which likely contained the GitHub page link.
This page, when visited by victims, will display a large green button that will prompt the users to download the payment invoice document under the name “Рахунок.docx” (“Invoice.docx”).
However, originally, the button will download a malicious RAR archive “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”).
This RAR archive will contain multiple files, including a file with a name that contains a Unicode character “U+201F” that appears as a whitespace between the filename and the extension.
This file appears as a PDF document, which is actually a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”).
.webp)
This RAR, when decompressed, will extract the malicious PDF file, which will exploit the WinRAR vulnerability CVE-2023-38831.
Finally, the COOKBOX PowerShell malware gets executed that will persist on the computer, enabling the threat actors to gain permanent access to the affected device.
When this COOKBOX malware is installed, it will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run.
Further there were additional documents present in the RAR archive that serve as a decoy document. These documents will contain hidden tracking links using the Canary Tokens service.
.webp)
Indicators Of Compromise
| Filename | SHA256 Hash | Description |
| Заборгованість по ЖКП.rar | a0a294f85c8a19be048ffcc05ede6fd5a7ac5e2f0032a3ca0050dc1ae960c314 | RAR archive |
| Рахунок на оплату.pdf .cmd | 0cca8f795c7a81d33d36d5204fcd9bc73bdc2af7de315c1449cbc3551ef4fb59 | COOKBOX Sample (contained in RAR archive) |
| Реструктуризація боргу за житлово комунальні послуги.docx | 915721b94e3dffa6cef3664532b586be6cf989fec923b26c62fdaf201ee81d2c | Benign Word Document with Tracking Link (contained in RAR archive) |
| Угода користувача.docx | 79a9740f5e5ea4aa2157d9d96df34ee49a32e2d386fe55fedfd1aa33e151c06d | Benign Word Document with Tracking Link (contained in RAR archive) |
| Рахунок на оплату.pdf | 19e25456c2996ded3e29577b609de54a2bef90dad8f868cdad795c18df05a79b | Random Binary Data (contained in RAR archive) |
| Заборгованість по ЖКП станом на 26.04.24.docx | e0d65e2d36afd3db1b603f10e0488cee3f58ade24d8abc6bee240314d8696708 | Random Binary Data (contained in RAR archive) |
| Domain / URL | Description |
| komunalka[.]github[.]io | Phishing page |
| hxxps[:]//github[.]com/komunalka/komunalka[.]github[.]io | Phishing page |
| hxxps[:]//worker-polished-union-f396[.]vqu89698[.]workers[.]dev | Worker that fetches malicious RAR file |
| hxxps[:]//raw[.]githubusercontent[.]com/kudoc8989/project/main/Заборгованість по ЖКП.rar | Delivery of malicious RAR file |
| hxxps[:]//1014[.]filemail[.]com/api/file/get?filekey=e_8S1HEnM5Rzhy_jpN6nL-GF4UAP533VrXzgXjxH1GzbVQZvmpFzrFA&pk_vid=a3d82455433c8ad11715865826cf18f6 | Dummy payload |
| hxxps[:]//pixeldrain[.]com/api/file/ZAJxwFFX?download= | Dummy payload |
| hxxp[:]//canarytokens[.]com/stuff/tags/ni1cknk2yq3xfcw2al3efs37m/payments.js | Tracking link |
| hxxp[:]//canarytokens[.]com/stuff/terms/images/k22r2dnjrvjsme8680ojf5ccs/index.html | Tracking link |
| postdock[.]serveftp[.]com | COOKBOX C2 |
Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.