FlyingYeti Exploits WinRAR Vulnerability For Targeted Malware Attacks

Ever since Russia’s invasion of Ukraine on February 24, 2022, there have been heavy tensions between the nations and worldwide.

After this incident, Ukraine imposed an eviction and termination moratorium on utility services for unpaid debt, ending in January 2024.

However, this particular period was utilized by a threat actor who is identified as “FlyingYeti”.

This threat actor used the anxiety among Ukrainian citizens about the unpaid debt and potential loss of access to housing and conducted a debt-themed phishing campaign to lure victims into potentially downloading a malware file onto their systems. 

This malware was a PowerShell malware known as “COOKBOX” which enabled these threat actors to install additional payloads and control over the victim’s system.

Additionally, the phishing campaign used GitHub servers and Cloudflare workers alongside a WinRAR vulnerability (CVE-2023-38831).

Threat Actor Analysis

According to the reports shared with Cyber Security News, the FlyingYeti threat actor’s activities overlaps with a previously identified threat actor known as UAC-0149 who used to target Ukrainian Defense entities with the same malware during the fall of 2023.

Between mid-April to mid-May 2024, this FlyingYeti threat actor has been observed to be conducting reconnaissance activity against their victims that was likely to be used in a campaign which was intended to be launched during Easter.

This threat actor uses dynamic DNS for their infrastructure and uses cloud-based platforms for hosting their malware and C2 servers.

FlyingYeti is likely attributed to Russia-aligned threat groups that primarily focus on targeting Ukrainian Military Entities. 

This attribution was speculated due to the comments in the codes which were written in Russian language and the operational hours for this threat actor happens in the UTC +3 Time zone (3 Russian Places are present in this time zone).

Campaign Analysis

The reconnaissance activity observed in April was targeted on payment processes for Ukrainian communal housing and utility services.

On April 22, 2024, the survey was targeted on changes made in 2016 when QR codes were introduced in payment notices. 

On the same day, reconnaissance was also conducted regarding the current developments related to housing and utility debt in Ukraine.

On April 25, 2024, the reconnaissance activity was related to the legal basis of restructuring housing debt in Ukraine and the debt involving utilities such as gas and electricity.

These activities were likely because of the payment-related lures, which have higher chances of success against Ukrainian Individuals.

Phishing Campaign And RAR Malware Analysis

Researchers at Cloudflare disrupted the phishing campaign that was about to be conducted for Easter.

On analyzing the phishing campaign code, it was found that the threat actors were using a spoofed version of the Kyiv Komunalka communal housing site, which functions as the payment processor for Kyiv residents.

 All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo

Kyiv Komunalka allows users to pay utilities like gas, electricity, telephone, internet, fees, and FInes, as well as donations to Ukraine’s defense forces.

The phishing campaign was about to be conducted via phishing email or an encrypted signal message, which likely contained the GitHub page link.

This page, when visited by victims, will display a large green button that will prompt the users to download the payment invoice document under the name “Рахунок.docx” (“Invoice.docx”).

However, originally, the button will download a malicious RAR archive “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”).

Spoofed website (Source: Cloudflare)

This RAR archive will contain multiple files, including a file with a name that contains a Unicode character “U+201F” that appears as a whitespace between the filename and the extension.

This file appears as a PDF document, which is actually a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”).

Malicious WinRAR Archive (Source: Cloudflare)

This RAR, when decompressed, will extract the malicious PDF file, which will exploit the WinRAR vulnerability CVE-2023-38831.

Finally, the COOKBOX PowerShell malware gets executed that will persist on the computer, enabling the threat actors to gain permanent access to the affected device.

When this COOKBOX malware is installed, it will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run. 

Further there were additional documents present in the RAR archive that serve as a decoy document. These documents will contain hidden tracking links using the Canary Tokens service.

Decoy Document (Source: Cloudflare)

Indicators Of Compromise

FilenameSHA256 HashDescription
Заборгованість по ЖКП.rara0a294f85c8a19be048ffcc05ede6fd5a7ac5e2f0032a3ca0050dc1ae960c314RAR archive
Рахунок на оплату.pdf                                                                                 .cmd0cca8f795c7a81d33d36d5204fcd9bc73bdc2af7de315c1449cbc3551ef4fb59COOKBOX Sample (contained in RAR archive)
Реструктуризація боргу за житлово комунальні послуги.docx915721b94e3dffa6cef3664532b586be6cf989fec923b26c62fdaf201ee81d2cBenign Word Document with Tracking Link (contained in RAR archive)
Угода користувача.docx79a9740f5e5ea4aa2157d9d96df34ee49a32e2d386fe55fedfd1aa33e151c06dBenign Word Document with Tracking Link (contained in RAR archive)
Рахунок на оплату.pdf19e25456c2996ded3e29577b609de54a2bef90dad8f868cdad795c18df05a79bRandom Binary Data (contained in RAR archive)
Заборгованість по ЖКП станом на 26.04.24.docxe0d65e2d36afd3db1b603f10e0488cee3f58ade24d8abc6bee240314d8696708Random Binary Data (contained in RAR archive)
Domain / URLDescription
komunalka[.]github[.]ioPhishing page
hxxps[:]//github[.]com/komunalka/komunalka[.]github[.]ioPhishing page
hxxps[:]//worker-polished-union-f396[.]vqu89698[.]workers[.]devWorker that fetches malicious RAR file
hxxps[:]//raw[.]githubusercontent[.]com/kudoc8989/project/main/Заборгованість по ЖКП.rarDelivery of malicious RAR file
hxxps[:]//1014[.]filemail[.]com/api/file/get?filekey=e_8S1HEnM5Rzhy_jpN6nL-GF4UAP533VrXzgXjxH1GzbVQZvmpFzrFA&pk_vid=a3d82455433c8ad11715865826cf18f6Dummy payload
hxxps[:]//pixeldrain[.]com/api/file/ZAJxwFFX?download=Dummy payload
hxxp[:]//canarytokens[.]com/stuff/tags/ni1cknk2yq3xfcw2al3efs37m/payments.jsTracking link
hxxp[:]//canarytokens[.]com/stuff/terms/images/k22r2dnjrvjsme8680ojf5ccs/index.htmlTracking link
postdock[.]serveftp[.]comCOOKBOX C2

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

14 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

19 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

19 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

22 hours ago