

Severity
High
Analysis Summary
In the wake of Russia’s invasion of Ukraine on February 24, 2022, Ukraine implemented a moratorium on evictions and utility terminations for unpaid debts which ended in January 2024. During this period, a threat actor identified as "FlyingYeti" exploited the anxieties surrounding unpaid debts through a debt-themed phishing campaign.
This campaign was designed to trick victims into downloading a PowerShell malware known as “COOKBOX,” allowing the attackers to install additional payloads and gain control over the victims' systems. The phishing campaign leveraged GitHub servers, Cloudflare workers, and a WinRAR vulnerability (CVE-2023-38831) to execute their malicious activities.
The activities of FlyingYeti align with those of a previously identified threat actor, UAC-0149, which targeted Ukrainian defense entities with the same malware in the fall of 2023. From mid-April to mid-May 2024, FlyingYeti conducted reconnaissance activities, likely in preparation for an Easter campaign. These activities involved dynamic DNS for infrastructure and cloud-based platforms for hosting malware and C2 servers. The group is believed to be Russia-aligned, focusing primarily on Ukrainian military entities. This attribution is based on Russian-language code comments and operational hours matching the UTC+3 time zone.
The reconnaissance activity in April targeted payment processes for Ukrainian communal housing and utility services. This included surveys on changes made in 2016 when QR codes were introduced in payment notices and developments related to housing and utility debt. The focus on payment-related lures increased the chances of success against Ukrainian individuals. Specific reconnaissance on April 25, 2024, was related to the legal restructuring of housing debt and utilities like gas and electricity, likely intended to craft more convincing phishing emails.
Researchers disrupted the planned phishing campaign, which spoofed the Kyiv Komunalka communal housing site. This site handles payments for various utilities and fees. The phishing emails or encrypted Signal messages contained links to a GitHub page with a large green button, prompting users to download a payment invoice document named “Рахунок.docx” (“Invoice.docx”).
Instead, the button downloaded a malicious RAR archive named “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”). The malicious RAR archive contained multiple files, including one whose name contained a Unicode character that made it appear to be a PDF document. This file was a malicious CMD file exploiting the WinRAR vulnerability CVE-2023-38831.
Upon decompression, the COOKBOX PowerShell malware was executed, establishing persistence on the computer and enabling ongoing access for the threat actors. The malware communicated with the C2 domain awaiting PowerShell cmdlets to execute. Additionally, the RAR archive contained decoy documents with hidden tracking links using the Canary Tokens service to further the attackers' surveillance capabilities.
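As an added detection example (not code from the original advisory), the function below inspects an archive's member names for the lure traits described above: Unicode format characters that disguise a script as a document, a script whose name carries a document-like inner extension, and the trailing-space file/directory layout known from public CVE-2023-38831 write-ups. The sample listing is constructed, and the extension lists are assumptions.

```python
import unicodedata

# Document extensions a lure pretends to be, and script/executable extensions
# that actually run when opened. Both lists are illustrative, not exhaustive.
DOC_EXTS = (".pdf", ".docx", ".doc", ".xlsx", ".txt")
EXEC_EXTS = (".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".scr", ".lnk")


def _has_format_control(name: str) -> bool:
    # Unicode category "Cf" covers bidi overrides (U+202E etc.) and zero-width
    # characters, which change how a name displays without changing its bytes.
    return any(unicodedata.category(ch) == "Cf" for ch in name)


def _looks_like_document_but_executes(name: str) -> bool:
    lower = name.lower()
    if not lower.endswith(EXEC_EXTS):
        return False
    stem = lower.rsplit(".", 1)[0].rstrip(" ")  # 'Invoice.pdf .cmd' -> 'invoice.pdf'
    return stem.endswith(DOC_EXTS)


def suspicious_members(members: list[str]) -> list[tuple[str, str]]:
    """Return (member, reason) pairs for archive entries matching the lure pattern."""
    findings = []
    for m in members:
        path = m.rstrip("/")
        leaf = path.rsplit("/", 1)[-1]
        if _has_format_control(leaf):
            findings.append((m, "unicode format control in filename"))
        if _looks_like_document_but_executes(leaf):
            findings.append((m, "script/executable disguised as document"))
        # CVE-2023-38831 layout (public write-ups): a file whose name ends in a
        # space sits next to a directory of the same name that holds the script.
        if not m.endswith("/") and leaf.endswith(" ") and any(
            o != m and o.startswith(path + "/") for o in members
        ):
            findings.append((m, "trailing-space file paired with same-name directory"))
    return findings


# Constructed sample listing (not real IoCs) in the shape of the lure described above.
SAMPLE = [
    "Рахунок.pdf ",                    # decoy whose name ends with a space
    "Рахунок.pdf /Рахунок.pdf .cmd",   # script that actually runs
    "Заборгованість\u202efdp.cmd",     # RTL override: displays as '...dmc.pdf'
    "readme.txt",                      # benign
]

if __name__ == "__main__":
    for member, reason in suspicious_members(SAMPLE):
        print(f"{reason}: {member!r}")
```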
Impact
- Unauthorized Access
- Cyber Espionage
- Command Execution
Remediation
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Passwords – Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
- Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- Patch and upgrade platforms and software promptly and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and keep signature definitions up to date. Multi-layered protection is necessary to secure vulnerable assets.