FlyingYeti Campaign Detection: russian Hackers Exploit CVE-2023-38831 to Deliver COOKBOX Malware in Ongoing Attacks Against Ukraine
In mid-April 2024, CERT-UA warned defenders of repeated adversary attempts to compromise Ukrainian organizations using COOKBOX malware. Defenders observed the ongoing phishing campaign targeting Ukraine and took measures to disrupt the offensive attempts. The identified russia-linked malicious activity is tracked under the moniker FlyingYeti and overlaps with the UAC-0149 operation covered in the CERT-UA#9522 alert.
Detect FlyingYeti Campaign Targeting Ukraine
With continuously escalating geopolitical tensions, the world has entered a full-fledged cyber war characterized by an increasing prevalence of Advanced Persistent Threats (APTs). These sophisticated, state-sponsored cyber espionage groups are primarily aimed at achieving long-term strategic objectives for their sponsoring nations. Among the most active and notorious APT actors are those backed by the russian government. For at least the last decade, russia-backed APTs have used Ukraine as a testing ground for novel TTPs and malware samples, refining their methods before deploying them against high-value targets of interest to the Moscow government.
The FlyingYeti campaign is the latest in a string of cyber-attacks against the Ukrainian public sector, requiring cyber defenders to proactively identify possible malicious activity and strengthen their cyber defenses. SOC Prime Platform for collective cyber defense offers a set of curated detection algorithms to identify FlyingYeti attacks at the earliest stages of their development. Just hit the Explore Detections button below and immediately drill down to a list of rules compatible with 30+ SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. The detections are also enriched with CTI references and other extensive metadata to streamline threat investigation.
Since Cloudflare’s inquiry points out that the latest FlyingYeti campaign relies on TTPs similar to those revealed by CERT-UA in its investigation of the UAC-0149 attacks against Ukraine, security researchers can also analyze the campaign retrospectively. Dive into the list of Sigma rules addressing the relevant CERT-UA#9522 alert using the link below, or browse the relevant detection stack by applying the custom tag based on the CERT-UA alert ID “CERT-UA#9522”.
Sigma Rules to Detect UAC-0149 Activity Covered in CERT-UA#9522 Alert
Searching for a broader coverage of UAC-0149 (aka FlyingYeti)? Use this link to immediately access an extensive rule collection of the group’s TTPs and behavior patterns to have all the pieces of the puzzle for your threat detection & hunting operations.
FlyingYeti Phishing Espionage Campaign Analysis
Cloudflare’s Cloudforce One team has been observing a month-long phishing espionage campaign uncovered by CERT-UA and has taken steps to thwart the offensive efforts. The ongoing adversary operations are attributed to the russia-aligned threat actor FlyingYeti, also tracked as UAC-0149, which has been observed behind earlier attacks primarily targeting Ukraine’s military sector and leveraging COOKBOX malware, such as a notorious phishing campaign against the Armed Forces of Ukraine.
FlyingYeti commonly leverages dynamic DNS for its infrastructure and takes advantage of cloud-based platforms for hosting malware C2. The ongoing FlyingYeti campaign exploited fears of losing access to housing and utilities by luring the targeted users into opening debt-themed malicious files. If opened, these weaponized files infect the system with the PowerShell malware known as COOKBOX, enabling FlyingYeti to pursue further objectives, such as installing additional payloads and gaining control over the victim’s system. Once deployed, COOKBOX is intended to persist on the host, establishing a foothold on the compromised device. After installation, the observed COOKBOX iteration reaches out to the DDNS domain postdock[.]serveftp[.]com for C2, expecting PowerShell commands that the malware then executes. According to Cloudforce One, in the latest campaign the adversaries also took advantage of Cloudflare Workers and GitHub, along with weaponizing the WinRAR vulnerability tracked as CVE-2023-38831.
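The C2 behavior described above (a PowerShell implant resolving a dynamic-DNS host) maps directly onto a DNS-query hunt. The following is an added example, not code from the page, SOC Prime, or Cloudflare: it applies the logic of a Sigma dns_query rule to constructed Sysmon Event ID 22 records, matching the reported C2 domain and, more broadly, any PowerShell process querying a dynamic-DNS zone. The DDNS suffix list beyond serveftp.com is an assumption to be tuned per environment.

```python
from collections import namedtuple

# Known COOKBOX C2 domain reported in the campaign (defanged on the page).
KNOWN_C2 = {"postdock.serveftp.com"}
# Dynamic-DNS zones to watch when the querying process is PowerShell.
# serveftp.com is the zone of the reported C2; the other entries are
# assumed additional free DDNS zones and should be tuned per environment.
DDNS_SUFFIXES = (".serveftp.com", ".servehttp.com", ".ddns.net", ".hopto.org")

Finding = namedtuple("Finding", "host process query reason")

def is_powershell(image):
    """True for classic and cross-platform PowerShell binaries."""
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))

def check_dns_event(event):
    """Evaluate one Sysmon EID 22 (DNS query) record; return a Finding or None."""
    query = event["QueryName"].lower().rstrip(".")
    image = event["Image"]
    if query in KNOWN_C2:
        return Finding(event["Computer"], image, query, "known COOKBOX C2 domain")
    if is_powershell(image) and query.endswith(DDNS_SUFFIXES):
        return Finding(event["Computer"], image, query, "PowerShell querying dynamic-DNS host")
    return None

def hunt(events):
    """Run the check over a batch of DNS-query records and keep the hits."""
    return [f for f in (check_dns_event(e) for e in events) if f]

# Constructed sample events (not real telemetry), shaped like Sysmon EID 22 fields.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": PS, "QueryName": "postdock.serveftp.com"},
    {"Computer": "WS02", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.example.com"},
    {"Computer": "WS03", "Image": PS, "QueryName": "update-host.ddns.net"},
    {"Computer": "WS04", "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "files.serveftp.com"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.process} -> {f.query} ({f.reason})")
```

The svchost.exe query to a DDNS host is deliberately left unflagged: the broader rule keys on PowerShell as the querying process to keep false positives from legitimate DDNS use low.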
For a one-month period, Cloudforce One observed FlyingYeti engaging in reconnaissance activities, creating lures for its phishing campaign, and experimenting with multiple malware variants. Researchers considered early May, following Orthodox Easter, to be the planned launch date for the phishing campaign. Defenders managed to disrupt FlyingYeti’s operation right after the adversaries generated the final COOKBOX payload. The malware contained an exploit for CVE-2023-38831. Vulnerability exploitation remains one of the common methods employed by FlyingYeti in its phishing campaigns as a means of spreading malicious strains.
To reduce the risks of FlyingYeti attacks, defenders recommend implementing a zero-trust approach to the organization’s cybersecurity strategy, applying browser isolation to separate messaging apps, ensuring the system has the latest WinRAR and Microsoft security updates installed, and following best security practices to safeguard the infrastructure against phishing.
Rely on SOC Prime’s platform for collective cyber defense based on global threat intelligence, crowdsourcing, zero-trust, and AI to proactively thwart emerging threats, search for the latest TTPs used in cyber attacks, and equip your team with state-of-the-art technologies for Detection Engineering, Threat Hunting, and Detection Stack Validation available as a single product suite. You are also welcome to request a demo to see the SOC Prime Platform in action.