Cloudflare disrupts Russia-aligned phishing campaign targeting Ukraine
Cloudflare announced it disrupted a month-long phishing campaign by a Russia-aligned threat actor, FlyingYeti, which targeted Ukraine.
The campaign used debt-themed lures to entice targets into opening malicious files, resulting in infection with COOKBOX malware. This malware allows follow-on activities such as additional payload installations and system control. FlyingYeti, tracked by CERT-UA as UAC-0149, has previously used malicious attachments via the Signal app to deliver COOKBOX.
The latest campaign, detected in mid-April 2024, exploited a WinRAR vulnerability (CVE-2023-38831) and staged its content on Cloudflare Workers and GitHub. Emails lured recipients to a now-removed GitHub page impersonating the Kyiv Komunalka website and prompted them to download what appeared to be a Microsoft Word file; the download was in fact a RAR archive containing the COOKBOX malware.
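As an added example (not code from Cloudflare's or CERT-UA's reporting), these are the two checks a triage script would make on an attachment from the chain above: whether a file named as a Word document actually carries a RAR container, and whether an archive listing shows the same-named file-and-folder layout that CVE-2023-38831 relies on. The magic bytes are well-known constants; the sample listing and file names are constructed, and the archive tool that produces such a listing is assumed.

```python
import os
from typing import Iterable, List, Tuple

# Leading bytes of the containers involved: RAR (what was delivered) versus
# the ZIP (.docx) and OLE2 (.doc) containers a real Word document uses.
MAGIC = {
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"PK\x03\x04": "zip/ooxml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
}
WORD_EXT_OK = {".docx": {"zip/ooxml"}, ".doc": {"ole2"}}
SCRIPT_EXT = (".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js")


def sniff(data: bytes) -> str:
    """Return the container type implied by the file's leading bytes."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a file named like a Word document is not a Word container."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in WORD_EXT_OK:
        return False
    return sniff(data) not in WORD_EXT_OK[ext]


def cve_2023_38831_layout(entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag the layout CVE-2023-38831 abuses: a top-level decoy file whose
    name (ignoring trailing spaces) matches a folder holding a script, which
    vulnerable WinRAR ran when the decoy was double-clicked.
    `entries` are member paths as listed by an archive tool (constructed)."""
    names = list(entries)
    decoys = {n.rstrip(" "): n for n in names if "/" not in n}
    hits = []
    for n in names:
        if "/" not in n:
            continue
        folder, member = n.split("/", 1)
        key = folder.rstrip(" ")
        if key in decoys and member.lower().endswith(SCRIPT_EXT):
            hits.append((decoys[key], n))
    return hits


if __name__ == "__main__":
    sample = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16   # constructed RAR5 header
    print(extension_mismatch("Invoice.docx", sample))   # True: RAR posing as Word
    print(cve_2023_38831_layout(["Report.pdf ", "Report.pdf /Report.pdf .cmd"]))
```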
Cloudflare stated that the malware is designed to persist on the infected device, communicating with a DDNS domain for command-and-control purposes. The campaign primarily targeted Ukrainian military entities, leveraging cloud-based platforms for staging malicious content.
CERT-UA also reported a spike in phishing attacks by UAC-0006, which dropped SmokeLoader malware to deploy additional threats like TALESHOT. Phishing campaigns have extended to European and U.S. financial organizations, using trojanized versions of legitimate software like SuperOps to gain unauthorized remote access.

According to Flashpoint, Russian APT groups continue to evolve their tactics, using spear-phishing campaigns to exfiltrate data and credentials with malware such as Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader. These developments highlight the ongoing and expanding cyber threats from Russian-aligned actors.