FlyingYeti Exploits WinRAR Vulnerability to Deliver COOKBOX Malware in Ukraine

May 30, 2024 at 01:27PM

Cloudflare disrupted a phishing campaign by the Russia-aligned threat actor FlyingYeti targeting Ukraine. The campaign used debt-themed lures to distribute the PowerShell malware COOKBOX. Cloudforce One identified the campaign in mid-April 2024; it made use of Cloudflare Workers and GitHub and exploited a WinRAR vulnerability. Separately, CERT-UA identified phishing attacks by a financially motivated group, UAC-0006.

Key points:
– Cloudflare disrupted a month-long phishing campaign by a Russia-aligned threat actor called FlyingYeti targeting Ukraine.
– The campaign used debt-themed lures to entice targets to open malicious files, resulting in infection with the PowerShell malware known as COOKBOX.
– The threat actor primarily targeted Ukrainian military entities, employing various tactics including exploitation of the WinRAR vulnerability tracked as CVE-2023-38831 and the use of Cloudflare Workers and GitHub.
– Phishing attacks from other threat groups such as UAC-0006 and UAC-0188 were also mentioned, along with the evolution and refinement of tactics by Russian advanced persistent threat (APT) groups.
– The most prevalent malware families used in these spear-phishing campaigns were Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader.
