Ukrainian military entities were targeted in a now-disrupted month-long phishing attack campaign by Russia-linked threat operation FlyingYeti, also known as UAC-0149, that deployed the COOKBOX malware with cmdlet loading and execution capabilities, reports The Hacker News.
Attacks involved the distribution of malicious emails with payment- and debt restructuring-related lures meant to encourage downloads of a Microsoft Word file from a spoofed Kyiv Komunalka website, which verifies an HTTP request to a Cloudflare Worker before fetching a RAR archive file that then exploits the WinRAR flaw, tracked as CVE-2023-38831, to facilitate COOKBOX malware execution, according to a Cloudflare report.
Such findings come amid separate warnings by Ukraine's Computer Emergency Response Team regarding escalating phishing attacks by the UAC-0006 threat group involving SmokeLoader malware deployment, as well as the UAC-0188 threat operation's use of a trojanized Minesweeper game to distribute SuperOps Remote Monitoring and Management software.
