A new cybersecurity threat associated with the group UAC-0226 has been identified, targeting Windows users with sophisticated techniques. The campaign employs malicious WinRAR archives and advanced memory-loading methods to deploy the GIFTEDCROOK malware, which is designed to clandestinely siphon off browser credentials, cookies, and sensitive files from compromised systems.
Targeted Attack on Ukrainian Military Personnel
The attack chain has a specific focus on individuals related to the Ukrainian military, utilizing documents that mimic authentic military records to deceive targets. The infection commences with what seems to be a standard WinRAR archive; however, it contains more than just a simple document.
Utilizing the Alternate Data Streams (ADS) feature, threat actors hide numerous files within the archive, including a decoy PDF and a shortcut file (LNK). These files are discreetly deployed into critical system locations upon opening, initiating the attack without the user’s awareness.
Technical Analysis of the GIFTEDCROOK Attack Chain
Researchers at Synaptic Security have meticulously traced the complete attack sequence while monitoring UAC-0226’s activities. The initial RAR file leads to a decoy PDF, a shortcut, and obfuscated PowerShell scripts, culminating in the execution of the GIFTEDCROOK stealer.
The archive deposits two primary files: an obfuscated PowerShell loader in `C:\ProgramData\WC3` and an encoded payload in `C:\ProgramData\wt1`. A shortcut in the Windows Startup folder ensures the malware’s persistence, allowing it to launch automatically with each login, thus maintaining continuous access.
Once active, GIFTEDCROOK targets browsers such as Chrome, Edge, Opera, and Firefox, extracting login details, cookies, and session data. Additionally, it seeks VPN profiles, KeePass databases, and email files, consolidating everything into a ZIP archive for transmission to the attackers’ servers.
Evading Detection with Advanced Techniques
The attack leverages WinRAR’s ADS and reflective PE loading capabilities to deliver GIFTEDCROOK while evading detection by most security tools. ADS enables the attachment of hidden files to the archive, which are extracted without raising suspicion.
The PowerShell loader is obfuscated with extraneous code, making it challenging for analysis tools to decipher. The payload is decoded and loaded directly into memory using Windows API calls, bypassing the creation of recognizable executable files on disk.
Security measures should focus on monitoring changes to the startup folder, unusual PowerShell activity, and outbound traffic to atypical ports. Preventing LNK execution from archives and enforcing stricter PowerShell policies can significantly mitigate this threat.
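To make the monitoring advice above concrete, here is an added example (not from the original report or from Synaptic Security) of detection logic run over a few constructed Sysmon-style events: a shortcut written to a Startup folder, PowerShell launched against the loader paths named in the report, and PowerShell connecting to a port other than 80 or 443. The JSON field names, the sample events and the choice of 80/443 as the only expected ports are assumptions.

```python
import json

# Constructed Sysmon-like events (JSON lines); not real telemetry, field names are assumed.
# Event 11 = file create, 1 = process create, 3 = network connection.
SAMPLE_EVENTS = r"""
{"event_id": 11, "image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\report.lnk"}
{"event_id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -w hidden -ep bypass -f C:\\ProgramData\\WC3"}
{"event_id": 3, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_port": 8443}
{"event_id": 3, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_port": 443}
{"event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"}
"""

STARTUP_MARKER = "\\start menu\\programs\\startup\\"          # per-user and all-users Startup folders
LOADER_PATHS = ("c:\\programdata\\wc3", "c:\\programdata\\wt1")  # paths named in the report
EXPECTED_PORTS = {80, 443}  # assumption: PowerShell talking to any other port is "atypical"


def classify(event):
    """Return a finding label for one event, or None if nothing matches."""
    eid = event.get("event_id")
    image = event.get("image", "").lower()
    target = event.get("target", "").lower()
    cmd = event.get("cmdline", "").lower()
    # A .lnk landing in a Startup folder is the persistence step described in the report.
    if eid == 11 and target.endswith(".lnk") and STARTUP_MARKER in target:
        return "startup_lnk_dropped"
    if eid == 1 and image.endswith("powershell.exe"):
        if any(p in cmd for p in LOADER_PATHS):
            return "powershell_known_loader_path"
        # Generic signs of an obfuscated or hidden loader, independent of this campaign's paths.
        if "-ep bypass" in cmd or "-w hidden" in cmd or "frombase64string" in cmd:
            return "powershell_suspicious_args"
    if eid == 3 and image.endswith("powershell.exe") and event.get("dest_port") not in EXPECTED_PORTS:
        return "powershell_atypical_port"
    return None


def scan(lines):
    """Run classify() over JSON-lines telemetry and return (label, image) pairs."""
    findings = []
    for line in lines.splitlines():
        if line.strip():
            event = json.loads(line)
            label = classify(event)
            if label:
                findings.append((label, event["image"]))
    return findings


if __name__ == "__main__":
    for label, image in scan(SAMPLE_EVENTS):
        print(f"{label:32} {image}")
```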
Security teams are advised to stay vigilant and implement robust monitoring to detect signs of this attack chain. By understanding the intricacies of the GIFTEDCROOK malware, organizations can better protect their systems against such sophisticated threats.
