GIFTEDCROOK Malware Exploits WinRAR ADS to Steal Browser Data

A newly identified cyberattack campaign orchestrated by the threat actor group UAC-0226 is targeting Windows users, particularly those associated with Ukrainian military entities. This sophisticated operation employs malicious WinRAR archives, concealed file streams, and advanced memory-loading techniques to deploy GIFTEDCROOK—a stealer malware designed to extract browser credentials, cookies, and sensitive documents from compromised systems.

The attack starts with a seemingly innocuous WinRAR archive containing a decoy PDF document. Embedded within this archive, however, are additional hidden files stored in NTFS Alternate Data Streams (ADS), which WinRAR can preserve inside an archive and recreate on extraction, so they do not appear alongside the visible PDF. When the victim opens the PDF, a shortcut file (LNK) is executed, which surreptitiously extracts and places these hidden files into critical system directories. This occurs without the user’s knowledge, effectively launching the malware in the background.

Security researchers at Synaptic Security have detailed the attack chain, which progresses from the initial RAR archive through the decoy PDF and LNK file to obfuscated PowerShell scripts and an encoded payload, culminating in the deployment of GIFTEDCROOK. The archive deposits two key files onto the system: a heavily obfuscated PowerShell loader in the C:\ProgramData\WC3 directory and an encoded payload in C:\ProgramData\wt1. Additionally, a startup shortcut is placed in the Windows Startup folder, ensuring the malware executes automatically upon user login, thereby establishing persistent access.

Once active, GIFTEDCROOK operates stealthily, targeting browsers such as Google Chrome, Microsoft Edge, Opera, and Firefox to harvest login credentials, cookies, and saved session data. The malware also seeks out VPN profiles, KeePass databases, and email files, compiling the collected information into a ZIP archive for exfiltration to attacker-controlled servers.

The campaign’s effectiveness is largely attributed to its use of WinRAR’s ADS feature and reflective Portable Executable (PE) loading. ADS allows the archive to carry hidden files alongside the visible decoy PDF, enabling the silent extraction of multiple malicious components onto the victim’s machine without raising suspicion. The PowerShell loader in the WC3 directory is obfuscated with extensive junk code and random function names to evade detection. It reads the encoded payload from the wt1 file, decodes it by subtracting 72 from each byte, and loads the resulting code directly into memory using low-level Windows API calls. This method avoids creating a recognizable executable file on disk, further evading traditional security measures.
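The following is an added example for analysts, not code from the original article or from the researchers who documented the campaign: it reverses the subtract-72-per-byte encoding described above so a recovered wt1-style file can be triaged offline, and then checks whether the decoded bytes have the shape of a Portable Executable (an `MZ` DOS header, an `e_lfanew` pointer in range, and a `PE\0\0` signature followed by a COFF header). The sample payload it builds is constructed here for demonstration and is not a real malware sample; the function and variable names are the example's own.

```python
"""
Added example: decode a GIFTEDCROOK-style encoded payload (each byte was
shifted by +72, so decoding subtracts 72 mod 256) and sanity-check that the
result looks like a PE image. Intended for offline triage of a file recovered
from disk, not for executing anything. Sample data below is constructed.
"""
import struct

ENCODE_OFFSET = 72  # per the article: decode by subtracting 72 from each byte
COFF_HEADER_SIZE = 20  # bytes following the 4-byte "PE\0\0" signature


def decode_payload(data: bytes, offset: int = ENCODE_OFFSET) -> bytes:
    """Reverse the per-byte shift. Arithmetic is mod 256, so bytes below 72 wrap around."""
    return bytes((b - offset) & 0xFF for b in data)


def encode_payload(data: bytes, offset: int = ENCODE_OFFSET) -> bytes:
    """Forward transform, used only to build the constructed sample for testing."""
    return bytes((b + offset) & 0xFF for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Minimal structural check: 'MZ' header, e_lfanew in range, 'PE\\0\\0' + full COFF header."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_encoded_file(data: bytes) -> dict:
    """Return a small report: did decoding yield a PE, and for which machine type?"""
    decoded = decode_payload(data)
    report = {"encoded_len": len(data), "is_pe": looks_like_pe(decoded), "machine": None}
    if report["is_pe"]:
        (e_lfanew,) = struct.unpack_from("<I", decoded, 0x3C)
        # COFF Machine field sits immediately after the 4-byte PE signature
        (report["machine"],) = struct.unpack_from("<H", decoded, e_lfanew + 4)
    return report


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a wt1 file: a bare DOS header + PE signature + COFF header, encoded."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)  # Machine=AMD64, 1 section, rest zero
    return encode_payload(bytes(dos_header) + b"PE\x00\x00" + coff)


if __name__ == "__main__":
    sample = build_constructed_sample()
    print("encoded bytes look like PE:", looks_like_pe(sample))
    print("triage report:", triage_encoded_file(sample))
```

In practice the `data` argument would be the raw bytes of the recovered file; a decoded blob that passes `looks_like_pe` is worth handing to a proper PE parser and a sandbox, while one that fails suggests a different offset or an additional encoding layer the loader applies.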

GIFTEDCROOK’s evolution from a basic browser credential stealer to a comprehensive intelligence-gathering tool underscores the increasing sophistication of cyber threats. The malware’s ability to extract a wide range of sensitive information, coupled with its stealthy deployment mechanisms, poses a significant risk to targeted individuals and organizations. This development highlights the critical need for users to exercise caution when handling email attachments and to ensure that their software, particularly utilities like WinRAR, is kept up to date to mitigate potential vulnerabilities.