Malware, Threat Intelligence
Updated GIFTEDCROOK malware enables cyberespionage
Hacking operation UAC-0226 has upgraded its GIFTEDCROOK information-stealing malware to allow intelligence gathering in attack campaigns between April and June, according to The Hacker News.
Malicious emails carrying military-themed PDF lures direct targets to a Mega cloud storage link that leads to a macro-enabled Excel workbook, which in turn downloads the updated GIFTEDCROOK malware, a report from Arctic Wolf Labs revealed. The stealer collects files and documents matching a set of targeted extensions that were created or modified within the past 45 days.

All gathered files, which could include spreadsheets and VPN configurations, are then compiled into a ZIP archive that is split into pieces should it exceed 20 MB, in an effort to bypass detection, before a batch script is delivered to remove the stealer from the system.

"The progression from simple credential theft in GIFTEDCROOK version 1, to comprehensive document and data exfiltration in versions 1.2 and 1.3, reflects coordinated development efforts where malware capabilities followed geopolitical objectives to enhance data collection from compromised systems in Ukraine," said Arctic Wolf.
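The collection logic described above (files with targeted extensions modified within the last 45 days, zipped, and split if the archive exceeds 20 MB) is simple enough to emulate on a lab host when building or testing file-monitoring detections. The following is an added example written for this page; it is not GIFTEDCROOK code and is not taken from the Arctic Wolf report. The extension list, the directory layout and the sample files are assumptions constructed for the demo, and nothing is sent anywhere: the script only reproduces the selection and chunking behaviour so that an analyst can see which artifacts a rule would need to catch.

```python
import io
import os
import tempfile
import time
import zipfile
from pathlib import Path

# Assumed extension list for illustration only; the report does not enumerate
# the exact set, it only says spreadsheets and VPN configurations are among them.
TARGET_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".ovpn"}
MAX_AGE_DAYS = 45                      # modification window named in the report
CHUNK_SIZE = 20 * 1024 * 1024          # 20 MB split threshold named in the report


def collect_recent_files(root, now=None, max_age_days=MAX_AGE_DAYS,
                         extensions=TARGET_EXTENSIONS):
    """Return files under root whose suffix is targeted and whose mtime
    falls within the last max_age_days. 'now' is injectable for testing."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for path in Path(root).rglob("*"):
        if (path.is_file()
                and path.suffix.lower() in extensions
                and path.stat().st_mtime >= cutoff):
            hits.append(path)
    return sorted(hits)


def build_archive(paths, root):
    """Pack the selected files into an in-memory ZIP, keeping relative names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            zf.write(p, arcname=p.relative_to(root).as_posix())
    return buf.getvalue()


def split_archive(data, chunk_size=CHUNK_SIZE):
    """Split the archive bytes into chunk_size pieces only when it exceeds
    the threshold; a small archive is returned as a single piece."""
    if len(data) <= chunk_size:
        return [data]
    return [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]


def demo():
    """Build a constructed directory tree, run the collector, and report
    (relative paths selected, archive size, number of chunks)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        now = time.time()

        recent = root / "reports" / "budget.xlsx"      # targeted, recent
        recent.parent.mkdir()
        recent.write_bytes(os.urandom(1024))           # incompressible filler
        vpn = root / "vpn.ovpn"                        # targeted, recent
        vpn.write_text("client\nremote vpn.example.invalid 1194\n")
        stale = root / "old.docx"                      # targeted but 60 days old
        stale.write_bytes(b"x" * 100)
        os.utime(stale, (now - 60 * 86400, now - 60 * 86400))
        (root / "notes.txt").write_text("not a targeted extension")

        found = collect_recent_files(root, now=now)
        archive = build_archive(found, root)
        # A tiny threshold is used here so the demo actually exercises the split path.
        parts = split_archive(archive, chunk_size=512)
        return ([p.relative_to(root).as_posix() for p in found],
                len(archive), len(parts))


if __name__ == "__main__":
    selected, size, n_parts = demo()
    print("selected:", selected)
    print("archive bytes:", size, "chunks:", n_parts)
```

On a real host the detection opportunity is the sequence, not any single step: a burst of reads across user documents filtered by extension, a ZIP written and then rewritten as several same-sized fragments, followed by a batch file that deletes the process image. Running the emulation against a test tree is a quick way to confirm that file-integrity or EDR telemetry surfaces each of those artifacts.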