UAC-0226 GIFTEDCROOK: WinRAR ADS Attack Steals Browser Data

The Ukrainian cyber threat group UAC-0226 has deployed a sophisticated attack chain dubbed GIFTEDCROOK that exploits WinRAR’s Alternate Data Streams (ADS) handling to deliver a multi-stage malware infection. The campaign leverages reflective DLL loading techniques to deploy an information stealer targeting browser credentials, session tokens, and cryptocurrency wallet data. The attack demonstrates advanced evasion capabilities through legitimate Windows features and fileless execution methods, making detection significantly more challenging for traditional security solutions.

Introduction

Security researchers have uncovered a novel attack methodology employed by UAC-0226, utilizing WinRAR’s processing of Windows Alternate Data Streams as an initial infection vector. This campaign represents a concerning evolution in attack sophistication, combining legitimate operating system features with reflective loading techniques to establish persistent access while evading endpoint detection. The GIFTEDCROOK toolchain specifically targets web browser data, including stored credentials, authentication cookies, and cryptocurrency wallet extensions—high-value assets for both espionage and financial gain operations.

The technique exploits the way WinRAR handles NTFS Alternate Data Streams during archive extraction, allowing attackers to hide malicious payloads within seemingly benign file structures. When combined with reflective DLL injection, the attack maintains an almost entirely memory-resident footprint, bypassing many file-based detection mechanisms.

Background & Context

UAC-0226 has been tracked as a persistent threat actor with suspected connections to operations targeting Ukrainian entities. The group has demonstrated consistent technical evolution in their tooling and methodologies, adapting to defensive measures with increasing sophistication.

Alternate Data Streams (ADS) are a feature of the NTFS file system that allows multiple data streams to be associated with a single file. While legitimate uses include storing metadata, ADS has long been abused by malware authors to hide malicious code. When a file is extracted from an archive, the ADS can be written to disk without triggering alerts from security software that only scans the primary data stream.

WinRAR, one of the most widely deployed archive utilities globally, processes ADS during extraction operations. This behavior, while technically correct according to NTFS specifications, creates an opportunity for threat actors to embed malicious payloads that survive the extraction process while remaining largely invisible to cursory inspection.

Reflective DLL loading is an advanced technique that loads a Dynamic Link Library directly into a process’s memory without using the Windows loader. This bypasses standard DLL loading mechanisms that security products typically monitor, making detection substantially more difficult.

Technical Breakdown

The GIFTEDCROOK attack chain executes through multiple distinct stages, each designed to evade specific detection layers:

Stage 1: Initial Delivery

The attack begins with a specially crafted RAR archive delivered through phishing or compromised websites. The archive contains files with embedded Alternate Data Streams carrying malicious payloads. When extracted with WinRAR, the ADS content is written to the NTFS file system alongside the primary file.

Stage 2: Execution Trigger

A decoy document or executable within the archive serves as the trigger mechanism. When the victim opens this file, it contains code that accesses the ADS-hidden payload:

type document.pdf:hidden.dll > %TEMP%\system.tmp
rundll32.exe %TEMP%\system.tmp,EntryPoint

The colon notation file:stream accesses the alternate data stream, extracting the hidden DLL to a temporary location.

Stage 3: Reflective Loading

Rather than using traditional DLL loading, the initial loader implements reflective injection to map the main GIFTEDCROCK payload directly into memory:

// Pseudocode representation
LPVOID memoryAddress = VirtualAlloc(NULL, dllSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(memoryAddress, dllBuffer, dllSize);
ResolveImports(memoryAddress);
ExecuteDllMain(memoryAddress);

This technique avoids creating additional files on disk and bypasses security hooks monitoring standard LoadLibrary API calls.

Stage 4: Data Exfiltration

The GIFTEDCROOK payload targets multiple browsers including Chrome, Edge, Firefox, and Brave. It extracts:

  • Login credentials from browser password managers
  • Session cookies for authenticated sessions
  • Autofill data including payment information
  • Cryptocurrency wallet extension data

The stealer creates an in-memory SQLite connection to browser databases:

SELECT origin_url, username_value, password_value 
FROM logins 
WHERE blacklisted_by_user = 0

Extracted data is encrypted using a custom XOR-based algorithm before exfiltration to attacker-controlled infrastructure.

Impact & Risk Assessment

The GIFTEDCROOK campaign presents significant risks across multiple dimensions:

Credential Compromise: Stolen browser credentials provide immediate access to corporate resources, cloud platforms, and personal accounts. The average user stores 60-100 passwords in browser managers, representing extensive lateral movement opportunities.

Session Hijacking: Extracted authentication cookies allow attackers to impersonate legitimate users without requiring passwords, bypassing multi-factor authentication in many implementations.

Financial Impact: Cryptocurrency wallet targeting enables direct financial theft. Browser-based wallets like MetaMask contain keys that, once compromised, allow irreversible fund transfers.

Detection Difficulty: The combination of ADS abuse and reflective loading creates minimal forensic artifacts. Standard endpoint detection relies heavily on file creation events and DLL load monitoring—both largely bypassed by this methodology.

Supply Chain Implications: If deployed against organizations with access to customer data or downstream partners, the breach scope could extend well beyond the initial victim.

Organizations in financial services, cryptocurrency, government sectors, and any entity handling sensitive authentication credentials face elevated risk from this attack pattern.

Vendor Response

WinRAR’s developer RARLAB has been notified of the ADS-based attack methodology. The behavior of preserving Alternate Data Streams during extraction is technically correct according to NTFS specifications, making this more of a feature exploitation than a vulnerability in the traditional sense.

Microsoft has documented the inherent security considerations of ADS in NTFS and provides guidance for administrators to monitor and restrict ADS usage in high-security environments. However, disabling ADS entirely can break legitimate functionality in various applications.

Security vendors have begun updating their detection signatures to identify GIFTEDCROOK-specific indicators, though the reflective loading component requires behavioral detection rather than signature-based approaches.

Browser vendors continue to enhance their credential storage security, with Chrome and Edge implementing additional encryption layers and hardware-backed key storage on supported systems. These improvements increase the difficulty of credential extraction but don’t eliminate the risk entirely.

Mitigations & Workarounds

Organizations should implement multiple defensive layers to protect against GIFTEDCROOK-style attacks:

Archive Handling Policies

Implement application control to restrict archive extraction to managed solutions with enhanced security monitoring:

# PowerShell AppLocker policy to restrict WinRAR execution
New-AppLockerPolicy -RuleType Publisher -User "Everyone" -RuleNamePrefix "Block_WinRAR" -Deny

ADS Monitoring and Removal

Deploy scripts to identify and optionally remove alternate data streams from downloaded files:

Get-ChildItem -Recurse | ForEach-Object {
    Get-Item $_.FullName -Stream * | Where-Object Stream -ne ':$DATA' | 
    Select-Object FileName, Stream
}

Browser Security Hardening

Configure browsers to require OS-level authentication before accessing stored credentials:

# Chrome/Edge policy
{
  "PasswordManagerEnabled": true,
  "PasswordManagerAuthenticationMode": 2
}

Memory Execution Prevention

Enable Attack Surface Reduction (ASR) rules to block suspicious memory allocation patterns:

Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49e8-8b27-eb1d0a1ce869 -AttackSurfaceReductionRules_Actions Enabled

Network Segmentation

Restrict outbound connections from user workstations to limit exfiltration opportunities.

Detection & Monitoring

Security teams should implement the following detection strategies:

Sysmon Configuration

Monitor for ADS access patterns:


  
    :
  

EDR Behavioral Rules

Configure behavioral detection for:

  • Processes accessing multiple browser profile directories sequentially
  • Memory allocations with RWX permissions followed by remote thread creation
  • SQLite database access from non-browser processes

Network Indicators

Monitor for:

  • Unusual outbound connections to recently registered domains
  • Large POST requests containing base64 or encrypted data
  • Connection patterns consistent with exfiltration (burst transfers after hours)

PowerShell Hunting Query

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=15} | 
Where-Object {$_.Message -match "TargetFilename.:.:"} |
Select-Object TimeCreated, Message

Best Practices

User Education

Train users to recognize phishing attempts and suspicious archive files. Emphasize the risks of extracting archives from untrusted sources.

Least Privilege

Operate with standard user accounts rather than administrative privileges. This limits the persistence mechanisms available to malware.

Credential Management

Migrate from browser-based password managers to enterprise solutions with enhanced security controls and centralized monitoring.

Multi-Factor Authentication

Deploy phishing-resistant MFA methods like FIDO2/WebAuthn that bind authentication to specific domains, preventing stolen session reuse.

Regular Security Assessments

Conduct purple team exercises simulating ADS-based attacks and reflective loading to validate detection capabilities.

Patch Management

Maintain current browser versions and security updates to ensure the latest credential protection mechanisms are active.

Data Loss Prevention

Implement DLP solutions that can detect and block transmission of structured data resembling credential databases or authentication tokens.

Key Takeaways

  • UAC-0226’s GIFTEDCROOK campaign demonstrates sophisticated abuse of legitimate Windows features (ADS) combined with advanced evasion techniques (reflective loading)
  • The attack specifically targets high-value browser-stored data including credentials, session cookies, and cryptocurrency wallets
  • Detection requires behavioral analysis rather than traditional signature-based approaches due to the minimal file-system footprint
  • Organizations should implement defense-in-depth strategies including archive handling controls, ADS monitoring, and browser hardening
  • The campaign highlights the ongoing evolution of threat actor TTPs and the need for adaptive security programs
  • Memory-based execution techniques continue to challenge traditional endpoint protection solutions
  • User education and technical controls must work in concert to effectively mitigate these advanced threats

Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.
📧 Subscribe to our newsletter at https://cydhaal.com/newsletter/


Leave a Reply

Your email address will not be published. Required fields are marked *

📢 Join Telegram