The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of cyber attacks targeting Ukrainian institutions through information-stealing malware. These coordinated assaults specifically aim at military units, law enforcement agencies, and local government bodies, particularly those positioned near Ukraine’s eastern border.

The attack methodology involves the distribution of phishing emails containing macro-enabled Microsoft Excel files (XLSM). Once a recipient opens the document and enables macros, the embedded malicious code runs and deploys two payloads: a PowerShell script sourced from the GitHub repository PSSW100AVB, which establishes a reverse shell connection, and a new, previously undocumented data stealer referred to as GIFTEDCROOK.

According to CERT-UA, the filenames and email subject lines of these phishing attempts reference sensitive topics such as demining efforts, administrative fines, UAV production, and compensation for damaged property. This approach aims to exploit the recipients’ trust and prompt them to enable macros, leading to the installation of the malware without their awareness.

GIFTEDCROOK, written in C/C++, is designed to steal sensitive data from popular web browsers, including Google Chrome, Microsoft Edge, and Mozilla Firefox. It targets critical information such as cookies, browsing histories, and authentication credentials. The emails distributing these malicious documents often originate from compromised accounts and are sent through the web interfaces of email clients, which lends them credibility and helps deceive potential victims.

While CERT-UA has identified the involved actors as belonging to the threat cluster UAC-0226, they have not attributed this specific activity to any particular nation-state. The ongoing campaigns have coincided with the actions of a suspected Russian espionage group known as UNC5837, which was implicated in various phishing operations aimed at European government and military sectors in late 2024.

Notably, the UNC5837 campaign employed signed Remote Desktop Protocol (.RDP) file attachments to connect victims’ machines to attacker-controlled servers. This method diverges from conventional RDP attacks by leveraging resource redirection and RemoteApps to display attacker-controlled applications to victims, thus facilitating data exfiltration and other malicious activities.
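An added example, not taken from the CERT-UA report or from this article: a small Python checker that parses the key:type:value lines of an .rdp attachment and flags the resource-redirection and RemoteApp settings that the technique above relies on. The sample file content is constructed; the setting names are standard mstsc .rdp keys, while the risk descriptions and the helper names are assumptions of this example.

```python
import re

# Standard .rdp setting names that hand local resources to the remote host
# or let the remote host pick the application window shown to the user.
# The risk descriptions are this example's own wording.
RISKY_SETTINGS = {
    "drivestoredirect": "local drives mapped into the remote session",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "local printers exposed to the remote host",
    "redirectsmartcards": "smart cards exposed to the remote host",
    "remoteapplicationmode": "RemoteApp mode: remote host controls the window shown",
}

# Constructed sample: what a weaponised .rdp attachment's settings could look like.
SAMPLE_RDP = """full address:s:rdp.example.invalid
remoteapplicationmode:i:1
remoteapplicationprogram:s:||SampleApp
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
signscope:s:Full Address,RemoteApplicationMode
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

def parse_rdp(text):
    """Parse 'key:type:value' lines (type is i, s or b) into a lowercase-key dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([isb]):(.*)$", line.rstrip("\r"))
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings

def assess_rdp(text):
    """Return (key, value, reason) findings for settings that expose the victim."""
    settings = parse_rdp(text)
    findings = []
    for key, reason in RISKY_SETTINGS.items():
        value = settings.get(key)
        # Empty string and "0" mean disabled; "*" or "1" or a drive list enable it.
        if value is not None and value not in ("", "0"):
            findings.append((key, value, reason))
    if "remoteapplicationprogram" in settings:
        findings.append(("remoteapplicationprogram", settings["remoteapplicationprogram"],
                         "RemoteApp program chosen by the file's author"))
    return findings

def is_signed(text):
    """A signature only proves who published the file, not that its settings are safe."""
    return "signature" in parse_rdp(text)
```

A signed file still passes through this check: the signature block is parsed like any other setting and does not suppress findings.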

The incidents described fall under several tactics outlined in the MITRE ATT&CK framework, including initial access through phishing, persistence via malware installation, and exfiltration of sensitive information. The use of GIFTEDCROOK aligns with techniques focused on data theft, specifically the collection of user credentials and authentication tokens, which remain a high-value target as organizations continue to navigate a complex digital landscape.

In addition to these developments, various phishing campaigns have recently employed fake CAPTCHAs and Cloudflare Turnstile to distribute the Legion Loader malware. This tactic serves as a conduit for delivering a malicious Chromium-based browser extension designed to capture a range of sensitive user information.

The initial infection vector is a drive-by download: victims are lured to malicious websites through deceptive document searches. Once on the site and exposed to the malware, victims unknowingly open their systems to further exploitation, ultimately leading to comprehensive data theft, all carried out without their knowledge.

As cyber threats continue to evolve, understanding the tactics employed in these attacks is essential for business owners looking to safeguard valuable data. The implications of such breaches could be significant, particularly given the geopolitical context in which these attacks are occurring. Equipped with this knowledge, organizations can take proactive measures to fortify their cybersecurity postures.