Uncovering UAC-0226: How GiftedCrook Stealer Exploits Excel Files to Breach Security in Ukraine
containing malicious Excel files, and are reported to be the work of a nefarious campaign dubbed UAC-0226.
Cyber Espionage at Play
The sophisticated threat group, UAC-0226, also known as Turla, Venomous Bear, or Waterbug, has been on the radar of international cybersecurity agencies for quite some time.
The group's hallmark is state-sponsored cyber-espionage against targets of strategic importance.
Over the past week, the group reportedly launched a new campaign in which it deployed a new variant of info-stealer malware, GIFTEDCROOK.
Distribution: Crafty Phishing Tactics
In this new attack, the adversaries leverage spear phishing emails impersonating known military institutions.
Attached to the emails are malicious Excel files containing a hidden macro script.
The email creates a sense of urgency to encourage the recipient to open the Excel file.
Mechanics of GIFTEDCROOK Malware
Once the victim opens the file and enables macros, the hidden Visual Basic for Applications (VBA) script executes.
This initiates a multi-stage infection chain in which the GIFTEDCROOK malware is downloaded and installed on the target system.
Its main purpose is information theft: it allows the threat actor to exfiltrate sensitive data such as login credentials and confidential documents.
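As an added defender-side example, not code from the original article or from any CERT report: the attachments described above arrive as Office Open XML workbooks, which are zip containers that store a compiled VBA project under xl/vbaProject.bin. The check below, written here for illustration, is the kind of triage a mail gateway could run on an Excel attachment before it reaches a user; the function names inspect_workbook and build_sample_workbook and the in-memory sample workbooks are assumptions constructed for this example, not real files from the campaign.

```python
import io
import zipfile

# Header of an OLE2 compound file, the container behind legacy binary .xls workbooks.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Excel declares for the main part of a macro-enabled (.xlsm) workbook.
MACRO_MAIN_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def inspect_workbook(data: bytes) -> dict:
    """Classify an Excel attachment and report whether it embeds a VBA project."""
    if data.startswith(OLE2_MAGIC):
        # Legacy .xls: macros live inside OLE streams and need a dedicated OLE parser.
        return {"format": "ole2", "has_vba": None, "reasons": ["legacy binary workbook, needs OLE parser"]}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
    except zipfile.BadZipFile:
        return {"format": "unknown", "has_vba": None, "reasons": ["not an Office Open XML container"]}
    reasons = []
    # A compiled VBA project is stored as xl/vbaProject.bin; compare case-insensitively.
    if any(n.lower() == "xl/vbaproject.bin" for n in names):
        reasons.append("xl/vbaProject.bin present")
    # The manifest declares the macro-enabled main part even if the file was renamed to .xlsx.
    if MACRO_MAIN_TYPE in manifest:
        reasons.append("macro-enabled main part declared in [Content_Types].xml")
    return {"format": "ooxml", "has_vba": bool(reasons), "reasons": reasons}


def build_sample_workbook(with_macro: bool) -> bytes:
    """Construct a minimal OOXML workbook in memory (constructed sample input, not a real Excel file)."""
    main_type = MACRO_MAIN_TYPE if with_macro else PLAIN_MAIN_TYPE
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/xl/workbook.xml" ContentType="{main_type}"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder, not real VBA\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("clean", build_sample_workbook(False)), ("macro", build_sample_workbook(True)),
               ("legacy", OLE2_MAGIC + b"\x00" * 8)]
    for label, blob in samples:
        print(label, inspect_workbook(blob))
```

A positive result only says the attachment can run code when macros are enabled; sandbox detonation or an OLE/VBA parser is still needed to see what the macro does.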
Recommendations for Safety
Adopting practical precautions is key to staying protected from such sophisticated attacks.
These include:
- Practising caution with emails from unknown sources and meticulously verifying the authenticity of the sender’s domain.
- Refraining from enabling macros in unsolicited files, since this is a common method of executing malicious code.
- Regularly updating antivirus software and keeping up with security patches to prevent well-known vulnerabilities from being exploited.
- Training staff on cyber hygiene and the potential risks of phishing attacks.
Collaboration Is Key
Cybersecurity is not an individual struggle but a collective responsibility.
Sharing threat intelligence between institutions and countries is vital in creating effective countermeasures against such persistent and sophisticated cyber threats.