UAC-0226 Tooling Evolution from WinRAR ADS to Reflective GIFTEDCROOK Loading
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The UAC-0226 threat actor has refined its delivery chain by abusing a WinRAR path traversal flaw together with NTFS Alternate Data Streams to establish quiet persistence. The campaign relies on a multi-stage PowerShell loader to deploy a headerless reflective PE payload known as GIFTEDCROOK. The malware is designed to collect browser credentials, VPN configuration data, and sensitive documents from compromised systems.
Investigation
The analysis breaks down a complex execution flow built around a weaponized WinRAR archive, a decoy PDF, and a hidden LNK file placed in the Windows Startup folder. Researchers identified a custom additive decoding routine and an advanced reflective loader that maps a DLL directly into memory. Telemetry also showed the loader reporting execution status to its command-and-control server through a custom 16-byte structure.
Mitigation
Organizations should prioritize updating WinRAR to address path traversal weaknesses. Enforcing strict PowerShell execution policies and monitoring for unusual NTFS Alternate Data Stream activity can help disrupt the early stages of compromise. Security teams should also watch for unauthorized files dropped into Startup folders and suspicious memory allocation behavior such as NtAllocateVirtualMemory.
Response
If this activity is detected, isolate the affected hosts immediately to prevent further data exfiltration. Inspect the C:\ProgramData directory for suspicious extensionless files and review the user’s Startup folder for unauthorized LNK shortcuts. Memory forensics should be performed to identify reflective DLLs, and network logs should be checked for communication with the identified command-and-control infrastructure.
"flowchart TD step_user_execution["T1204.002 u2013 User Execution: Malicious File: Victim interacts with weaponized WinRAR archive containing decoy PDF."] step_hijack_execution["T1574 u2013 Hijack Execution Flow: WinRAR path traversal and NTFS ADS used to drop malicious .lnk into Startup directory."] step_autostart["T1547.001 u2013 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: Shortcut triggers minimized PowerShell process."] step_reflective_loading["T1620 u2013 Reflective Code Loading: Obfuscated PowerShell loader uses .NET reflection to execute headerless PE in memory."] rules_for_reflective_loading("<b>Rule Name</b>: The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)<br/><b>Rule ID</b>: 1f6b7314-c1ee-4208-922b-bb7c6167dc77") step_credential_access["T1555.003 u2013 Credentials from Password Stores: Credentials from Web Browsers: Stealer extracts data from Chromium and Firefox."] step_unsecured_credentials["T1552.001 u2013 Unsecured Credentials: Credentials In Files: Searching for .ovpn, .kdbx, and .jks files."] step_exfiltration["T1074 u2013 Data Staged: Data is zipped in user profile and exfiltrated to C2 (142.111.194[.]73:8640) via HTTPS."] step_user_execution –>|leads_to| step_hijack_execution step_hijack_execution –>|enables| step_autostart step_autostart –>|triggers| step_reflective_loading step_reflective_loading –>|executes| step_credential_access step_credential_access –>|then| step_unsecured_credentials step_unsecured_credentials –>|leads_to| step_exfiltration step_reflective_loading -.->|detected_by| rules_for_reflective_loading "
Attack Flow
Detections
Possible Delayed Execution Behavior (via cmdline)
View
Potential Malware Self-Removal or Stderr Concealment Operation (via cmdline)
View
The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
View
Minimized Command Prompt Launching Hidden PowerShell Process [Windows Process Creation]
View
Detect PowerShell Execution for UAC-0226 Campaign [Windows Powershell]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary aims to deploy a stealer payload. To minimize footprint and evade user interaction, they stage a payload in
C:ProgramDataWC3. They then invoke PowerShell with a set of “living-off-the-land” flags designed to bypass execution policies and hide the window from the user. The command will useiex(Invoke-Expression) to execute a command that references the staged file, simulating the reflective loading behavior of the UAC-0226 campaign. -
Regression Test Script:
# 1. Setup: Create the specific directory used in the detection rule $targetDir = "C:ProgramDataWC3" if (!(Test-Path $targetDir)) { New-Item -Path $targetDir -ItemType Directory -Force } # 2. Create a dummy payload file to satisfy the path requirement $dummyFile = "$targetDirpayload.ps1" "Write-Output 'Simulated Malicious Payload'" | Out-File -FilePath $dummyFile -Encoding ascii # 3. Execute the malicious command chain (This should trigger the rule) # We use Start-Process to ensure the command line is captured as a new process Start-Process powershell.exe -ArgumentList "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command ""iex (Get-Content $dummyFile)""" -WindowStyle Hidden Write-Host "[+] Simulation command executed. Check your SIEM for the alert." -
Cleanup Commands:
# Remove the directory and dummy files created during simulation Remove-Item -Path "C:ProgramDataWC3" -Recurse -Force -ErrorAction SilentlyContinue Write-Host "[+] Cleanup complete."