Ukraine’s Computer Emergency Response Team (CERT-UA) has warned of a wave of phishing emails that deliver an information-stealing malware known as Jester Stealer. The malware is distributed through a mass email campaign aimed at compromising the systems of unsuspecting recipients.
The phishing emails, sent with the subject line “chemical attack,” contain links to Microsoft Excel files with embedded macros. A user who opens one of the documents is prompted to enable macros; if they do, the macro downloads an .EXE file from a compromised web resource and executes it.
The infection chain therefore hinges on the recipient enabling macros: without that step the payload is never fetched. CERT-UA’s write-up describes this sequence and stresses the user action as the pivotal point of the attack.
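Because the whole chain turns on a macro-bearing Excel attachment, the first practical check a mail-gateway or triage analyst wants is whether an Office file actually carries a VBA project before any user sees the "enable macros" prompt. The following is an added example, not CERT-UA’s or Cyble’s code; it relies only on the documented Office Open XML container layout (a zip in which a VBA project is stored as `xl/vbaProject.bin`, `word/vbaProject.bin` or `ppt/vbaProject.bin` and is declared in `[Content_Types].xml` with the `application/vnd.ms-office.vbaProject` type). The sample workbooks it builds are constructed placeholders, not real Excel files.

```python
"""Triage Office Open XML attachments for embedded VBA macro projects.

Added example, not CERT-UA's or Cyble's code. It relies only on the documented
OOXML container layout: a zip archive in which a VBA project, if present, is
stored as 'xl/vbaProject.bin' (Excel), 'word/vbaProject.bin' (Word) or
'ppt/vbaProject.bin' (PowerPoint) and is declared in [Content_Types].xml with
the 'application/vnd.ms-office.vbaProject' content type.
"""
import io
import os
import zipfile
from typing import List

VBA_PARTS = {"xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin"}
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Office itself will not save a VBA project into these formats, so a macro
# project inside one of them is a mismatch worth a closer look.
MACRO_FREE_EXTENSIONS = {".xlsx", ".docx", ".pptx"}


def has_vba_macros(data: bytes) -> bool:
    """Return True if the OOXML container carries a VBA project (by part name or content type)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if names & VBA_PARTS:
                return True
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        return False  # not an OOXML container at all (legacy .xls, plain text, ...)
    return False


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return human-readable findings for one attachment; an empty list means no macro project."""
    findings = []
    if has_vba_macros(data):
        findings.append("contains VBA macro project")
        ext = os.path.splitext(filename)[1].lower()
        if ext in MACRO_FREE_EXTENSIONS:
            findings.append(f"macro project inside a {ext} container, which Office never produces")
    return findings


def build_sample_workbook(with_macros: bool) -> bytes:
    """Constructed sample: a minimal zip shaped like an Excel workbook (not a real Excel file)."""
    main_type = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if with_macros
                 else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    ct = ['<?xml version="1.0" encoding="UTF-8"?>',
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
          f'<Override PartName="/xl/workbook.xml" ContentType="{main_type}"/>']
    if with_macros:
        ct.append(f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    ct.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "\n".join(ct))
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Placeholder bytes standing in for the OLE-packaged VBA project.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("report.xlsm", build_sample_workbook(True)),
                       ("report.xlsx", build_sample_workbook(True)),
                       ("report.xlsx", build_sample_workbook(False))]:
        print(name, triage_attachment(name, blob) or ["no macro project"])
```

The check is deliberately structural rather than signature-based: it does not try to parse or score the VBA itself, which is what a tool such as olevba does, but it is cheap enough to run on every inbound attachment and catches the case that matters here, a spreadsheet that would prompt the user to enable macros at all.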
Jester Stealer, first documented by Cyble in February 2022, can extract sensitive information including login credentials, cookies, and credit card details, and it harvests data from password managers, messaging platforms, email clients, cryptocurrency wallets, and gaming applications. The malware is sold on the dark web on a subscription basis, at $99 per month or $249 for lifetime access.
CERT-UA also describes the exfiltration path: the stolen data is sent to the attackers over Telegram, routed through static proxy addresses, some of them within the TOR network. The malware incorporates anti-analysis measures intended to hinder detection and reverse engineering. Notably, Jester Stealer establishes no persistence on the infected system; it deletes itself once it has finished collecting data.
The disclosure coincides with a separate phishing campaign that CERT-UA attributes to a Russian state-sponsored actor known as APT28 (also referred to as Fancy Bear or Strontium). Those emails, with the subject “Кібератака” (Ukrainian for “cyberattack”), impersonate security notifications from CERT-UA and carry a RAR archive named “UkrScanner.rar.” Opening the archive leads to the execution of a different malware, CredoMap_v2.
Unlike earlier versions of that stealer, this variant exfiltrates over HTTP: according to CERT-UA, the harvested authentication data is sent in HTTP POST requests to a web resource hosted on the Pipedream platform.
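Both exfiltration paths described above, Jester Stealer’s Telegram channel via proxies and TOR, and CredoMap_v2’s HTTP POSTs to a Pipedream-hosted endpoint, leave traces in outbound-connection telemetry that a SOC can hunt for without any sample in hand. The following is an added example of such detection logic, not CERT-UA’s own; it runs over a constructed JSON-lines proxy/EDR export (fields `ts`, `proc`, `method`, `host`, `port`, `bytes_out`). The Telegram Bot API hostname, the hostname suffix of Pipedream request endpoints, the default Tor SOCKS ports and the allowlist of legitimate Telegram client process names are all assumptions, marked in the code; none of the hosts or process names in the sample log come from the article.

```python
"""Flag outbound connections matching the exfiltration paths described above.

Added example, not CERT-UA's detection logic. The log format is a constructed
JSON-lines proxy/EDR export (fields: ts, proc, method, host, port, bytes_out).
Assumptions are marked inline: the Telegram Bot API hostname, the hostname
suffix of Pipedream-hosted endpoints, the default Tor SOCKS ports, and the
allowlist of legitimate Telegram client process names.
"""
import json
from typing import Dict, Iterable, List

TELEGRAM_API_HOST = "api.telegram.org"   # assumption: host used by Telegram Bot API clients
PIPEDREAM_SUFFIX = ".m.pipedream.net"    # assumption: suffix of Pipedream-hosted request endpoints
TOR_SOCKS_PORTS = {9050, 9150}           # default SOCKS ports of the tor daemon and Tor Browser
TELEGRAM_CLIENTS = {"telegram.exe"}      # assumption: processes allowed to talk to Telegram

# Constructed sample log; none of these hosts or processes come from the article.
SAMPLE_LOG = """
{"ts": "2022-05-06T09:12:01Z", "proc": "chrome.exe", "method": "GET", "host": "www.example.com", "port": 443, "bytes_out": 512}
{"ts": "2022-05-06T09:12:07Z", "proc": "Telegram.exe", "method": "POST", "host": "api.telegram.org", "port": 443, "bytes_out": 2048}
{"ts": "2022-05-06T09:13:40Z", "proc": "update.exe", "method": "POST", "host": "api.telegram.org", "port": 443, "bytes_out": 184320}
{"ts": "2022-05-06T09:13:52Z", "proc": "update.exe", "method": "CONNECT", "host": "127.0.0.1", "port": 9050, "bytes_out": 96}
{"ts": "2022-05-06T09:20:15Z", "proc": "scanner.exe", "method": "POST", "host": "example123.m.pipedream.net", "port": 443, "bytes_out": 40960}
"""


def classify_event(ev: Dict) -> List[str]:
    """Return the reasons an event looks like stealer exfiltration (empty list if none)."""
    proc = str(ev.get("proc", "")).lower()
    host = str(ev.get("host", "")).lower()
    reasons = []
    # Jester Stealer path: Telegram API traffic from something that is not a messenger client.
    if host == TELEGRAM_API_HOST and proc not in TELEGRAM_CLIENTS:
        reasons.append("Telegram API traffic from a non-messenger process")
    # CredoMap_v2 path: HTTP POST to a Pipedream-hosted endpoint.
    if ev.get("method") == "POST" and host.endswith(PIPEDREAM_SUFFIX):
        reasons.append("HTTP POST to a Pipedream-hosted endpoint")
    # Proxying through TOR: a connection to a local Tor SOCKS listener.
    if ev.get("port") in TOR_SOCKS_PORTS:
        reasons.append("connection to a Tor SOCKS port")
    return reasons


def detect_exfil(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines events and return one alert per event that matches a rule."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole sweep
        reasons = classify_event(ev)
        if reasons:
            alerts.append({"ts": ev.get("ts"), "proc": ev.get("proc"),
                           "host": ev.get("host"), "bytes_out": ev.get("bytes_out", 0),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(SAMPLE_LOG.splitlines()):
        print(f'{a["ts"]} {a["proc"]} -> {a["host"]} ({a["bytes_out"]} B): {"; ".join(a["reasons"])}')
```

The Telegram rule is the noisy one: legitimate bots and automation also post to the Bot API, so in practice the allowlist is tuned per environment and the alert is weighted by `bytes_out` and by whether the process is signed or freshly dropped. The Pipedream and Tor rules are much more specific and rarely fire on a workstation for a benign reason.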
These findings are consistent with earlier reports from Microsoft’s Digital Security Unit and Google’s Threat Analysis Group describing credential- and data-theft operations by Russian state-sponsored actors against targets in Ukraine. The persistence of such intrusions calls for vigilant defensive practices in businesses and organizations as the malware tactics continue to evolve.