Ukrainian CERT warns citizens about a new wave of attacks spreading Jester malware

Ukrainian CERT warns citizens about a new wave of attacks spreading Jester malware

11. May 2022 0 By Horst Buchwald

Ukrainian CERT warns citizens about a new wave of attacks spreading Jester malware

Kiev, 11.5.2022

Ukraine’s Computer Emergency Response Team (CERT-UA) has warned of phishing attacks using a malware called Jester Stealer on compromised systems to steal information.

The mass email campaign carries the subject line “Chemical Attack” and includes a link to a macro-laced Microsoft Excel file that, when opened, causes computers to become infected with Jester Stealer.

The attack, which requires potential victims to activate macros after opening the document, works by downloading and running an EXE file retrieved from compromised Web resources, CERT-UA said.

Jester Stealer, documented by Cyble in February 2022, has capabilities to steal and transmit credentials, cookies and credit card information, as well as data from password managers, chat messengers, email clients, crypto wallets and gaming apps to attackers. It can be purchased for $99 per month or $249 for lifetime access.

“The hackers obtain the stolen data through Telegram using statically configured proxy addresses (e.g., within TOR),” the agency said. “They also use anti-analysis techniques (anti-VM/debug/sandbox). The malware has no persistence mechanism – it is deleted as soon as its operation is complete.

The Jester Stealer campaign coincides with another phishing attack that CERT-UA attributes to Russian nation-state APT28 (also known as Fancy Bear or Strontium).

The emails, titled “Кібератака” (which means “cyber attack” in Ukrainian), pose as a security message from CERT-UA and include a RAR archive file “UkrScanner.rar” in the attachment, which installs a malware called CredoMap_v2 when opened.

“Unlike previous versions of this stealer malware, this one uses the HTTP protocol for data exfiltration,” CERT-UA said. “Stolen authentication data is sent via HTTP POST requests to a web resource deployed on the Pipedream platform.”

The revelations follow similar findings by Microsoft’s Digital Security Unit (DSU) and Google’s Threat Analysis Group (TAG) about Russian state-sponsored hackers conducting credential and data theft operations in Ukraine.

 

Hits: 17