The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of phishing attacks that deploy an information-stealing malware called Jester Stealer on compromised systems.
The mass email campaign uses the subject line “chemical attack” and carries a link to a macro-laced Microsoft Excel file; opening the file and enabling its macros infects the machine with Jester Stealer.
The macro, once enabled, downloads an .EXE payload from compromised web resources and executes it, CERT-UA detailed. The chain therefore hinges on two user actions, opening the lure and approving macro execution, which is why macro-blocking policies and monitoring of Office applications that spawn child processes are the first lines of defence.
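The macro-to-executable chain above is visible in endpoint process-creation telemetry: an Office application spawning a freshly dropped binary from a user-writable directory. The following detector is an added example written for this page, not code from CERT-UA or Cyble. It runs over constructed, Sysmon-style JSON event lines (not real telemetry, and the file names in them are invented), and it generalizes beyond the Excel lure described here to the other common Office parents, either launching the dropped binary directly or through a shell whose command line references it. The directory markers and parent-process list are assumptions to tune per environment.

```python
import json
from pathlib import PureWindowsPath

# Office hosts whose child processes deserve scrutiny (assumed list; extend as needed).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Locations a macro can write to without elevation (assumed markers, lower-case,
# single backslashes). A dropped payload executed from one of these is the signal.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "\\users\\public\\",
)

# Constructed sample events in a Sysmon EventID 1 shape. These are not real logs.
SAMPLE_LOG_LINES = [
    # 1. Excel launches a dropped binary directly: should fire.
    r'{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", '
    r'"Image": "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe", '
    r'"CommandLine": "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe"}',
    # 2. Excel spawns a legitimate print helper from System32: benign, should not fire.
    r'{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", '
    r'"Image": "C:\\Windows\\System32\\splwow64.exe", "CommandLine": "splwow64.exe 12288"}',
    # 3. Explorer launches an installer from Downloads: user action, not an Office parent.
    r'{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", '
    r'"Image": "C:\\Users\\user\\Downloads\\setup.exe", "CommandLine": "setup.exe"}',
    # 4. Word runs cmd.exe whose command line references a dropped binary: should fire.
    r'{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", '
    r'"Image": "C:\\Windows\\System32\\cmd.exe", '
    r'"CommandLine": "cmd.exe /c \"C:\\Users\\user\\AppData\\Roaming\\svc.exe\""}',
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching is case-insensitive."""
    return PureWindowsPath(path).name.lower()


def _references_user_writable(text: str) -> bool:
    """True if the path or command line points into a user-writable directory."""
    lowered = text.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def is_suspicious(event: dict) -> bool:
    """Flag an Office parent executing something out of a user-writable location.

    Two shapes are covered: the child image itself lives in such a directory
    (direct execution of the download), or the child is an interpreter/shell
    whose command line names a binary there (indirect execution).
    """
    if event.get("EventID") != 1:
        return False
    if _basename(event.get("ParentImage", "")) not in OFFICE_PARENTS:
        return False
    if _references_user_writable(event.get("Image", "")):
        return True
    return _references_user_writable(event.get("CommandLine", ""))


def detect(log_lines):
    """Parse JSON event lines and return the events that match the rule."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than crash the pipeline
        if is_suspicious(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG_LINES):
        print(f"ALERT parent={hit['ParentImage']} child={hit['Image']} cmd={hit['CommandLine']}")
```

The rule deliberately keys on the parent/child relationship plus the drop location rather than on any file name or hash, since a stealer sold as a service is repackaged constantly; the cost is that legitimate add-ins installed per-user under AppData will need an allow-list entry.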
Jester Stealer, as documented by Cyble in February 2022, is built to harvest login credentials, cookies, and credit card data, along with data from password managers, chat messengers, email clients, cryptocurrency wallets, and gaming apps, and transmit it to the attackers. It is sold for $99 per month or $249 for lifetime access.
“The hackers get the stolen data via Telegram using statically configured proxy addresses (e.g., within TOR),” the agency said. “They also use anti-analysis techniques (anti-VM/debug/sandbox). The malware has no persistence mechanism — it is deleted as soon as its operation is completed.”
The Jester Stealer campaign coincides with another phishing attack that CERT-UA has attributed to the Russian nation-state actor tracked as APT28 (aka Fancy Bear aka Strontium).
The emails, titled “Кібератака” (meaning cyberattack in Ukrainian), masquerade as a security notification from CERT-UA and come with a RAR archive file “UkrScanner.rar” attachment that, when opened, deploys a malware called CredoMap_v2.
“Unlike prior versions of this stealer malware, this one uses the HTTP protocol for data exfiltration,” CERT-UA noted. “Stolen authentication data will be sent to a web resource, deployed on the Pipedream platform, through the HTTP POST requests.”
The disclosures follow similar findings from Microsoft’s Digital Security Unit (DSU) and Google’s Threat Analysis Group (TAG) about Russian state-sponsored hacking crews carrying out credential and data theft operations in Ukraine.