The Computer Emergency Response Team of Ukraine (CERT-UA) has
warned of phishing attacks that deploy an information-stealing
malware called Jester Stealer on compromised systems.
The mass email campaign carries the subject line “chemical
attack” and contains a link to a macro-enabled Microsoft Excel
file; opening that file infects the computer with Jester Stealer.
The attack, which requires potential victims to enable macros
after opening the document, works by downloading and executing an
.EXE file that is retrieved from compromised web resources, CERT-UA
detailed.
Jester Stealer, which was first documented[1]
by Cyble in February 2022, comes with features to steal and
transmit login credentials, cookies, and credit card information,
along with data from password managers, chat messengers, email
clients, crypto wallets, and gaming apps, to the attackers.
“The hackers get the stolen data via Telegram using statically
configured proxy addresses (e.g., within TOR),” the agency said[2]. “They also use
anti-analysis techniques (anti-VM/debug/sandbox). The malware has
no persistence mechanism — it is deleted as soon as its operation
is completed.”
The Jester Stealer campaign coincides with another phishing
attack that CERT-UA has attributed to the Russian nation-state
actor tracked as APT28 (aka Fancy Bear aka Strontium).
The emails, titled “Кібератака” (meaning cyberattack in
Ukrainian), masquerade as a security notification from CERT-UA and
come with a RAR archive file “UkrScanner.rar” attachment that, when
opened, deploys a malware called CredoMap_v2.
“Unlike prior versions of this stealer malware, this one uses
the HTTP protocol for data exfiltration,” CERT-UA noted[3]. “Stolen authentication
data will be sent to a web resource, deployed on the Pipedream
platform, through HTTP POST requests.”
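As an added illustration (this is not code from CERT-UA, Cyble or the article), the following Python sketch scans constructed mail-gateway log lines for the lure characteristics the two campaigns above share: a “chemical attack” subject paired with a macro-enabled Office file (delivered as an attachment or a link), and a message styled as a CERT-UA notice carrying a RAR archive, with the reported “UkrScanner.rar” name matched directly. The key="value" log format, the timestamps, the sender addresses and the rule names are all assumptions made for the example.

```python
import re

# Constructed mail-gateway log lines (not real telemetry); key="value" pairs, one message per line.
SAMPLE_LOG = """\
ts="2022-05-06T08:01:12Z" from="it-support@example.test" subject="Q2 budget" attach="budget.xlsx" link=""
ts="2022-05-06T08:03:40Z" from="news@example.test" subject="chemical attack" attach="" link="https://example.test/d/report.xlsm"
ts="2022-05-06T08:05:02Z" from="CERT-UA <alerts@example.test>" subject="Кібератака" attach="UkrScanner.rar" link=""
ts="2022-05-06T08:07:55Z" from="hr@example.test" subject="Chemical safety drill" attach="safety.docm" link=""
ts="2022-05-06T08:09:10Z" from="colleague@example.test" subject="photos" attach="holiday.zip" link=""
"""

# Office extensions that can carry VBA macros (the Excel lure in the article is one of these).
MACRO_ENABLED_EXT = {".xlsm", ".xlam", ".docm", ".dotm", ".pptm"}
# Attachment name reported for the APT28 / CredoMap_v2 campaign.
KNOWN_ATTACHMENT = "UkrScanner.rar"

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict (assumed log format)."""
    return dict(FIELD_RE.findall(line))


def ext_of(name_or_url):
    """Lower-cased extension of a file name or of the last path segment of a URL."""
    path = name_or_url.split("?", 1)[0].rstrip("/")
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def classify(event):
    """Return the list of rule names a single mail event matches (empty if none)."""
    subject = event.get("subject", "")
    sender = event.get("from", "")
    attach = event.get("attach", "")
    link = event.get("link", "")
    delivered = [x for x in (attach, link) if x]
    hits = []

    # Rule 1: the Jester Stealer lure, a "chemical attack" subject plus a macro-enabled Office file.
    if "chemical attack" in subject.lower() and any(
        ext_of(x) in MACRO_ENABLED_EXT for x in delivered
    ):
        hits.append("jester-stealer-lure")

    # Rule 2: the CredoMap_v2 lure. Exact attachment name first, then the
    # spoofed CERT-UA notice shape (Ukrainian "cyberattack" subject, RAR archive,
    # sender presenting as CERT-UA) for variants that rename the file.
    if attach.rsplit("/", 1)[-1] == KNOWN_ATTACHMENT:
        hits.append("credomap-attachment-name")
    elif subject == "Кібератака" and ext_of(attach) == ".rar" and "cert-ua" in sender.lower():
        hits.append("credomap-spoofed-cert-ua-notice")
    return hits


def scan(log_text):
    """Scan a whole log, returning (timestamp, rule) pairs for every match."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for rule in classify(event):
            findings.append((event.get("ts", ""), rule))
    return findings


if __name__ == "__main__":
    for ts, rule in scan(SAMPLE_LOG):
        print(f"{ts} {rule}")
```

The benign lines (a plain .xlsx, a “Chemical safety drill” .docm without the lure wording, a .zip) produce no findings, which is the point of pairing the subject text with the delivery vector rather than alerting on either alone; in a real gateway the same checks would sit beside attachment detonation and macro-stripping rather than replace them.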
The disclosures follow similar[4]
findings[5]
from Microsoft’s Digital Security Unit (DSU) and Google’s Threat
Analysis Group (TAG) about Russian state-sponsored hacking crews
carrying out credential and data theft operations in Ukraine.
References
Read more https://thehackernews.com/2022/05/ukrainian-cert-warns-citizens-of-new.html
