Ukrainian CERT Warns Citizens of a New Wave of Attacks Distributing Jester Malware
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of phishing attacks that deploy an information-stealing malware referred to as Jester Stealer on compromised systems.
The mass email campaign carries the subject line "chemical attack" and contains a link to a macro-laced Microsoft Excel file; opening it leads to computers getting infected with Jester Stealer.
The attack, which requires potential victims to enable macros after opening the document, works by downloading and executing an .EXE file that is retrieved from compromised web resources, CERT-UA detailed.
Jester Stealer, as documented by Cyble in February 2022, comes with features to steal and transmit login credentials, cookies, and credit card information along with data from password managers, chat messengers, email clients, crypto wallets, and gaming apps to the attackers. It is available for purchase for $99 per month or $249 for lifetime access.
"The hackers get the stolen data via Telegram using statically configured proxy addresses (e.g., within TOR)," the agency said. "They also use anti-analysis techniques (anti-VM/debug/sandbox). The malware has no persistence mechanism — it is deleted as soon as its operation is completed."
The Jester Stealer campaign coincides with another phishing attack that CERT-UA has attributed to the Russian nation-state actor tracked as APT28 (aka Fancy Bear aka Strontium).
The emails, titled "Кібератака" (meaning cyberattack in Ukrainian), masquerade as a security notification from CERT-UA and include a RAR archive file "UkrScanner.rar" attachment that, when opened, deploys a malware referred to as CredoMap_v2.
"Unlike prior versions of this stealer malware, this one uses the HTTP protocol for data exfiltration," CERT-UA noted. "Stolen authentication data will be sent to a web resource, deployed on the Pipedream platform, via HTTP POST requests."
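As an added example (not from the article or from CERT-UA), the following Python scans constructed web-proxy log lines for the two upload channels described above, HTTP POSTs to the Telegram Bot API and to a Pipedream endpoint, and masks the bot token before reporting a hit. The log format, the sample values and the shape of Pipedream endpoint hostnames are assumptions; Jester traffic routed through TOR would not pass an inspecting proxy, so only the direct HTTP path is visible here.

```python
import re
from collections import namedtuple

# Constructed web-proxy log lines (not from the article): timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2022-05-06T10:01:12Z 10.0.0.21 GET https://www.office.com/ 200
2022-05-06T10:02:40Z 10.0.0.21 POST https://api.telegram.org/bot123456:ABC-DEF_ghi/sendDocument 200
2022-05-06T10:03:05Z 10.0.0.37 POST https://eoabc123xyz.m.pipedream.net/ 200
2022-05-06T10:03:09Z 10.0.0.37 GET https://api.telegram.org/bot123456:ABC-DEF_ghi/getMe 200
2022-05-06T10:04:00Z 10.0.0.44 POST https://example.com/upload 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Upload channels named by CERT-UA: Telegram (Jester Stealer) and Pipedream (CredoMap_v2).
# The Pipedream hostname shape is an assumption about how its HTTP endpoints are named.
EXFIL_PATTERNS = {
    "telegram-bot-api": re.compile(r"^https?://api\.telegram\.org/bot[^/]+/send(Document|Message)", re.I),
    "pipedream-endpoint": re.compile(r"^https?://[a-z0-9-]+\.m\.pipedream\.net(/|$)", re.I),
}
TOKEN_RE = re.compile(r"/bot[^/]+/")

Hit = namedtuple("Hit", "ts src channel url")

def parse_line(line):
    """Split one log line into fields, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def redact_token(url):
    """Mask the Telegram bot token so the alert itself does not carry the attacker's secret."""
    return TOKEN_RE.sub("/bot<redacted>/", url)

def find_exfil(log_text):
    """Return a Hit for every HTTP POST to one of the known stealer upload channels."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue  # the stolen data leaves in a POST; GETs to the same hosts are not the upload
        for channel, pattern in EXFIL_PATTERNS.items():
            if pattern.match(rec["url"]):
                hits.append(Hit(rec["ts"], rec["src"], channel, redact_token(rec["url"])))
    return hits

if __name__ == "__main__":
    for hit in find_exfil(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} {hit.channel} {hit.url}")
```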
The disclosures follow similar findings from Microsoft's Digital Security Unit (DSU) and Google's Threat Analysis Group (TAG) about Russian state-sponsored hacking crews carrying out credential and data theft operations in Ukraine.
Source: https://thehackernews.com/2022/05/ukrainian-cert-warns-citizens-of-new.html