The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of phishing attacks that deploy an information-stealing malware known as Jester Stealer on compromised systems.
The mass email campaign carries the subject line "chemical attack" and contains a link to a macro-enabled Microsoft Excel file; opening it leads to the computer being infected with Jester Stealer.
The attack, which requires potential victims to enable macros after opening the document, works by downloading and executing an .EXE file retrieved from compromised web resources, CERT-UA detailed.
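The infection chain above depends on the victim receiving a macro-enabled workbook. A mail gateway cannot rely on the file extension alone, because an .xlsm container can be renamed to .xlsx and still carry its VBA project. The following is an added example, not CERT-UA's or the article's own code: it inspects the OOXML zip container for the `xl/vbaProject.bin` part and the macro-enabled content type, and runs that check over constructed sample messages whose subjects and attachment names mirror the two lures reported here. The `Message` record, the lure list and the sample workbooks are assumptions built for this illustration.

```python
import io
import zipfile
from dataclasses import dataclass

# OOXML part that stores VBA code; it exists only in macro-enabled workbooks (.xlsm/.xlsb).
VBA_PART = "xl/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
MACRO_EXTENSIONS = {"xlsm", "xlsb", "xltm"}

# Subject lures reported by CERT-UA for the two campaigns (constructed matcher, lower-cased).
LURE_SUBJECTS = ("chemical attack", "кібератака")


@dataclass
class Message:
    """Constructed stand-in for a parsed email: subject plus filename -> raw attachment bytes."""
    subject: str
    sender: str
    attachments: dict


def has_vba_project(blob: bytes) -> bool:
    """True when an OOXML container carries a VBA project, whatever the file is called."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
            if VBA_PART in names:
                return True
            # Second signal: the content-types manifest declares a macro-enabled main part.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        return False  # not an OOXML container (e.g. RAR, EXE, legacy OLE2 .xls)
    return False


def build_workbook(macro_enabled: bool) -> bytes:
    """Constructed minimal OOXML container used only as sample input for this example."""
    main_ct = MACRO_CONTENT_TYPE if macro_enabled else PLAIN_CONTENT_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro_enabled:
            # OLE2 magic bytes stand in for a real VBA storage; the check only needs the part name.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


def triage(msg: Message) -> list:
    """Return human-readable findings for a message; an empty list means nothing suspicious."""
    findings = []
    subject = msg.subject.lower()
    lure_hit = any(lure in subject for lure in LURE_SUBJECTS)
    for name, blob in msg.attachments.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if has_vba_project(blob):
            findings.append(f"{name}: macro-enabled workbook (VBA project present)")
            if ext not in MACRO_EXTENSIONS:
                findings.append(f"{name}: extension '{ext}' disguises macro-enabled content")
        if ext in ("rar", "exe", "scr"):
            findings.append(f"{name}: archive/executable attachment")
    if lure_hit and findings:
        findings.insert(0, f"subject '{msg.subject}' matches a known lure")
    return findings


if __name__ == "__main__":
    samples = [
        Message("Re: chemical attack", "sender@example.invalid", {"report.xlsx": build_workbook(True)}),
        Message("Кібератака", "cert@example.invalid", {"UkrScanner.rar": b"Rar!\x1a\x07\x00"}),
        Message("Q2 budget", "finance@example.invalid", {"budget.xlsx": build_workbook(False)}),
    ]
    for m in samples:
        print(m.subject, "->", triage(m) or "clean")
```

The renamed-extension case is the one worth keeping in a gateway rule: the Excel client still opens a renamed .xlsm as a macro-enabled workbook, so blocking on ".xlsm" alone misses it, while the container check does not.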
Jester Stealer, which was first documented by Cyble in February 2022, comes with features to steal and transmit login credentials, cookies, and credit card information, along with data from password managers, chat messengers, email clients, crypto wallets, and gaming apps, to the attackers.
"The hackers get the stolen data via Telegram using statically configured proxy addresses (e.g., within TOR)," the agency said. "They also use anti-analysis techniques (anti-VM/debug/sandbox). The malware has no persistence mechanism — it is deleted as soon as its operation is completed."
The Jester Stealer campaign coincides with another phishing attack that CERT-UA has attributed to the Russian nation-state actor tracked as APT28 (aka Fancy Bear aka Strontium).
The emails, titled "Кібератака" (meaning "cyberattack" in Ukrainian), masquerade as a security notification from CERT-UA and carry a RAR archive attachment named "UkrScanner.rar" that, when opened, deploys a malware known as CredoMap_v2.
"Unlike prior versions of this stealer malware, this one uses the HTTP protocol for data exfiltration," CERT-UA noted. "Stolen authentication data will be sent to a web resource, deployed on the Pipedream platform, through the HTTP POST requests."
The disclosures follow similar findings from Microsoft's Digital Security Unit (DSU) and Google's Threat Analysis Group (TAG) about Russian state-sponsored hacking crews carrying out credential and data theft operations in Ukraine.