Ukraine’s Computer Emergency Response Team (CERT-UA) warns of mass distribution of Jester Stealer malware via phishing emails with warnings of impending chemical attacks to scare recipients into opening attachments.
As the war between Russia and Ukraine continues, the threat of an escalation in the use of more lethal weapons remains a cause for concern.
Ukrainians live under this constant fear, which is why these phishing emails are intended as chemical attack warnings to ensure recipients don’t ignore their messages.
The full text of the auto-translated phishing email can be read below:
“Today information was received that chemical weapons will be used at 01:00 at night, the authorities are trying to hide it so as not to scare the population. Urgently learn about the places where chemical weapons will be used and the places of special shelters where we will be safe.
Please help us spread the information attached to the document in the letter as much as possible. Map of the chemical damage zone.
We have to save as many lives as possible!”
These phishing emails carry XLS attachments laced with malicious macros. If the recipient opens the file and clicks "Enable Content" in Microsoft Office, the macro downloads an EXE payload from a remote site and executes it on the computer.
Per the CERT-UA advisory, the executables are hosted on compromised websites rather than on infrastructure the threat actor controls directly.
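The attachment chain described above (a macro-laden XLS that pulls an EXE from a remote site) is exactly what a mail gateway or an analyst wants to triage before anyone clicks "Enable Content". The following Python script is an added example, not code from the article or from CERT-UA, and uses only the standard library: it classifies an attachment as legacy OLE2 (.xls) or OOXML (.xlsx/.xlsm), flags an embedded VBA project, looks for auto-execute macro names and for URLs that a downloader macro would contact, and returns a verdict. The sample attachments are constructed inline. It is a heuristic: VBA source inside OLE2 containers is stored compressed, so a plaintext search can miss names, and a proper analysis should use a dedicated parser such as oletools' olevba.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary (legacy .xls/.doc)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.xlsx/.xlsm/.docm) is a zip

# Procedure names that Office runs automatically when the document is opened.
AUTO_EXEC_NAMES = [b"Auto_Open", b"Workbook_Open", b"Document_Open", b"AutoOpen"]

# Storage names that hold a VBA project in an OLE2 file; the directory stores them as UTF-16LE.
OLE_VBA_STORAGES = ("_VBA_PROJECT", "Macros")

URL_RE = re.compile(rb"https?://[\w./%-]+")


def _utf16le(name: str) -> bytes:
    return name.encode("utf-16-le")


def triage_attachment(data: bytes) -> dict:
    """Return indicators found in an Office attachment given as raw bytes."""
    result = {"container": "unknown", "has_vba": False, "auto_exec": [], "urls": []}
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole2"
        result["has_vba"] = any(_utf16le(n) in data for n in OLE_VBA_STORAGES)
        blob = data
    elif data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                vba_parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
                result["has_vba"] = bool(vba_parts)
                # Only the VBA binary part is searched; the XML parts are not macro code.
                blob = b"".join(zf.read(n) for n in vba_parts)
        except zipfile.BadZipFile:
            return result
    else:
        return result
    result["auto_exec"] = [n.decode() for n in AUTO_EXEC_NAMES if n in blob]
    result["urls"] = sorted({m.decode("ascii", "ignore") for m in URL_RE.findall(blob)})
    return result


def is_suspicious(result: dict) -> bool:
    """A VBA project that auto-runs or embeds a URL is the downloader pattern worth blocking."""
    return result["has_vba"] and bool(result["auto_exec"] or result["urls"])


def build_samples() -> dict:
    """Constructed sample attachments (not real malware): one OLE2 .xls with a VBA
    project, one .xlsm with a vbaProject.bin part, and one clean .xlsx."""
    xls_macro = (
        OLE_MAGIC + b"\x00" * 64
        + _utf16le("_VBA_PROJECT_CUR") + b"\x00" * 16
        + b"Sub Auto_Open()  http://example.invalid/payload.exe"   # constructed URL
    )

    def make_zip(parts: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in parts.items():
                zf.writestr(name, content)
        return buf.getvalue()

    xlsm_macro = make_zip({
        "xl/workbook.xml": b"<workbook/>",
        "xl/vbaProject.bin": b"Workbook_Open URLDownloadToFile http://compromised-site.example/update.exe",
    })
    xlsx_clean = make_zip({"xl/workbook.xml": b"<workbook/>"})
    return {"xls_macro": xls_macro, "xlsm_macro": xlsm_macro, "xlsx_clean": xlsx_clean}


if __name__ == "__main__":
    for label, sample in build_samples().items():
        verdict = triage_attachment(sample)
        print(label, "SUSPICIOUS" if is_suspicious(verdict) else "ok", verdict)
```

In a mail pipeline the same function would run over each attachment before delivery, and anything with `has_vba` plus an auto-exec name or an embedded URL would be quarantined for a human to look at; the URL list also gives the responder the compromised hosts to block at the proxy.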
The payload dropped on the victim’s system is Jester Stealer, an information-stealing malware strain that is set to gain popularity in 2022 due to its extensive capabilities and affordable prices.
Jester Stealer is an information-stealing Trojan that harvests data stored in browsers, such as account passwords, messages in email clients, conversations in instant messaging applications, and cryptocurrency wallet details. The stolen data is uploaded to a remote server, from which the threat actors collect it for use in future attacks or for sale on dark web markets.
A unique feature of Jester Stealer is the use of AES-CBC-256 encryption to communicate with its operators through Tor network servers and transmit the stolen data to private Telegram channels.
As CERT-UA underlines, the malware operators have added anti-analysis features that keep the malware from being examined in virtual machines.
What the malware lacks is a persistence mechanism: once the process is closed and the file deleted, it won't start again.
At this time, CERT-UA has not attributed the malicious email campaign, so the threat actors behind it remain unknown.
Jester Stealer is licensed to anyone for $99 per month or $249 for lifetime access, so this campaign is likely orchestrated by low-skilled opportunists.