As the conflict between Russia and Ukraine escalates, the potential of utilizing more lethal weapons, which was previously merely a fear, may now take on a new form. The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning about a huge distribution campaign based on the concept of a “chemical attack.” Receiving an email like this in Ukraine’s invasion-affected regions is sure to generate widespread panic. Jester Stealer, a malicious file capable of large-scale data theft, is back on the hunt.


What the Warning is About and How it Works

Recently, via its official website, CERT-UA (Center of Excellence for Applied Research and Training) issued a warning about the upcoming wave of cyberattacks on Ukrainians that shall distribute Jester Stealer.

It says, “The hackers obtain the stolen data over Telegram using statically established proxy addresses (e.g., within TOR),” and “They also employ anti-analysis methods (anti-VM/debug/sandbox).” The virus does not have a persistence mechanism and is removed as soon as its activity is accomplished.


Details as Issued by CERT-UA

The Ukrainian government’s unit for reacting to computer emergencies, CERT-UA, discovered the widespread circulation of emails with the subject “chemical attack” and a link to an XLS document containing a macro.

When you open the document and activate the macro, it will download and launch the EXE file, infecting your computer with the dangerous malware JesterStealer.


Another Phishing Campaign

CERT-UA has linked the Jester Stealer campaign with another phishing campaign their system identified as the work of Russian state actors linked to APT28 (aka Fancy Bear aka Strontium).

These emails, titled “Кіберaтака” (cyber-attack in Ukrainian), are disguised as a security alert from CERT-UA. They contain a RAR file titled “UkrScanner.rar” attached to them, and when opened, the files deploy a malware called CredoMap_v2.


Sources Through Which Jester Stealer Can Attack Your System

  • The files are obtained from compromised web pages, according to the CERT-UA.
  • JesterStealer extracts authentication and other information from Internet browsers, MAIL/FTP/VPN clients, crypto wallets, password managers, messengers, game programs, and other applications.

The stolen information is then sent back to the attackers via Telegram. When the malicious action is finished, the virus deletes itself.


In What Manner Does it Infiltrate Systems?

The Jester Stealer is a Net-based malware that generally infects target computers via phishing emails masquerading as a txt, jar, ps1, bat, png, doc, Xls, pdf, mp3, mp4, or ppt file attachment.

Threat actors may also use random distribution routes, such as pirated material and hacking tools marketed on YouTube.


What is Jester Stealer?

Jester Stealer is an Information Stealer who takes your sensitive information, including login passwords, cookies, credit card information, etc., and passes it to a Threat Actor (TA). TAs collect and use stolen data by uploading it to a remote server, which in turn is sold on dark web markets or used in future attacks. Jester Stealer is a new threat that surfaced on cybercrime forums in July 2021. It has been upgraded seven times since then, with each version offering new features.

In addition to the Stealer’s anti-sandbox and anti-VM capabilities also allow data exfiltration through various platforms, including browsers, VPN clients, password managers, chat messengers, email clients, and crypto-wallets. Data is exfiltrated via TOR as logs to Telegram Bot.


Its unique characteristics

Jester Stealer has the following features:

  • The AES-CBC-256 algorithm is used to encrypt the connection.
  • Tor servers may be found around the network.
  • All logs are sent to your Telegram bot.
  • Swift log collecting in memory with no data written to the disc.
  • For lifetime access, Jester Stealer can be purchased for $99 a month or $249.


What is at Stake?

Since it encrypts connections with AES-CBC-256, integrates Tor network servers, redirects logs to Telegram bots, and bundles stolen material in memory before exfiltration, its attack vector is vast:

  • Passwords, credit cards, cookies, autofill information, browsing histories, and bookmarks/favorites for more than 20 web browsers.
  • Password managers such as KeePass, NordPass, LastPass, BitWarden, 1Password, RoboForm, and others.
  • Software for gaming: Steam sessions, Twitch streams, and OBS profiles with broadcast keys.
  • Thunderbird, Outlook, and FoxMail as potential email clients.
  • Apps for instant messaging: Telegram, Discord, WhatsApp, Signal, and Pidgin
  • The most popular digital wallets include Electrum, Exodus, Guarda, Atomic, Coinomi, Jaxx, Wasabi, Zcash, etc.


Guidelines to Safeguard Your Information Systems

Avoid Unreliable Websites: Keeping info-stealing infections to a minimum can be done by not downloading executable files from untrustworthy websites or torrent swarms.

Use official news sources: Stick to official news sources for breaking news in impacted areas. A true warning on the President’s website, or comparable message from official sources on Twitter, is more likely to be trusted than random emails.

Up-to-date Anti-Virus: It is always best to avoid downloading and executing files that arrive in unsolicited emails and check downloaded files on an up-to-date anti-virus program.

Avoid persuading emails that ask to download macros: Attackers frequently use deceptive messages, e.g., asking you to cancel an order or read a legal document. They will somehow make you download a document and then attempt to convince you to let macros execute. No reputable and legitimate organization will ask you to open an Excel file to cancel an order, and also, you don’t need macros to read a Word page.

Upgrading Overall Security: Develop a security attitude among your staff. Enable multi-factor authentication, ensuring strong passwords, and remember that phishing is still the most common attack vector, even for sophisticated adversaries.


Final Words

The conflict between Ukraine and Russia is not the only reason for the cyberattack warning; phishing attempts have taken over the digital world. There is no hard and fast rule for protecting oneself against such cyber assaults; the only golden rule is to follow the fundamental cyber protection principles to avoid financial and reputational damages to your business.