As the war between Russia and Ukraine continues, threat actors are resorting to a variety of malware threats. Ukrainian entities are being targeted by disrupting cyberattacks. One such malspam campaign was found propagating the Jester infostealer, warned CERT-UA.

Diving into details

Jester is being pushed via phishing emails, carrying the subject ‘chemical attack’. The emails, furthermore, contain a link to a weaponized Microsoft Excel file. The warnings of impending chemical attacks are scaring the recipients into opening the file, leading to infection with Jester infostealer. 

Modus operandi

XLS files in the malicious emails are infected with malicious macros.
  • Once the file is opened and content is enabled in MS Office, an EXE payload is fetched from a remote location and execution ensues.
  • The advisory states that the executable files are downloaded from infected websites and not from infrastructure controlled by the attackers. 
  • The files deploy Jester on the victims’ systems. 

About Jester

The infostealer malware first appeared in July 2021 and gained popularity this year in February. 
  • It boasts of expansive functionalities and affordable prices. This powerful trojan is capable of stealing data from browsers, including account passwords, crypto wallet details, messages on email clients, and discussions on IM apps. 
  • The stolen information, which is to be used by cybercriminals in future attacks, is uploaded to a remote server
  • In addition to the above, Jester uses AES-CBC-256 encryption for communicating with its operators via Tor network servers. 
  • The malware cannot be analyzed in virtual machines as the malware developers have implemented anti-analysis capabilities in Jester. 

Latest infostealer campaigns

Infostealers are all the rage right now and threat actors are making the most out of this class of malware. 
  • Attackers were found luring artists on DeviantArt and Pixiv through fake job-related offers. The aim was to infect their systems with an infostealer, named EnigmaProtector.
  • Last month, unsuspecting users were lured with a fake Windows 11 upgrade. It was a ploy to deliver the Inno Stealer infostealer that can steal browser data and crypto wallet details.  

The bottom line

While the Jester malspam campaign has not yet been attributed to any threat actor yet, the attacks coincide with another phishing attack conducted by APT28. Russian state-sponsored hackers are launching incessant attacks against Ukraine to conduct data and credential theft. Jester is most probably being orchestrated by low-skilled hackers due to its selling price of $99 per month or $249 for lifetime access. Therefore, follow cyber hygiene protocols and stay safe.
Cyware Publisher