The CERT-UA has warned of phishing attacks that deploy an info stealer malware called Jester Stealer on compromised systems.
The attack chain starts with a email with subject line “chemical attack” and contains a link to a macro-enabled Microsoft Excel file, opening which leads to computers getting infected with Jester Stealer.
It comes with features to steal and transmit login credentials, cookies, and credit card information along with data from passwords managers, chat messengers, email clients, crypto wallets, and gaming apps to the attackers.
The stolen data will get transferred via Telegram using statically configured proxy addresses. The malware uses anti malware techniques for evasion. The malware is not so persistence, it will be deleted as soon as its operation is completed.
The Jester Stealer campaign coincides with another phishing attack that CERT-UA has attributed to the Russian nation-state actor tracked as APT28.
This version of malware uses the HTTP protocol for data exfilteration. Stolen authentication data will be sent to a web resource, deployed on the Pipedream platform, through the HTTP POST requests.
The disclosures follow similar findings from Microsoft’s Digital Security Unit (DSU) and Google’s TAG about Russian state-sponsored hacking crews carrying out credential and data theft operations in Ukraine.