Jester Stealer Malware Detection: Phishing Attacks Spreading Info-Stealing Malware by the UAC-0104 Hacking Group

A wave of new phishing cyber-attacks has recently swept Ukraine. Hard on the heels of an attack by the APT28 threat actors spreading the CredoMap_v2 info-stealing malicious software, another hacking group has recently distributed phishing emails deploying malware called Jester Stealer, as CERT-UA reports. This latest malicious activity has been tracked as UAC-0104 based on the adversary behavior patterns.

Jester Stealer Analysis of the Latest Attack by UAC-0104 

Info stealers, which enable attackers to exfiltrate the victims’ sensitive data, are constantly evolving along with phishing as one of the most effective attack vectors. Info-stealing malware samples commonly exfiltrate data from web browsers, MAIL/FTP/VPN clients, cryptocurrency wallets, password managers, etc. The newly detected Jester Stealer campaign leverages info-stealing malware uncovered by Cyble Research Labs in February 2022. 

In the latest cyber-attack through phishing emails infected with Jester Stealer, threat actors have exploited the “chemical attack” topic as a lure aimed to trick users into opening emails that contained a link to an XLS file with a malicious macro. After opening the file and enabling the macro, the latter launches an executable file, which further infects the system with the above-mentioned info-stealing malware strain. Exfiltrated data can then be shared with attackers using the Telegram messaging service via statistically defined proxy addresses, including the TOR network. The info stealer used by the UAC-0104 group uses a set of techniques to hinder malware analysis and lacks a persistence mechanism. Through a series of updates, the malware has gradually enhanced its capabilities, including AES-CBC-256 encryption, log storage in memory, as well support for anti-sandbox and anti-VM features. Moreover, Jester Stealer deletes itself after completing the malicious operation enabling threat actors to evade detection. 

Detect Jester Stealer Malware

To enable InfoSec practitioners to timely spot infections caused by Jester Stealer and proactively detect cyber-attacks attributed to the UAC-0104 threat actors, the SOC Prime’s platform curates a set of dedicated detection algorithms available below: 

Sigma Rules to Detect the Malicious Activity Related to the UAC-0104 Group

Cybersecurity professionals are prompted to log into the SOC Prime’s platform with their current account or sign up for instant access to the above-mentioned detection content. The platform capabilities allow directly searching for the relevant content items using a custom tag #UAC-0104 associated with the corresponding hacking collective. 

Moreover, this rule kit can be leveraged to search for cyber threats related to the malicious activity of the UAC-0104 group using SOC Prime’s Quick Hunt module, making hunting simpler than ever. 

MITRE ATT&CK® Context: New Phishing Attacks by UAC-0104

To gain insights into attackers’ behavior behind the latest UAC-0104 attacks involving Jester Stealer malware, the Sigma-based detections referenced above are mapped to the MITRE ATT&CK framework addressing the corresponding tactics and techniques: