
Cyber Incident Victim: Government of Ukraine

Date:

May 2022

Location:

Ukraine

Summary

Ukraine's CERT warned of a phishing campaign distributing Jester Stealer malware via emails falsely warning of imminent chemical attacks to exploit wartime fears. The messages urged recipients to open malicious Excel attachments containing macros that fetched and executed a remote payload from compromised websites. The malware harvested sensitive data—including passwords, email messages, instant messaging discussions, and cryptocurrency wallet details—encrypting stolen information with AES-CBC-256 before exfiltrating it via Tor to Telegram channels. Jester Stealer incorporated anti-analysis features to evade detection in virtualized environments but lacked persistence mechanisms, requiring manual execution. While attribution remains unclear, the malware's low-cost licensing model suggested involvement by opportunistic threat actors rather than sophisticated groups.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

On May 9, 2022, Ukraine’s Computer Emergency Response Team (CERT-UA) issued a warning regarding a widespread phishing campaign distributing Jester Stealer malware. Threat actors leveraged heightened fears of chemical weapon attacks amid the ongoing conflict with Russia, crafting emails designed to appear as urgent safety advisories. These messages, machine-translated into Ukrainian, falsely claimed authorities were concealing imminent chemical strikes scheduled for 1:00 AM and urged recipients to review an attached document labeled “map of the zone of chemical damage.” The emails contained malicious Excel (XLS) files embedded with macros that, when enabled, initiated a multi-stage infection process. Upon execution, the macros retrieved and ran an executable payload from compromised third-party websites rather than direct attacker-controlled infrastructure, potentially complicating initial detection efforts. The final payload, identified as Jester Stealer, functioned as an information-stealing trojan targeting sensitive data across browsers, email clients, instant messaging applications, and cryptocurrency wallets.

The incident impacted victims through comprehensive data exfiltration: stolen credentials, messages, and financial details were encrypted with AES-CBC-256 and transmitted to remote servers over the Tor network. Jester Stealer further used private Telegram channels to aggregate the stolen data and featured anti-analysis mechanisms to evade detection in virtualized environments. CERT-UA confirmed the malware lacked persistence mechanisms, meaning manual termination or deletion could halt its operation. No attribution was provided for the campaign, though CERT-UA noted Jester Stealer’s commercial availability—$99 monthly or $249 for lifetime access—suggesting potential involvement of low-skilled actors. The campaign exploited wartime psychological pressures to increase open rates, underscoring its social engineering effectiveness. CERT-UA’s advisory focused on technical dissemination of the threat’s characteristics, delivery methods, and data theft mechanisms without detailing victim remediation efforts or broader containment measures beyond public notification.
