Cyber Incident Victim: KP in Ukraine

Date:

May 2022

Location:

Ukraine

Summary

A phishing campaign targeted Ukrainian recipients with emails warning of an imminent chemical attack, to induce them to open malicious XLS attachments. Macros in the attachments downloaded and executed Jester Stealer from compromised third-party websites. The stealer harvested browser-stored passwords, email messages, instant-messaging conversations and cryptocurrency wallet details, and exfiltrated the data over the Tor network, AES-encrypted, to remote servers from which it was forwarded to attacker-controlled Telegram channels. The malware had no persistence mechanism but included anti-analysis features intended to hinder examination in virtual-machine environments. The threat actors remain unidentified; the use of cheaply leased commodity malware suggests opportunistic attackers after credentials for direct financial gain or resale on dark web markets, exploiting wartime fears in the country.


Description

In May 2022, Ukraine’s Computer Emergency Response Team (CERT-UA) issued a warning about a widespread phishing campaign distributing Jester Stealer malware. The threat actors exploited heightened fears of chemical weapon attacks during the Russia-Ukraine conflict by sending emails falsely warning recipients of an imminent chemical strike scheduled for 1:00 AM. The messages urged immediate action, instructing recipients to review an attached document labelled “map of the zone of chemical damage” and to disseminate the information widely to save lives. The attachments were malicious Excel (XLS) files carrying macros; when the macro ran, it downloaded and executed an EXE payload from compromised third-party websites rather than directly from attacker-controlled infrastructure. The payload was Jester Stealer, an information-stealing malware known for its low price and broad data-theft capabilities. Upon execution, the malware harvested sensitive information from the victim’s system, including browser-stored account credentials, email client messages, instant-messaging application conversations and cryptocurrency wallet details. The stolen data was transmitted to remote servers over the Tor network, encrypted with AES-256 in CBC mode, and forwarded to private Telegram channels controlled by the threat actors.


Jester Stealer included anti-analysis features intended to hinder examination in virtual-machine environments, but it had no persistence mechanism: terminating the process and deleting the executable was sufficient to remove it, and it would not survive a reboot on its own, although reopening the attachment and running the macro again would reinfect the host. CERT-UA confirmed the distribution method and the payload but did not attribute the activity to any specific threat group or nation-state actor. The malware’s licensing model, $99 per month or $249 for lifetime access, suggested involvement by low-skilled opportunists rather than an advanced persistent threat. The campaign leveraged psychological manipulation tied to wartime anxieties to increase the likelihood of successful infections, and used compromised websites as intermediary payload hosts to obscure the attackers’ own infrastructure. While the full scope of impacted systems was not disclosed, the mass-distribution strategy indicated intent to compromise a broad range of Ukrainian targets, potentially enabling follow-on attacks using the exfiltrated credentials or financial data. CERT-UA’s advisory focused on technical analysis of the malware and its delivery mechanism and did not detail specific victim remediation efforts or containment measures beyond public notification.
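Detection logic for the delivery and exfiltration chain described above, as an added example that is not part of the CERT-UA advisory or of this page’s own material. It replays constructed Sysmon-style process-creation and network-connection events and flags three things: an Office application spawning a child process (high severity when the child lives in a user-writable directory, as a macro-dropped payload would), the Office process itself making an outbound connection (low severity on its own, since Office does make legitimate connections), and a descendant of an Office process connecting to a port commonly used by Tor. The event shape, process names, IP addresses and the Tor port list are assumptions made for the example.

```python
import ntpath

# Parent applications whose child processes deserve attention. The chain on
# this page (XLS attachment -> macro -> downloaded EXE) shows up in telemetry
# as EXCEL.EXE spawning a freshly written executable.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Ports commonly used by Tor clients and relays. Assumption made for the
# example, and a coarse indicator only: relays also listen on 443, so a miss
# here proves nothing.
TOR_PORTS = {9001, 9030, 9050, 9051, 9150}

# Path fragments that mark a user-writable drop location for a payload.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample telemetry in a Sysmon-like shape. These records are made
# up for the example; they are not logs from the incident.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 880,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"},
    {"type": "network", "pid": 4100, "dst_ip": "203.0.113.10", "dst_port": 80},
    {"type": "process", "pid": 4180, "ppid": 4100,
     "image": "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe"},
    {"type": "network", "pid": 4180, "dst_ip": "198.51.100.7", "dst_port": 9001},
    {"type": "process", "pid": 5000, "ppid": 880,
     "image": "C:\\Windows\\System32\\notepad.exe"},
    {"type": "process", "pid": 6000, "ppid": 880,
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    {"type": "network", "pid": 6000, "dst_ip": "192.0.2.44", "dst_port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def descends_from_office(pid, procs):
    """Walk the parent chain of pid and report whether an Office app is an ancestor."""
    seen = set()
    cur = procs.get(pid)
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if basename(cur["image"]) in OFFICE_APPS:
            return True
        cur = procs.get(cur["ppid"])
    return False


def analyze(events):
    """Replay events in order, tracking live processes, and return alert dicts."""
    procs = {}
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            parent = procs.get(ev["ppid"])
            if parent and basename(parent["image"]) in OFFICE_APPS:
                dropped = any(frag in ev["image"].lower() for frag in USER_WRITABLE)
                alerts.append({"rule": "office_child_process", "pid": ev["pid"],
                               "severity": "high" if dropped else "medium",
                               "detail": f'{basename(parent["image"])} spawned {ev["image"]}'})
        elif ev["type"] == "network":
            proc = procs.get(ev["pid"])
            if proc is None:
                continue  # no creation record seen; nothing to reason about
            if basename(proc["image"]) in OFFICE_APPS:
                alerts.append({"rule": "office_network", "pid": ev["pid"], "severity": "low",
                               "detail": f'{basename(proc["image"])} -> {ev["dst_ip"]}:{ev["dst_port"]}'})
            elif ev["dst_port"] in TOR_PORTS:
                lineage = descends_from_office(ev["pid"], procs)
                alerts.append({"rule": "tor_port_connection", "pid": ev["pid"],
                               "severity": "high" if lineage else "medium",
                               "detail": f'{basename(proc["image"])} -> {ev["dst_ip"]}:{ev["dst_port"]}'})
    return alerts


def verdict(alerts):
    """Highest severity across alerts; 'none' when there are no alerts."""
    return max((a["severity"] for a in alerts), key=SEVERITY_RANK.__getitem__, default="none")


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["rule"], alert["pid"], alert["detail"])
    print("verdict:", verdict(analyze(SAMPLE_EVENTS)))
```

The rules are deliberately combined through process lineage rather than used in isolation: Excel reaching the network and a random process touching port 9001 are each noisy on their own, but a process dropped into a user-writable directory by Excel and then contacting a Tor port is exactly the shape of the chain on this page. Because the stealer had no persistence mechanism, the process tree at infection time is the main host artifact, so this kind of lineage-aware logic matters more here than registry or scheduled-task monitoring.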
