A phishing campaign has been identified that warns of chemical weapon attacks on Ukrainian citizens in an attempt to infect devices with Jester malware. The Computer Emergency Response Team of Ukraine (CERT-UA) has recently issued a security advisory about the mass distribution of these malicious emails targeting Ukrainian citizens.
The emails have the subject line “chemical attack” and warn, in Ukrainian, that information has been received indicating that chemical weapons will be used at 01:00, and that the authorities are not alerting the public so as not to cause panic. The emails claim to provide details of where the chemical weapons will be used and of the location of shelters where people will be safe. That information is said to be in a document, a link to which is included in the email.
If the hyperlink is clicked, the user is taken to an XLS spreadsheet hosted on a compromised website. The spreadsheet contains a malicious macro that runs only if the document is opened and the user enables content (i.e. allows macros to execute). The macro downloads an .EXE payload from a remote server and executes it, and that executable runs Jester malware. The infection therefore depends on two user actions: clicking the link and enabling macros in the downloaded file.
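The delivery chain above (Excel opens the lure, the macro reaches out to a remote server, then launches an executable it has written to disk) is visible in endpoint telemetry even when the lure, the hosting site and the payload hash change. The following is an added example, not code from the advisory or from any vendor: a small Python detector run over constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. The field names follow Sysmon's JSON export; the hostnames, paths, GUIDs, timestamps and the destination IP (a documentation range used as a placeholder) are all invented for this example. It raises a "high" finding when the same Office process both connects to an external address and then spawns an executable from a user-writable directory within a short window, and a "medium" finding for the spawn alone.

```python
"""Added example (not from the advisory): correlate Office network activity with
Office spawning executables from user-writable paths, which is the macro
download-and-run chain described in the article.

The event records are constructed to look like Sysmon Event ID 1 (process
create) and Event ID 3 (network connection) exported as JSON. All paths, GUIDs,
timestamps and addresses are invented.
"""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List

# Office hosts that should not normally be the parent of an executable
# dropped into a user-writable location.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Directory markers (lower-cased) that an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Address ranges treated as internal; anything else counts as external.
# Deliberately hand-written rather than ipaddress.is_global, which classifies
# documentation ranges such as 203.0.113.0/24 as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PPT = r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"

# Constructed sample telemetry (hypothetical; not real campaign artifacts).
SAMPLE_EVENTS: List[Dict] = [
    # Explorer opens the lure spreadsheet in Excel.
    {"EventID": 1, "UtcTime": "2022-05-10 09:58:04", "ProcessGuid": "{G-EXCEL}",
     "Image": EXCEL, "CommandLine": r'"EXCEL.EXE" C:\Users\alice\Downloads\lure.xls',
     "ParentProcessGuid": "{G-EXPLORER}", "ParentImage": r"C:\Windows\explorer.exe"},
    # Macro fetches the payload from a remote host (placeholder documentation IP).
    {"EventID": 3, "UtcTime": "2022-05-10 09:58:31", "ProcessGuid": "{G-EXCEL}",
     "Image": EXCEL, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Macro executes the downloaded file from the user's temp directory.
    {"EventID": 1, "UtcTime": "2022-05-10 09:58:33", "ProcessGuid": "{G-DROP}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "ParentProcessGuid": "{G-EXCEL}", "ParentImage": EXCEL},
    # Benign: Word printing through the 32/64-bit print spooler helper.
    {"EventID": 1, "UtcTime": "2022-05-10 10:02:10", "ProcessGuid": "{G-SPL}",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288",
     "ParentProcessGuid": "{G-WORD}", "ParentImage": WORD},
    # Benign: Word talking to an internal proxy; internal, so not counted.
    {"EventID": 3, "UtcTime": "2022-05-10 10:02:12", "ProcessGuid": "{G-WORD}",
     "Image": WORD, "DestinationIp": "10.0.0.5", "DestinationPort": 8080},
    # Suspicious but uncorrelated: PowerPoint launches something from Downloads
    # with no preceding external connection from that process.
    {"EventID": 1, "UtcTime": "2022-05-10 10:15:00", "ProcessGuid": "{G-DL}",
     "Image": r"C:\Users\alice\Downloads\viewer.exe", "CommandLine": "viewer.exe",
     "ParentProcessGuid": "{G-PPT}", "ParentImage": PPT},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events: List[Dict], window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return findings in event order.

    'high'   : an Office process made an external connection and, within
               `window` afterwards, spawned an executable from a user-writable path.
    'medium' : the spawn alone, with no preceding external connection from that
               Office process.
    """
    # Times of external connections, keyed by the Office process that made them.
    net_by_proc: Dict[str, List[datetime]] = {}
    for e in events:
        if e["EventID"] == 3 and basename(e["Image"]) in OFFICE_HOSTS \
                and is_external(e["DestinationIp"]):
            net_by_proc.setdefault(e["ProcessGuid"], []).append(parse_time(e["UtcTime"]))

    findings: List[Dict] = []
    for e in events:
        if e["EventID"] != 1 or basename(e["ParentImage"]) not in OFFICE_HOSTS:
            continue
        child = e["Image"]
        if not any(marker in child.lower() for marker in USER_WRITABLE):
            continue
        t = parse_time(e["UtcTime"])
        prior = [n for n in net_by_proc.get(e["ParentProcessGuid"], [])
                 if timedelta(0) <= t - n <= window]
        findings.append({
            "severity": "high" if prior else "medium",
            "time": e["UtcTime"],
            "parent": basename(e["ParentImage"]),
            "child": child,
            "external_connections_before_spawn": len(prior),
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['time']} {f['parent']} -> {f['child']}")
```

The ordering matters: an outbound connection from an Office process on its own is common (update checks, cloud storage) and would be noisy, whereas Excel spawning a binary from Temp right after contacting an external host is the exact sequence the macro described above produces. Tune `window`, `USER_WRITABLE` and `INTERNAL_NETS` to the environment; signed helper processes such as splwow64.exe in a protected path are left alone by design.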
Jester malware is an information stealer that was first identified in February 2022. It can steal and exfiltrate login credentials, cookies, cryptocurrency wallet data, passwords stored in browsers, messages in email clients, IM chat data, and other information. The malware uses AES-256-CBC encryption for communications with its servers on the Tor network and for transmitting stolen data to private Telegram channels. It has anti-analysis features to detect when it is running in a sandbox or virtual machine, and it has no persistence mechanism: once it has finished collecting and exfiltrating data and the process exits, it is removed from the machine rather than surviving a reboot.
CERT-UA has not uncovered evidence about the threat actors behind the campaign, so it is unknown whether this is an attack by a pro-Russian hacking group or an opportunistic cybercriminal gang. Since Jester malware is widely available and is licensed at $99 per month or $249 for lifetime use, the tooling points toward a financially motivated operator rather than a nation-state actor, although commodity malware is also used by state-aligned groups precisely because it complicates attribution, so the tooling alone does not settle the question.
The phishing emails in this campaign use tried and tested social engineering to maximize the chance of the emails being opened and the malicious file being run: a credible threat, a deadline, and severe consequences for doing nothing. Since the invasion of Ukraine, citizens have been on high alert and have been living with the fear of chemical weapon attacks, so there is a high probability that the emails will be opened and the link followed.
Regardless of the seriousness of the threat outlined in an email, it is important to continue to follow email security best practices and not to follow links or open attachments in unsolicited emails. In this campaign the infection also depends on the recipient enabling content in the downloaded spreadsheet, so declining to enable macros in documents from unknown sources blocks the attack at that step, and organizations can enforce this by blocking macros in files obtained from the internet.