Cyble Research Labs have been actively monitoring various stealers, and recently we came across a malware sample which turned out to be Jester Stealer. Jester Stealer is an Info Stealer, which steals your sensitive information such as login credentials, cookies, credit card details, etc., and sends the exfiltrated data to Threat Actor (TA). Figure 1 shows one of the advertisements used by TAs.
Jester Stealer surfaced the cybercrime forums in July 2021. Figure 2 shows the post made by TA on a Cybercrime forum.
As per TA’s statement Jester Stealer the has following features:
⦁ Connection is encrypted using the AES-CBC-256 algorithm.
⦁ Servers can be located in the tor network.
⦁ All logs will be redirected to your telegram bot.
⦁ Swift log collection in memory without writing any data to disk.
During our investigations, we found that Jester Stealer has got seven updates and has attempted to increase its capability with every update. Apart from the features mentioned above, we found that the Stealer has an anti-sandbox and anti-VM feature. This stealer has the capability to exfiltrate data from various applications such as browsers, VPN clients, passwords managers, chat messengers, email clients, crypto wallets, and gaming software. The exfiltrated data goes as logs through TOR to Telegram Bot. In addition, if for some reason the log somehow did not reach the Telegram Bot, it would go to AnonFiles (anonymous file sharing platform).
Developers of Jester Stealer also provide a builder which creates custom malware binaries. The current builder offers the option to hide the .exe file using the extensions such as txt, jar, ps1, bat, png, doc, xls, pdf, mp3, mp4, and ppt.
Technical Analysis
During our static analysis, we found that Jester Stealer is a .Net-based malware. The malware also has a GitHub profile linked to it. Figure 6 shows the file information. In the later part of an infection, the malware uses the GitHub repository for downloading tor proxies.
The Jester stealer uses a custom decryption function, as shown in Figure 7. The function is used for decrypting information, such as Onion URL, TAs name, registry key, etc., used for stealing purposes.
The malware has several checks in-build, preventing the malware from executing it in the virtualization environment, as shown in Figure 8.
- First malware compares the string ” – -debug” with the command line parameter of the running sample. If matches, the malware identifies itself that it is being debugged and terminates its execution.
- The malware checks the presence of virtualization applications such as Virtulbox, vmbox, VMware, etc., and terminates its execution if they are identified to be running actively in the system.
- The malware specifically checks for a sandbox dll “SbieDll.dll” and terminates its execution if it is present in the infected machine.
- Finally, it uses anti-repeat technique to make sure the malware executes once. Upon execution, the malware creates a registry key value “state” and sets its to 1. When malware executes next time in the same machine, it checks the state from the registry and terminates if the value is already set. Figure 8 shows the new registry key added to achieve anti-repeat.
The malware generates the report after stealing information, as shown in Figure 10.
The malware creates text files such as AutoFill.txt, Cookies.txt, Tokens.txt, Account.txt, Credman.txt, Passwords.txt, Wallets.txt, Networks.txt, Autofill.txt, Vault.txt, Servers.txt, Bookmarks.txt, and CreditCards.txt to save the stolen data.
The malware also collects information from the infected machine, as shown in Figure 11. The malware stores all the stolen data in the memory during execution and zips it for exfiltration purposes.
The TOR proxy downloads from the GitHub repository and configures it over port 9050 for exfiltration, and it sends the data to a server hosted on the TOR. Figure 12 shows the code responsible for downloading the TOR proxy.
The malware uses the following decrypted onion URL for exfiltrating the data.
hxxp[:]//jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd[.]onion
If malware fails to send data to the TOR server, it tries uploading it to AnonFiles, a public file hosting server, as shown in Figure 13.
The zip file name of the stolen information has the following format.
- AttackerName_username_systemname.zip
After successful exfiltration, the malware self-deletes from the infected machine, as shown in Figure 14.
Conclusion
Stealers are evolving as one of the concerning threats. Exploiting human flaws in a security posture is easier for TAs than exploiting complex vulnerabilities. These attackers – also called “initial access brokers” – tend to use phishing campaigns to distribute such stealer malware and gather user credentials, system information, and even screenshots or data from their victims. In addition, the stealer finds use in carrying out various attacks like lateral movement and ransomware attacks. Using compromised credentials for attacks is a great way for criminals to stay under the radar and avoid tripping any security monitoring rules or triggering an incident response from blue teams.
Our Recommendations
- Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., mainly contain such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solution on the employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Credential Access | T1555 T1539 T1552 T1528 | Credentials from Password Stores Steal Web Session Cookie Unsecured Credentials Steal Application Access Token |
| Collection | T1113 | Screen Capture |
| Discovery | T1087 T1518 T1057 T1124 T1007 T1614 | Account Discovery Software Discovery Process Discovery System Time Discovery System Service Discovery System Location Discovery |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Exfiltration | T1041 T1567 | Exfiltration Over C2 Channel Exfiltration Over Web Service |
Indicators of Compromise (IoCs)
| Indicators | Indicator type | Description |
| hxxp[:]//jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd[.]onion | URL | C2 URL |
| 8879ae061540ce3de496adec3683b0fe 4b5f73578a49ca01cc2ba7b414bcf1edfbefa079 10c3846867f70dd26c5a54332ed22070c9e5e0e4f52f05fdae12ead801f7933b | Md5 SHA-1 SHA-256 | Stealer Payload |
| a30d170412986b90ce293b5a8ff7dfd8 a2d08c50f4adf4dabe5118ba390523e83b6ab246 0a5aa0a06a4d01dc423c4500d3278e61f03af07dd28ad299d29a6434026efebe | Md5 SHA-1 SHA-256 | Stealer Payload |
| 9196e0e3234ef664e828eba9628f468d 486d766fda3ad882d1cdb62e38de15f3041d0874 b1a4fb5177d642fb5647168070aa054f2eace2291c82361f0799ba0fbac38483 | Md5 SHA-1 SHA-256 | Stealer Payload |
| c73c7c93101d4d741c79127a37d13d3a ed8558d02259f5766db38e04cc3a0397a2ca78be e4637b5597e15a276d2635c05ac4ea71a3d2ec3dee2435991868f12a09e45d58 | Md5 SHA-1 SHA-256 | Stealer Payload |
| 7989d8fb3ec96482016acd52d56ea7f8 6ea8fc4269d1d6914337c922faf9b5b689a5b818 2a9904c9776ebb1843cc43ab3f70fa13083a37f44ffe965cf688788d5895ab14 | Md5 SHA-1 SHA-256 | Stealer Payload |
| 3986844f88921ccaba28a173a843c27a 83eb4a253e3199a8647e74caeebd96a4a3079657 efe72384bb1fb454100492b73ba80496052816f8b40b0e26f3492dce9bea8938 | Md5 SHA-1 SHA-256 | Stealer Payload |
| 26e71a30d1e8b43be1f16d3483d1d44c bbc0a01fc29f04a0b291222fe31cceeb7477aa80 ffddc659a5a95a821eb8479124b67decce76249ee7ec734bd766c02bd2f9242b | Md5 SHA-1 SHA-256 | Stealer Payload |
| 9378111ed1b30ad23d37d7d7c33345d1 5b6f37fb27d502f6c50ecac13bef06dcf597f0a9 2f6d1b66a3836d7eb9709592d530f2a1c8097b2c59ae7a51db9a5db8455d0294 | Md5 SHA-1 SHA-256 | Stealer Payload |
| 952cd4334dc6b9c1a3e0d0ab64d5afb2 8e76ad772450473e469e4423375d3caa1968bb9a 8972f6b14be6dd613bcb67127323efd9cd4f2404d98eb66187d4881751fa63d0 | Md5 SHA-1 SHA-256 | Stealer Payload |
| 90257b4f1de0e70235b2ff7419803afa 60cebe074e8303abf2c344a99c2e83bad5a0d9c3 81fcca2ba4b2af6081ff0291f7e5221ed811549b2b5e27e9456e19ed8f71c649 | Md5 SHA-1 SHA-256 | Stealer Payload |
| 2cd2390f2138b725f4176343784c7705 e9309eda5a0b8d4a52da226089edc79278dec8b4 fda7f3bd7166684ae7b8b1d4e6212c73a4af21452c7d855675600c1cd064cbdd | Md5 SHA-1 SHA-256 | Stealer Payload |
Yara rule Jester_Stealer
{
strings:
$s1 = "github.com/L1ghtM4n" ascii fullword
$s2 = "Jester" ascii fullword
$s3 = "BitcoinCore" wide fullword
$s4 = "[AnonFile]" wide fullword
$s5 = ".onion" wide fullword
condition:
uint16(0) == 0x5A4D and all of ($s*)
}
