Cyble-Jester-Stealer-Blog

Jester Stealer: An Emerging Info Stealer

Cyble Research Labs has been actively monitoring various stealers, and recently we came across a malware sample that turned out to be Jester Stealer. Jester Stealer is an info stealer that harvests sensitive information such as login credentials, cookies, and credit card details and sends the exfiltrated data to the Threat Actor (TA). Figure 1 shows one of the advertisements used by the TAs.

Figure 1: Jester Stealer Advertisement

Jester Stealer surfaced on cybercrime forums in July 2021. Figure 2 shows the post made by the TA on a cybercrime forum.

Figure 2: Jester Stealer Post on a Cybercrime Forum

As per the TA’s statement, Jester Stealer has the following features:

⦁ Connection is encrypted using the AES-CBC-256 algorithm.

⦁ Servers can be located in the tor network.

⦁ All logs will be redirected to your telegram bot.

⦁ Swift log collection in memory without writing any data to disk.

Figure 3: Jester Stealer Features

During our investigation, we found that Jester Stealer has received seven updates and has added capabilities with every update. Apart from the features mentioned above, we found that the stealer has anti-sandbox and anti-VM features. It can exfiltrate data from various applications such as browsers, VPN clients, password managers, chat messengers, email clients, crypto wallets, and gaming software. The exfiltrated data is sent as logs through TOR to a Telegram bot. If the log does not reach the Telegram bot for some reason, it is uploaded to AnonFiles (an anonymous file-sharing platform) instead.

Figure 4: Jester Stealer Functionalities

The developers of Jester Stealer also provide a builder that creates custom malware binaries. The current builder offers an option to disguise the .exe file with extensions such as txt, jar, ps1, bat, png, doc, xls, pdf, mp3, mp4, and ppt.

Figure 5: Jester Stealer Telegram Channel

Technical Analysis

During our static analysis, we found that Jester Stealer is .NET-based malware. The malware also has a GitHub profile linked to it. Figure 6 shows the file information. Later in the infection, the malware uses the GitHub repository to download Tor proxies.

Figure 6: File Information

Jester Stealer uses a custom decryption function, as shown in Figure 7. The function decrypts information used for stealing, such as the onion URL, the TA’s name, and the registry key.

Figure 7: Custom decryption function

The malware has several built-in checks that prevent it from executing in a virtualized environment, as shown in Figure 8.

Figure 8: Anti-sandbox and Anti-VM Check

  • First, the malware compares the string “--debug” with the command-line parameters of the running sample. If it matches, the malware concludes that it is being debugged and terminates its execution.
  • The malware checks for the presence of virtualization applications such as VirtualBox, vmbox, VMware, etc., and terminates its execution if they are found to be running on the system.
  • The malware specifically checks for the sandbox DLL “SbieDll.dll” and terminates its execution if it is present on the infected machine.
  • Finally, it uses an anti-repeat technique to make sure the malware executes only once. Upon execution, the malware creates a registry value “state” and sets it to 1. When the malware executes the next time on the same machine, it checks the state from the registry and terminates if the value is already set. Figure 9 shows the new registry key added to achieve anti-repeat.

Figure 9: Registry Key added

The malware generates a report after stealing information, as shown in Figure 10.

Figure 10: Stealing Data

The malware creates text files such as AutoFill.txt, Cookies.txt, Tokens.txt, Account.txt, Credman.txt, Passwords.txt, Wallets.txt, Networks.txt, Autofill.txt, Vault.txt, Servers.txt, Bookmarks.txt, and CreditCards.txt to save the stolen data.

The malware also collects system information from the infected machine, as shown in Figure 11. It keeps all the stolen data in memory during execution and zips it for exfiltration.

Figure 11: Sample exfiltrated data

The malware downloads the Tor proxy from the GitHub repository, configures it to listen on port 9050 for exfiltration, and sends the data to a server hosted on Tor. Figure 12 shows the code responsible for downloading the Tor proxy.

Figure 12: Download tor proxy

The malware uses the following decrypted onion URL for exfiltrating the data.

hxxp[:]//jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd[.]onion

If the malware fails to send data to the Tor server, it tries uploading it to AnonFiles, a public file-hosting service, as shown in Figure 13.

The zip file containing the stolen information is named in the following format:

  • AttackerName_username_systemname.zip

Figure 13: File Uploaded to anonfiles
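As an added example (not part of Cyble's write-up), the following Python shows how a defender could flag the exfiltration path described above in endpoint and proxy telemetry: a process driving the local Tor SOCKS port 9050, requests for the Jester onion C2 or the AnonFiles fallback, and zip files named in the AttackerName_username_systemname.zip pattern. The log format, process name, user and host names are constructed for illustration.

```python
import re

# Constructed telemetry lines ("<source> key=value ..."), not real logs; names are made up.
SAMPLE_LOGS = [
    "netconn proc=svchost.exe dst=10.0.0.5:443",
    "netconn proc=Invoice.pdf.exe dst=127.0.0.1:9050",
    "proxy proc=Invoice.pdf.exe host=jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion",
    "proxy proc=Invoice.pdf.exe host=anonfiles.com",
    "filewrite proc=Invoice.pdf.exe path=C:\\Users\\bob\\AppData\\Local\\Temp\\jester_bob_DESKTOP-1234.zip",
    "filewrite proc=WinRAR.exe path=C:\\Users\\bob\\Documents\\photos_2021.zip",
]

# Indicator from the write-up: the onion C2 host. AnonFiles is the documented fallback.
ONION_C2 = "jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion"
# AttackerName_username_systemname.zip: exactly three underscore-separated fields.
ZIP_NAME_RE = re.compile(r"(?P<attacker>[^_\\/]+)_(?P<user>[^_\\/]+)_(?P<host>[^_\\/]+)\.zip$", re.I)
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split a telemetry line into its source and a dict of key=value fields."""
    source, _, rest = line.partition(" ")
    return source, dict(KV_RE.findall(rest))

def classify(line):
    """Return alert tags for one line; an empty list means nothing suspicious."""
    source, f = parse_line(line)
    tags = []
    if source == "netconn" and f.get("dst", "").endswith(":9050"):
        tags.append("local-tor-socks")          # stealer drives its own Tor proxy on 9050
    if source == "proxy":
        host = f.get("host", "").lower()
        if host == ONION_C2:
            tags.append("jester-onion-c2")
        elif host.endswith("anonfiles.com"):
            tags.append("anonfiles-fallback")   # used when the onion C2 is unreachable
    if source == "filewrite":
        m = ZIP_NAME_RE.search(f.get("path", ""))
        if m:
            tags.append("exfil-zip:%s/%s/%s" % (m["attacker"], m["user"], m["host"]))
    return tags

def scan(lines):
    """Group alert tags by process so one stealer run shows up as a single cluster."""
    hits = {}
    for line in lines:
        tags = classify(line)
        if tags:
            hits.setdefault(parse_line(line)[1].get("proc", "?"), []).extend(tags)
    return hits
```

The zip-name match alone is weak (any three-field name fires), so it is only useful as a corroborating signal next to the Tor and onion indicators from the same process.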

After successful exfiltration, the malware self-deletes from the infected machine, as shown in Figure 14.

Figure 14: Self-delete

Conclusion

Stealers are evolving into one of the more concerning threats. Exploiting human weaknesses in a security posture is easier for TAs than exploiting complex vulnerabilities. These attackers, also called “initial access brokers”, tend to use phishing campaigns to distribute such stealer malware and gather user credentials, system information, and even screenshots or data from their victims. In addition, the stolen data is used to carry out further attacks such as lateral movement and ransomware deployment. Using compromised credentials is an effective way for criminals to stay under the radar and avoid tripping security monitoring rules or triggering an incident response from blue teams.

Our Recommendations

  • Avoid downloading pirated software from warez/torrent websites. The “hack tools” promoted on sites such as YouTube and torrent sites commonly contain such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PCs, laptops, and mobiles.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., torrent/warez sites.
  • Monitor beaconing at the network level to block data exfiltration by malware or TAs.
  • Enable a Data Loss Prevention (DLP) solution on employees’ systems.

MITRE ATT&CK® Techniques 

Tactic               Technique ID   Technique Name
Initial Access       T1566          Phishing
Execution            T1204          User Execution
Defense Evasion      T1497.001      Virtualization/Sandbox Evasion: System Checks
Credential Access    T1555          Credentials from Password Stores
                     T1539          Steal Web Session Cookie
                     T1552          Unsecured Credentials
                     T1528          Steal Application Access Token
Collection           T1113          Screen Capture
Discovery            T1087          Account Discovery
                     T1518          Software Discovery
                     T1057          Process Discovery
                     T1124          System Time Discovery
                     T1007          System Service Discovery
                     T1614          System Location Discovery
Command and Control  T1095          Non-Application Layer Protocol
Exfiltration         T1041          Exfiltration Over C2 Channel
                     T1567          Exfiltration Over Web Service

Indicators of Compromise (IoCs)  

Indicator                                                                   Indicator type   Description
hxxp[:]//jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd[.]onion   URL              C2 URL

Yara rule

rule Jester_Stealer
{
    strings:
        $s1 = "github.com/L1ghtM4n" ascii fullword
        $s2 = "Jester" ascii fullword
        $s3 = "BitcoinCore" wide fullword
        $s4 = "[AnonFile]" wide fullword
        $s5 = ".onion" wide fullword

    condition:
        // "MZ" DOS header read as a little-endian uint16, and every $s string present
        uint16(0) == 0x5A4D and all of ($s*)
}
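To make the rule's ascii, wide and fullword modifiers concrete, the following Python is an added re-implementation of its condition (written for this page, not Cyble's code, and not a replacement for running YARA itself): it checks the little-endian MZ header and searches for each string in ASCII or UTF-16LE form with fullword boundaries. The sample buffers are constructed, not real samples.

```python
import re
import struct

# Strings and modifiers copied from the Jester_Stealer rule above.
ASCII_STRINGS = ["github.com/L1ghtM4n", "Jester"]
WIDE_STRINGS = ["BitcoinCore", "[AnonFile]", ".onion"]

def ascii_fullword(s):
    """YARA 'ascii fullword': no alphanumeric byte directly before or after the match."""
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s.encode()) + rb"(?![A-Za-z0-9])")

def wide_fullword(s):
    """YARA 'wide fullword': same check on the UTF-16LE form, where every character
    is followed by a NUL byte, so the boundary is an (alnum, 0x00) byte pair."""
    body = re.escape(s.encode("utf-16-le"))
    return re.compile(rb"(?<![A-Za-z0-9]\x00)" + body + rb"(?![A-Za-z0-9]\x00)")

PATTERNS = [ascii_fullword(s) for s in ASCII_STRINGS] + [wide_fullword(s) for s in WIDE_STRINGS]

def matches_jester_rule(data):
    """Equivalent of: uint16(0) == 0x5A4D and all of ($s*)."""
    # uint16(0) is little-endian, so the bytes "MZ" (0x4D 0x5A) read as 0x5A4D.
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    return all(p.search(data) for p in PATTERNS)

def build_sample(wide_encoding="utf-16-le", header=b"MZ"):
    """Constructed stand-in for a scanned file: a 2-byte header followed by the
    rule's strings separated by NUL bytes. Not a real Jester binary."""
    parts = [s.encode() for s in ASCII_STRINGS] + [s.encode(wide_encoding) for s in WIDE_STRINGS]
    return header + b"\x00" + b"\x00\x00".join(parts) + b"\x00\x00"
```

Because .NET stores string literals as UTF-16 in the assembly, a plain ASCII search for BitcoinCore misses them; the wide modifier is what lets the rule fire on this .NET stealer.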