The PolySwarm Blog

Jester Stealer

Mar 10, 2022 10:10:05 AM / by PolySwarm Tech Team

Background

Cyble recently published research on Jester Stealer, an info stealer known to harvest login credentials, cookies, payment card details, and other information.

What is Jester Stealer?

Jester Stealer, written in .NET, was first seen on cybercrime forums in mid-2021. The threat actors behind Jester Stealer advertised it as having the following functionality:

  • Encrypted connection using the AES-CBC-256 algorithm
  • Servers located on the TOR network
  • Logs redirected to a Telegram bot
  • Log collection in memory without writing data to the disk

Anti-sandbox and anti-VM features were added later in an attempt to thwart reverse engineering.

Additionally, Jester Stealer collects information from the following:

  • Browsers (over 20 supported)
  • Email clients (Thunderbird, Outlook, FoxMail)
  • Messengers (Telegram, Discord, WhatsApp, Signal, Pidgin)
  • Cold crypto wallets
  • Browser crypto extensions
  • Password managers
  • VPN clients
  • FTP
  • Gaming software (Steam, Twitch, OBS)
  • System credentials

So far, Cyble has observed Jester Stealer undergoing seven updates, with each update attempting to increase the malware’s functionality. Jester Stealer can harvest the types of information noted above and send it as logs via TOR to a Telegram bot. Alternatively, the logs can be sent to AnonFiles. The threat actors selling Jester Stealer also provide a builder to create custom malware binaries, with a variety of extensions including txt, jar, ps1, bat, png, doc, xls, pdf, mp3, mp4, and ppt to hide the .EXE.
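As an added defender-side example (not code from the PolySwarm post or from Cyble's research), the script below flags files that carry one of the disguise extensions listed above but are really Windows executables, either through a double extension such as .pdf.exe or through PE headers sitting behind a document extension. The file names and the minimal PE header used for testing are constructed for the demonstration.

```python
import struct
from pathlib import Path
from typing import Iterator, Optional, Tuple

# Extensions the Jester Stealer builder is reported to offer for disguising the .EXE.
DISGUISE_EXTENSIONS = {"txt", "jar", "ps1", "bat", "png", "doc",
                       "xls", "pdf", "mp3", "mp4", "ppt"}

def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(filename: str, data: bytes) -> Optional[str]:
    """Return a reason string if the file looks like a disguised executable, else None."""
    exts = [s.lstrip(".") for s in Path(filename.lower()).suffixes]
    # 'invoice.pdf.exe': a document-looking extension followed by the real one.
    if len(exts) >= 2 and exts[-1] == "exe" and exts[-2] in DISGUISE_EXTENSIONS:
        return f"double extension .{exts[-2]}.exe"
    # 'invoice.pdf' whose bytes are actually a PE image.
    if exts and exts[-1] in DISGUISE_EXTENSIONS and is_pe_image(data):
        return f"PE image stored with .{exts[-1]} extension"
    return None

def scan_directory(root: str) -> Iterator[Tuple[str, str]]:
    """Walk root and yield (path, reason) for every file classify() flags."""
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                head = fh.read(64 * 1024)  # enough to reach e_lfanew in practice
            reason = classify(path.name, head)
            if reason:
                yield str(path), reason

def make_minimal_pe() -> bytes:
    """Constructed test input: only the two headers is_pe_image() checks, not a runnable binary."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)

if __name__ == "__main__":
    import sys
    for found, why in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{found}: {why}")
```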

Cyble notes that initial access brokers can use Jester Stealer and other info stealers to harvest credentials and lay the groundwork for future attacks involving lateral movement or ransomware.

IOCs

PolySwarm has multiple samples of Jester Stealer.


You can use the following CLI command to search for all Jester Stealer samples in our portal:

$ polyswarm link list -f JesterStealer
