Possible Link Between Jester Stealer and Eternity Stealer
Jester stealer first appeared in the underground in mid-July 2021. It is an information stealer developed in .NET and is part of the "Jester" threat group's arsenal. The malware steals credentials from different sources, such as Windows Vaults, browsers, wallets, password managers and messaging applications, among others; it also collects information about the infected system, grabs files from predefined locations and takes screenshots.
The exfiltration mechanism varies between versions, but common to all of them is the use of a proxy: either a Tor proxy, the default .NET web proxy, or a hardcoded IP:port pair. Some versions also had an option to exfiltrate the stolen data as a zipped file to AnonFiles using a predefined token. New versions of the stealer are released on a regular basis with new functionality.
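The three exfiltration paths described above (a local Tor SOCKS proxy, a hardcoded IP:port destination, and an upload to AnonFiles) each leave a distinct trace in process-to-network telemetry. The following triage rule is an added example written for this page, not code from the original report or from the malware; it scans constructed connection events (the `process|host|ip|port` format, the process names and the addresses are all assumptions made here) and reports which indicator each process triggered. The Tor SOCKS ports 9050 and 9150 are the well-known defaults for the Tor daemon and Tor Browser.

```python
"""Triage rule for the exfiltration pattern described in the text.

Constructed example, not the report's or the malware's code. Event
format, process names and addresses are assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TOR_SOCKS_PORTS = {9050, 9150}                 # default Tor SOCKS ports
ANONFILES_HOSTS = {"anonfiles.com", "api.anonfiles.com"}
COMMON_PORTS = {80, 443}                       # ordinary outbound web ports
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class NetEvent:
    process: str
    dest_host: str   # resolved hostname, or the literal IP if none
    dest_ip: str
    dest_port: int


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    """Loopback, link-local or RFC1918 destinations are not exfil targets."""
    return ip.is_loopback or ip.is_link_local or any(ip in n for n in RFC1918)


def classify(event: NetEvent) -> Optional[str]:
    """Return the matched exfiltration indicator, or None."""
    ip = ipaddress.ip_address(event.dest_ip)
    if ip.is_loopback and event.dest_port in TOR_SOCKS_PORTS:
        return "tor-socks-proxy"
    if event.dest_host.lower() in ANONFILES_HOSTS:
        return "anonfiles-upload"
    # A literal external IP (no hostname) on an uncommon port points to a
    # hardcoded IP:port destination rather than a normal web request.
    if (event.dest_host == event.dest_ip
            and not is_internal(ip)
            and event.dest_port not in COMMON_PORTS):
        return "hardcoded-ip-port"
    return None


def parse_line(line: str) -> NetEvent:
    """Parse one constructed log line of the form 'process|host|ip|port'."""
    process, host, ip, port = line.strip().split("|")
    return NetEvent(process, host, ip, int(port))


def triage(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each process to the set of indicators it triggered."""
    hits: Dict[str, Set[str]] = {}
    for line in lines:
        ev = parse_line(line)
        tag = classify(ev)
        if tag:
            hits.setdefault(ev.process, set()).add(tag)
    return hits


# Constructed sample events (fictitious process names; documentation IPs).
SAMPLE_LOG = [
    "update.exe|127.0.0.1|127.0.0.1|9050",
    "update.exe|anonfiles.com|203.0.113.10|443",
    "chrome.exe|www.example.com|93.184.216.34|443",
    "svc.exe|198.51.100.7|198.51.100.7|8080",
]

if __name__ == "__main__":
    for proc, tags in triage(SAMPLE_LOG).items():
        print(f"{proc}: {', '.join(sorted(tags))}")
```

On the sample above, `update.exe` is reported for both the Tor SOCKS proxy and the AnonFiles upload, `svc.exe` for a hardcoded IP:port destination, and the browser session is not reported. The loopback rule will also match a legitimate Tor client on the host, and the default .NET web proxy path is not distinguishable from ordinary system-proxy traffic at this layer, so the rule is a triage filter to combine with process reputation, not a standalone verdict.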
In mid-January, Jester's main seller disappeared, stopped responding to messages and started blocking customers. Several messages appeared on the Telegram channel and on forums warning about the scam. Subsequently, other profiles started to appear on Telegram under the same scheme as Jester's group, including "EternityProject" and "AgratProject". Our research confirms that Eternity Stealer is an evolution or re-brand of Jester stealer: the code of the two stealers is almost the same, with Eternity adding some new features.
The Jester Stealer Actor
At the time of writing this blog post, the Jester_Stealer user had been banned from most of the forums where the stealer was sold.
Jester_Stealer present themselves as a group of programmers. Nevertheless, in several samples, references to a GitHub profile associated with the "LightMan" actor (also "L1ghtM4n" or "LightM4n") were found. LightMan was the developer behind the Vulturi software, which was cracked by two users of the LampRET forum. LightMan's Telegram accounts warned users on Jester_Stealer's Telegram channel that the main seller had gone with the customers' money, encouraging Jester's users to write to LightMan's Telegram account. Not long after that, LightMan was recommending Eternity Stealer in other underground forums.
It is also worth mentioning the case of another Telegram channel, "@jesterlab", which now appears under the name "EternityLab". Initially it was selling Jester's tools, and from mid-January it switched to Eternity's products. Some messages were also forwarded from Eternity Project's Telegram channel.
The EternityTeam profile was created in the BDFClub forums just a day after the scam by Jester's main seller was reported. The advertisement style resembled the one used by the Jester_Stealer group and demonstrates how fast threat actors adapt to attempt a similar style of attack under a new pseudonym. The variety of tools initially offered by EternityTeam was also highly similar to those sold by Jester_Stealer, including a worm, a clipper and a miner, while adding new ones such as a ransomware. In some Eternity binaries, references to LightMan were also observed.
AgratProject is another threat actor offering products equivalent to those offered by EternityTeam. The actor itself confirmed that the code of the Agrat and Eternity stealers is the same, since the developer is the same.
In this report we delve into Jester stealer's functionality, performing a code-level analysis of its main technical features. We then examine the possible relations between Jester stealer and Eternity stealer, as well as other linked groups and profiles. Finally, we describe the evolution across Jester's versions, including Eternity Stealer.