New Jupyter information stealer appeared in the threat landscape

Pierluigi Paganini November 16, 2020

Russian-speaking threat actors have been using a piece of malware, dubbed Jupyter malware, to steal information from their victims.

Researchers at Morphisec have spotted Russian-speaking threat actors that have been using a piece of .NET infostealer, tracked as Jupyter, to steal information from their victims.

The Jupyter malware is able to collect data from multiple applications, including major Browsers (Chromium-based browsers, Firefox, and Chrome) and is also able to establish a backdoor on the infected system.

“Jupyter is an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality.” reads the analysis published by Morphisec. “These include:

  • a C2 client
  • download and execute malware
  • execution of PowerShell scripts and commands
  • hollowing shellcode into legitimate windows configuration applications.”

The experts spotted the new threat during a routine incident response process in October, but according to forensic data earlier versions of the info-stealer have been developed since May.

The malware was continuously updated to evade detection and include new information-stealing capabilities, the most recent version was created in early November.

The attack chain starts with downloading a ZIP archive containing an installer (Inno Setup executable) masqueraded as legitimate software (i.e. Docx2Rtf). Experts pointed out that the installers have maintained a VirusTotal detection rate of 0 over the last 6 months.

The initial installers pose as Microsoft Word documents and use the following names:

  • The-Electoral-Process-Worksheet-Key.exe
  • Mathematical-Concepts-Precalculus-With-Applications-Solutions.exe
  • Excel-Pay-Increase-Spreadsheet-Turotial-Bennett.exe
  • Sample-Letter-For-Emergency-Travel-Document

Upon executing the installer, a .NET C2 client (Jupyter Loader) is injected into the memory using a process hollowing technique. The injected process is a .NET loader that acts as the client for the command and control server.

“The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter .NET module. Both of the .Net components have similar code structures, obfuscation, and unique UID implementation.” continues Morphisec. “These commonalities indicate the development of an end to end framework for implementing the Jupyter Infostealer.”

The author of the malware replaced the process hollowing with a PowerShell command to run the payload in memory.

The latest versions the installer also rely on the PoshC2 framework to establish persistence on the machine by creating a shortcut LNK file and placing it in the startup folder. The experts collected multiple evidence that linked the malicious code to Russian threat actors.

Morphisec’s researchers discovered that many of the C2 Jupyter servers were located in Russia, some of them are currently inactive.

The experts also noticed that a typo that is consistent with the Jupyter name converted from Russian and found images of the Jupyter’s administration panel on a Russian-language forum.

Jupyter admin-panel

The experts believe that threat actors behind the Jupyter malware will implement new features to keeps it under the radar and to gather more information from the victims’ machines.

Morphisec provided more technical details about the Jupyter attack in a report that could be downloaded here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, info-stealer)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment