Security researchers spotted a new piece of infostealing malware called Jupyter. The malware is a .NET infostealer that primarily targets Chromium, Firefox, and Chrome browser data, say Morphisec researchers.
According to the research, the malware demonstrates many capabilities that together enable full backdoor functionality. These capabilities include a command-and-control client, the download and execution of malware and PowerShell scripts, as well as shellcode inserted into legitimate Windows configuration apps.
How does the Jupyter attack start?
Jupyter’s attack chain typically starts with a downloaded zip file that contains an installer, an executable that usually impersonates legitimate software such as Docx2Rtf. Some of these installers have maintained 0 detections in VirusTotal over the last 6 months, making it exceptional at bypassing most endpoint security scanning controls, Morphisec says.
Once the installer is executed, the Jupyter loader in the form of a .NET client is injected into the memory. The client is characterized by a well-built communication protocol, versioning matrix, and persistence modules.
The next stage includes the execution of a PowerShell command, which activates the .NET module. Both .NET components present similar code structures, code obfuscation, and a unique UID implementation. All of these elements point to an end-to-end framework designed to deploy the infostealer on compromised systems.
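The chain described above (a downloaded installer that launches a hidden PowerShell command) can be hunted for in process-creation telemetry. The following is an added detection example, not code from Morphisec or the report; it assumes Sysmon-style fields (pid, parent pid, image path, command line) and runs over constructed sample events.

```python
"""Flag Jupyter-style chains: an executable running from a download/temp
location that spawns a hidden or encoded PowerShell command.
Assumed event shape: (pid, ppid, image_path, command_line)."""
import re

# Constructed sample events (not real telemetry). Event 300 mimics the chain
# in the article: an installer named like Docx2Rtf, run from Downloads,
# launching PowerShell with a hidden window and an encoded command placeholder.
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Users\alice\Downloads\Docx2Rtf-setup\Docx2Rtf.exe",
     "Docx2Rtf.exe"),
    (300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -w hidden -enc AAAA"),  # AAAA = constructed placeholder
    (400, 100, r"C:\Program Files\Vendor\app.exe", "app.exe"),
    (500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -File C:\\ProgramData\\Vendor\\update.ps1"),
]

# Parent images launched from user-writable download or temp directories.
DOWNLOAD_DIRS = re.compile(r"\\(downloads|temp|appdata\\local\\temp)\\", re.I)
POWERSHELL = re.compile(r"\\powershell(\.exe)?$", re.I)
# Command-line traits commonly paired with loader activation.
SUSPICIOUS_PS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|iex\b|downloadstring)",
    re.I)


def find_jupyter_like_chains(events):
    """Return (installer_pid, powershell_pid) pairs matching the pattern.

    Legitimate installers in Downloads also run PowerShell (e.g. updaters),
    so treat hits as leads for triage, not as verdicts.
    """
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if not POWERSHELL.search(image):
            continue
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        parent_image = parent[2]
        if DOWNLOAD_DIRS.search(parent_image) and SUSPICIOUS_PS.search(cmdline):
            hits.append((ppid, pid))
    return hits


if __name__ == "__main__":
    print(find_jupyter_like_chains(SAMPLE_EVENTS))
```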
When did the first Jupyter attacks take place?
The researchers have been observing a steady flow of forensic data pointing to Jupyter since May this year. “While many of the C2s are no longer active, they consistently mapped to Russia when we were able to identify them,” Morphisec adds.
There is more evidence pointing to a Russian origin for the attacks, such as the misspelling of the planet Jupiter’s name. “Additionally, Morphisec researchers ran a reverse Google Image search of the C2 admin panel image and were not surprised to find the exact image on Russian-language forums,” the researchers conclude.
Another example of a notable Trojan with information-stealing capabilities is the Astaroth malware.