Jump to content
  • A New Jupyter Malware Version is Being Distributed via MSI Installers

    aum

    • 409 views
    • 2 minutes
     Share


    • 409 views
    • 2 minutes

    Cybersecurity researchers have charted the evolution of Jupyter, a .NET infostealer known for singling out healthcare and education sectors, which make it exceptional at defeating most endpoint security scanning solutions.

     

    The new delivery chain, spotted by Morphisec on September 8, underscores that the malware has not just continued to remain active but also showcases "how threat actors continue to develop their attacks to become more efficient and evasive." The Israeli company said it's currently investigating the scale and scope of the attacks.

     

    First documented in November 2020, Jupyter (aka Solarmarker) is likely Russian in origin and primarily targets Chromium, Firefox, and Chrome browser data, with additional capabilities that allow for full backdoor functionality, including features to siphon information and upload the details to a remote server and download and execute further payloads. Forensic evidence gathered by Morphisec shows that multiple versions of Jupyter began emerging starting May 2020.

     

    In August 2021, Cisco Talos attributed the intrusions to a "fairly sophisticated actor largely focused on credential and residual information theft." Cybersecurity firm CrowdStrike, earlier this February, described the malware as packing a multi-stage, heavily obfuscated PowerShell loader, which leads to the execution of a .NET compiled backdoor.

     

    While previous attacks incorporated legitimate binaries of well-known software such as Docx2Rtf and Expert PDF, the latest delivery chain puts to use another PDF application called Nitro Pro. The attacks start with a deployment of an MSI installer payload that's over 100MB in size, allowing them to bypass anti-malware engines, and obfuscated using a third-party application packaging wizard called Advanced Installer.

     

    Running the MSI payload leads to the execution of a PowerShell loader embedded within a legitimate binary of Nitro Pro 13, two variants of which have been observed signed with a valid certificate belonging to an actual business in Poland, suggesting a possible certificate impersonation or theft. The loader, in the final-stage, decodes and runs the in-memory Jupyter .NET module.

     

    "The evolution of the Jupyter infostealer/backdoor from when we first identified it in 2020 proves the truth of the statement that threat actors are always innovating," Morphisec researcher Nadav Lorber said. "That this attack continues to have low or no detections on VirusTotal further indicates the facility with which threat actors evade detection-based solutions."

     

    Source

    • Like 2

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...