Russian-speaking hackers have been using a new malware to steal information from their victims. Named Jupyter, the threat has kept a low profile and benefited from a fast development cycle.
While Jupyter’s purpose is to collect data from various software, the malicious code supporting its delivery can also be used to create a backdoor on an infected system.
Russian-speaking hackers have been using a new malware to steal information from their victims. Named Jupyter, the threat has kept a low profile and benefited from a fast development cycle.
While Jupyter’s purpose is to collect data from various software, the malicious code supporting its delivery can also be used to create a backdoor on an infected system.
Installer evades detection for 6 months
A variant of the malware emerged during an incident response engagement in October at a University in the U.S. But forensic data indicates that earlier versions have been developed since May.
Researchers at cybersecurity company Morphisec discovered that the developers of the attack kit were highly active, some components receiving more than nine updates in a single month.
The most recent version was created in early November but it does not include significant changes. The constant modification of the code, though, allows it to evade detection and enables Jupyter to collect more data from compromised systems.
Jupyter is .NET-based and focuses on stealing data from Chromium, Mozilla Firefox, and Google Chrome web browsers: cookies, credentials, certificates, autocomplete info.
Delivering the stealer starts with downloading an installer (Inno Setup executable) in a ZIP archive that poses as legitimate software. According to Morphisec, some of these installers went fully undetected on the VirusTotal scanning platform for the last six months.
The installer leverages the process hollowing technique to inject into the memory of a process a .NET loader acting as the client for the command and control server.
“The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter .NET module,” Morphisec explains.
In a later version of the installer, the developers switched from process hollowing to a PowerShell command to run in memory.
All these capabilities – the C2 client, downloading and executing malware, PowerShell scripts, and commands, and the process hollowing technique – enable the extended backdoor functions.
From what Morphisec observed, the initial installers that start the attack chain pose as Microsoft Word documents and use the following names:
- The-Electoral-Process-Worksheet-Key.exe
- Mathematical-Concepts-Precalculus-With-Applications-Solutions.exe
- Excel-Pay-Increase-Spreadsheet-Turotial-Bennett.exe
- Sample-Letter-For-Emergency-Travel-Document
Legit decoys, pentest toolkit
The installers runs legitimate tools like Docx2Rtf and Magix Photo Manager to create a diversion while dropping in the background two PowerShell scripts, one encoded and decoded by the other.
The latest versions of the initial installer also rely on the PoshC2 framework used in penetration testing to establish persistence on the machine by creating a shortcut LNK file and placing it in the startup folder.
Morphisec’s report covers technical details for the tools and scripts used in a Jupyter attack, tracing the evolution of the components and exposing their inner workings. Indicators of compromise are also available.
Russian links
The researchers say that many of the C2 Jupyter servers were located in Russia. A large number of them are currently inactive.
The link to Russian-speaking developers is stronger than this, though, as Morphisec noticed a typo that is consistent to the Jupyter name converted from Russian.
Further evidence supporting this theory came after running a reverse image search for Jupyter’s administration panel, which showed a result on a Russian-language forum.
Morphisec says that the constant development of this infostealer translates into adding new elements that keeps it under the radar. Moreover, the developers extend the range of information targeted.
To read the original article: