The Jupyter infostealer was originally known for stealing data from popular browsers such as Chrome and Firefox.
In 2020, Hackread reported on Jupyter, a .NET trojan discovered by cyber security researchers at Morphisec Ltd. that served as a potent information stealer.
The trojan is designed to steal data from infected systems and send it to the operator’s server. It generally has no long-term objectives such as gaining persistence or remaining on the system for an extended period. Back then, the trojan mainly targeted browsers like Chrome and Mozilla Firefox.
Now, Morphisec has published a new report revealing that Jupyter has remained “active and highly evasive” since it was first discovered and continues to receive low-to-zero detections in the VirusTotal database. Hence, it can easily bypass even the most effective detection solutions.
Multiple Targets Identified
On 8 September 2021, Morphisec discovered another delivery chain involving the Jupyter infostealer trojan. Reportedly, multiple high-level targets of this trojan were identified, which indicates that threat actors are continuously developing their attack tactics to become more evasive and efficient.
The .NET DLL Payload
Researchers noted that while all the .NET DLL payloads remain obfuscated, the SP-10 variant contains source-code strings like the trojan’s previous payloads. The payloads are generated with the trial version of the Advanced Installer wizard (version 18.6.1), an all-in-one application packaging tool that lets attackers implement obscured script executions.
The MSI payload size has remained 100MB, which allows it to evade online AV scanners. Generally, the payload naming convention involves document subjects, words separated with a ‘-’ (dash) sign, words starting with a capital letter, etc.
Morphisec researchers wrote that all of the Jupyter variants they observed are described as Nitro Pro 13, an application used to create, edit, sign, and secure Portable Document Format files and digital documents.
When a targeted user runs the MSI payload, it executes a legitimate installation binary of Nitro Pro 13, while the delivery method disguises it as a PDF. Just one variant contains SumatraPDF instead of Nitro.
In contrast, two variants are signed with a valid but most likely stolen or impersonated certificate titled ‘TACHOPARTS SP Z O O,’ which the threat actor presumably stole from a Poland-based business. Another variant was signed with a revoked certificate titled ‘OOO Sistema,’ which is also stolen or impersonated and associated with a legitimate business.
The PowerShell command line is generated by a feature in Advanced Installer that executes a PowerShell loader as a CustomAction attribute, spawned by msiexec.exe.
“The file names within the parameters differ between variants but keep the same pattern. For example, in ‘scrEA14.ps1’, the EA14 is represented by four hex characters. These four characters are different between the payload variants. The PowerShell file in the -scriptFile parameter presented in Code block 1 represents the Jupyter PowerShell loader,” researchers noted.
This loader is similar to Jupyter’s previous loaders in that it remains an evasive file with low to zero detections on VirusTotal, a rarity for a full PowerShell loader.
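The delivery chain described above (msiexec.exe launching a PowerShell loader through an MSI CustomAction, with the script named in a -scriptFile parameter as scr followed by four hex characters and .ps1) gives defenders a concrete process-lineage pattern to hunt for. The following is an added detection example, not code from the Hackread article or from Morphisec’s report. It assumes Sysmon-style process-creation fields (ParentImage, Image, CommandLine); the sample events are constructed for illustration, and only the scrEA14.ps1 name and the -scriptFile parameter come from the quoted research.

```python
import re
from typing import Dict, List, Optional, Tuple

# Loader script naming pattern taken from the quoted research:
# "scr" + four hex characters + ".ps1", e.g. scrEA14.ps1.
SCRIPT_NAME_RE = re.compile(r"\bscr([0-9A-Fa-f]{4})\.ps1\b", re.IGNORECASE)

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are not real telemetry; only events 2 and 3 are expected to be flagged.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: ordinary admin script launched from the desktop shell
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
    },
    {   # 1: the legitimate Nitro Pro 13 installer binary run by msiexec.exe
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "Image": r"C:\Program Files\Nitro\Pro\13\NitroPDF.exe",
        "CommandLine": r'"C:\Program Files\Nitro\Pro\13\NitroPDF.exe"',
    },
    {   # 2: CustomAction spawning PowerShell with the loader-style script name
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -scriptFile C:\Users\Public\scrEA14.ps1",
    },
    {   # 3: msiexec.exe spawning PowerShell without the naming pattern (still worth a look)
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -scriptFile C:\Temp\setup.ps1",
    },
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def loader_script_tag(command_line: str) -> Optional[str]:
    """Return the four hex characters of a scrXXXX.ps1 name, or None if absent."""
    match = SCRIPT_NAME_RE.search(command_line)
    return match.group(1).upper() if match else None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Classify one process-creation event; None means nothing to report."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    # The lineage that matters here: the MSI engine launching PowerShell.
    if parent != "msiexec.exe" or child not in ("powershell.exe", "pwsh.exe"):
        return None
    tag = loader_script_tag(cmd)
    if tag:
        return f"high: msiexec.exe spawned PowerShell with loader-style script scr{tag}.ps1"
    return "medium: msiexec.exe spawned PowerShell (CustomAction?) without the scrXXXX.ps1 pattern"


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, verdict) pairs for every event that warrants attention."""
    findings = []
    for index, event in enumerate(events):
        verdict = classify(event)
        if verdict:
            findings.append((index, verdict))
    return findings


if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_EVENTS):
        print(f"event {index}: {verdict}")
```

The two-tier verdict is deliberate: the scrXXXX.ps1 name is specific to the observed variants and will drift, so the lineage check (msiexec.exe parenting PowerShell) is kept as a lower-confidence signal on its own, and the naming pattern only raises the priority when present.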
To conclude, this trend is nothing new in itself, because researchers have constantly observed new variants of existing malware being developed and even going unnoticed. Such research reports are a relief in the face of such threats, helping the cybersecurity community mend its blind spots.