430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Jupyter infostealer continues to evolve and is distributed via MSI installers

Cybersecurity researchers spotted a new version of the Jupyter infostealer which is distributed via MSI installers. Cybersecurity researchers from Morphisec have spotted a new version of the Jupyter infostealer that continues to be highly evasive. In November 2020, researchers at Morphisec have spotted Russian-speaking threat actors that have been using a piece of .NET infostealer, […]

Jupyter admin-panel

Cybersecurity researchers spotted a new version of the Jupyter infostealer which is distributed via MSI installers.

Cybersecurity researchers from Morphisec have spotted a new version of the Jupyter infostealer that continues to be highly evasive.

In November 2020, researchers at Morphisec have spotted Russian-speaking threat actors that have been using a piece of .NET infostealer, tracked as Jupyter, to steal information from their victims.

The Jupyter malware is able to collect data from multiple applications, including major Browsers (Chromium-based browsers, Firefox, and Chrome) and is also able to establish a backdoor on the infected system.

“Jupyter is an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality.” reads the analysis published by Morphisec. “These include:

  • a C2 client
  • download and execute malware
  • execution of PowerShell scripts and commands
  • hollowing shellcode into legitimate windows configuration applications.”

The experts spotted the infostealer during a routine incident response process in October, but according to forensic data earlier versions of the info-stealer have been developed since May.

The malware was continuously updated to evade detection and include new information-stealing capabilities, the most recent version was created in early November.

At the time of its discovery, the attack chain starwas starting with downloading a ZIP archive containing an installer (Inno Setup executable) masqueraded as legitimate software (i.e. Docx2Rtf).

On 8 September 2021, the researchers observed a new delivery chain that was able to avoid detection by using an MSI payload that executes a legitimate installation binary of Nitro Pro 13.

legitimate binaries

The MSI installer payload is over 100MB in size to bypass online AV scanners and is obfuscated using a third-party ‘All-in-one’ application packaging tool called Advanced Installer.

Upon executing the MSI payload, a PowerShell loader embedded within a legitimate binary of Nitro Pro 13 is executed.

“This loader is very similar to the previous Jupyter loaders in that it keeps a very evasive file with low to 0 detections on VirusTotal, which is rare for a full PowerShell loader (loader code with an embedded payload).” reads the analysis published by the experts. “While the Jupyter loaders are widely covered in our and other blogs, the new variant shares the same code pattern. The following code block is an example of a deobfuscated and beautified version of it”

Two of the variants analyzed by the researchers are signed with a valid certificate issued to a Polish business named ‘TACHOPARTS SP Z O O’. Another variant analyzed by the experts was signed with a revoked certificate named ‘OOO Sistema.’

“The evolution of the Jupyter infostealer/backdoor from when we first identified it in 2020 proves the truth of the statement that threat actors are always innovating. That this attack continues to have low or no detections on VirusTotal further indicates the facility with which threat actors evade detection-based solutions.” concludes the experts. “It’s clear that a new approach is required to threat prevention, as it’s likely these evasive attacks will continue.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]