[BreachExchange] A New Jupyter Malware Version is Being Distributed via MSI Installers

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Sep 27 09:06:19 EDT 2021


https://thehackernews.com/2021/09/a-new-jupyter-malware-version-is-being.html

Cybersecurity researchers have charted the evolution of Jupyter, a .NET
infostealer known for singling out the healthcare and education sectors and
for defeating most endpoint security scanning solutions.

The new delivery chain, spotted by Morphisec on September 8, underscores
that the malware has not just continued to remain active but also showcases
"how threat actors continue to develop their attacks to become more
efficient and evasive." The Israeli company said it's currently
investigating the scale and scope of the attacks.

First documented in November 2020, Jupyter (aka Solarmarker) is likely
Russian in origin and primarily targets Chromium, Firefox, and Chrome
browser data, with additional capabilities that amount to a full backdoor:
it can siphon information, upload it to a remote server, and download and
execute further payloads. Forensic evidence gathered by Morphisec shows
that multiple versions of Jupyter began emerging starting May 2020.

In August 2021, Cisco Talos attributed the intrusions to a "fairly
sophisticated actor largely focused on credential and residual information
theft." Cybersecurity firm CrowdStrike, earlier this February, described
the malware as packing a multi-stage, heavily obfuscated PowerShell loader,
which leads to the execution of a .NET compiled backdoor.

While previous attacks incorporated legitimate binaries of well-known
software such as Docx2Rtf and Expert PDF, the latest delivery chain puts to
use another PDF application called Nitro Pro. The attacks start with the
deployment of an MSI installer payload that is over 100MB in size, large
enough to exceed the scan limits of many anti-malware engines, and that is
built and obfuscated with a legitimate third-party application packaging
wizard called Advanced Installer.

Running the MSI payload leads to the execution of a PowerShell loader
embedded within a legitimate binary of Nitro Pro 13, two variants of which
have been observed signed with a valid certificate belonging to an actual
business in Poland rather than to Nitro's vendor, suggesting possible
certificate impersonation or theft: the signature verifies, but the signer
is not who it should be. In the final stage, the loader decodes and runs
the Jupyter .NET module in memory.
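The three traits described above (an oversized installer, a signature that is technically valid but from an unexpected signer, and a package produced with Advanced Installer) are all checkable on a suspect file. The following PowerShell triage helper is an added example, not code from Morphisec or The Hacker News, and does not use any indicator from the campaign. Its assumptions are marked in the comments: the 100MB size cut-off is taken from the article's figure and should be tuned to the scanner in use, the expected publisher string ('Nitro Software') is a hypothetical default for the vendor comparison, and the MSI "Creating Application" value is read from the Summary Information stream (PID_APPNAME, property 18) through the WindowsInstaller.Installer COM object.

```powershell
# Added triage helper (not part of the Morphisec/THN write-up). Reports the
# size, Authenticode signer and MSI build tool of a file so that the traits
# described in the article can be checked on arbitrary installers.

function Get-InstallerTriage {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Size above which many AV engines stop scanning (assumed; tune per product).
        [int64] $SizeLimitBytes = 100MB,
        # Substring the signer Subject must contain to count as the expected vendor
        # (hypothetical default; set to the publisher you actually expect).
        [string] $ExpectedPublisher = 'Nitro Software'
    )

    $file = Get-Item -LiteralPath $Path
    $result = [ordered]@{
        Path                = $file.FullName
        SizeMB              = [math]::Round($file.Length / 1MB, 1)
        OverSizeLimit       = $file.Length -gt $SizeLimitBytes
        SignatureStatus     = $null
        Signer              = $null
        Thumbprint          = $null
        SignerMatchesVendor = $false
        CreatingApplication = $null
    }

    # Authenticode check. "Valid" only means the certificate chain verifies; a
    # stolen or impersonated certificate also yields Valid, so the Subject must
    # be compared with the publisher you expect for this software.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $result.SignatureStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) {
        $result.Signer              = $sig.SignerCertificate.Subject
        $result.Thumbprint          = $sig.SignerCertificate.Thumbprint
        $result.SignerMatchesVendor = $sig.SignerCertificate.Subject -like "*$ExpectedPublisher*"
    }

    # For MSI packages, read the Summary Information stream. Property 18
    # (PID_APPNAME, "Creating Application") records the tool that built the
    # package, which is where a packaging wizard such as Advanced Installer
    # normally leaves its name. Database is opened read-only (mode 0).
    if ($file.Extension -eq '.msi') {
        try {
            $installer = New-Object -ComObject WindowsInstaller.Installer
            $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($file.FullName, 0))
            $si = $db.GetType().InvokeMember('SummaryInformation', 'GetProperty', $null, $db, @(0))
            $result.CreatingApplication = $si.GetType().InvokeMember('Property', 'GetProperty', $null, $si, @(18))
        } catch {
            $result.CreatingApplication = "unreadable: $($_.Exception.Message)"
        }
    }

    [pscustomobject]$result
}

# Usage: sweep user-writable locations and surface files that are oversized or
# carry a valid signature from someone other than the expected vendor.
Get-ChildItem -Path $env:USERPROFILE -Recurse -Include *.msi, *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { Get-InstallerTriage -Path $_.FullName } |
    Where-Object { $_.OverSizeLimit -or ($_.SignatureStatus -eq 'Valid' -and -not $_.SignerMatchesVendor) } |
    Format-Table Path, SizeMB, SignatureStatus, Signer, CreatingApplication -AutoSize
```

A hit on SignerMatchesVendor being false with SignatureStatus Valid is exactly the situation the article describes: the chain verifies, so signature-based allow-listing passes, and only the Subject comparison reveals that the certificate belongs to an unrelated business. Treat the size threshold as a heuristic; the point is that a file above a scanner's limit has not been scanned at all, not that every large installer is malicious.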

"The evolution of the Jupyter infostealer/backdoor from when we first
identified it in 2020 proves the truth of the statement that threat actors
are always innovating," Morphisec researcher Nadav Lorber said. "That this
attack continues to have low or no detections on VirusTotal further
indicates the facility with which threat actors evade detection-based
solutions."