Jupyter Infostealer Description
The Jupyter Infostealer is a strain of .NET malware designed to harvest specific data from compromised computers. It targets three major groups of mainstream browsers: Chrome, Chromium-based browsers and Firefox. Jupyter's operations have since expanded beyond those of a simple infostealer with the addition of backdoor capabilities. The threat has an established Command-and-Control (C2, C&C) infrastructure, can download and execute additional malware payloads, and can execute arbitrary PowerShell commands and scripts.
According to researchers at Morphisec, this infostealer was developed by a Russia-based or Russian-speaking hacker group. Several observations support that conclusion: a significant portion of the C2 infrastructure set up for Jupyter is located in Russia, the misspelling of the name found in the threat's code is a common mistake when the word is converted from Russian, and, quite tellingly, images of Jupyter's administration panel have been discovered in posts on a Russian hacker forum.
The Jupyter Infostealer's attack chain begins with the distribution of phishing emails carrying poisoned archive attachments. The .ZIP archives contain the threat's installer disguised as an innocuous Word document. The hackers use several different names for the malware-laced files in an attempt to lure the victim into executing them. Some of the names include:
If the victim falls for the trap, the installer injects a .NET loader into memory through a process hollowing technique. The hollowed process acts as a C2 client, listening for commands sent by the attackers. The next phase of the attack chain consists of downloading a PowerShell command responsible for executing the Jupyter Infostealer .NET module in memory rather than from a file on disk.
Analysis of several Jupyter samples shows that the threat is under active development, which could further expand its potency. For example, later Jupyter versions achieve persistence on the compromised system: using the PoshC2 framework, a shortcut (.LNK) file is placed in the operating system's Startup folder, so the loader is relaunched at each logon.
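The Startup-folder persistence described above is something a responder can check for directly. The following PowerShell function is an added example for this page; it is not code from the original article, from Morphisec, or from the malware. It walks the per-user and all-users Startup folders, resolves each .LNK through the WScript.Shell COM object, and flags shortcuts whose target is a script host or whose arguments look like a hidden or download-and-execute PowerShell launch. The list of suspicious argument fragments is an illustrative assumption, not a published Jupyter indicator; a hit is a lead for triage, not a verdict.

```powershell
# Added example (not from the article or from Morphisec): hunt the Windows Startup
# folders for .LNK files that launch a script host. The pattern lists below are an
# illustrative assumption, not verified Jupyter indicators.
function Get-StartupShortcut {
    [CmdletBinding()]
    param(
        # Startup folders to inspect. Defaults to every local profile plus the all-users folder.
        [string[]]$StartupFolder
    )

    if (-not $StartupFolder) {
        $StartupFolder = @(
            Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
                ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
        )
        $StartupFolder += Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'
    }

    # Interpreters and LOLBins commonly used to stage scripts from a shortcut (assumed list).
    $scriptHosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                   'mshta.exe', 'rundll32.exe', 'regsvr32.exe'
    # Argument fragments typical of hidden or download-and-execute PowerShell launches (assumed list).
    $suspiciousArgs = '-enc', '-encodedcommand', '-w hidden', '-windowstyle hidden', '-nop',
                      'iex', 'invoke-expression', 'downloadstring', 'downloaddata',
                      'frombase64string', 'http://', 'https://', 'bypass'

    $shell = New-Object -ComObject WScript.Shell
    try {
        foreach ($folder in ($StartupFolder | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
            Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -File -ErrorAction SilentlyContinue | ForEach-Object {
                # CreateShortcut on an existing .lnk returns its parsed properties without modifying it.
                $lnk        = $shell.CreateShortcut($_.FullName)
                $target     = [string]$lnk.TargetPath
                $arguments  = [string]$lnk.Arguments
                $targetName = [System.IO.Path]::GetFileName($target).ToLowerInvariant()
                $argsLower  = $arguments.ToLowerInvariant()

                $reasons = New-Object System.Collections.Generic.List[string]
                if ($scriptHosts -contains $targetName) {
                    $reasons.Add("target is script host $targetName")
                }
                foreach ($pattern in $suspiciousArgs) {
                    if ($argsLower.Contains($pattern)) { $reasons.Add("arguments contain '$pattern'") }
                }
                # A dangling target is either a stale shortcut or a payload that was staged elsewhere and removed.
                if ($target -and -not (Test-Path -LiteralPath $target)) {
                    $reasons.Add('target path does not exist')
                }

                [pscustomobject]@{
                    Shortcut   = $_.FullName
                    Created    = $_.CreationTime
                    Target     = $target
                    Arguments  = $arguments
                    WorkingDir = [string]$lnk.WorkingDirectory
                    Suspicious = ($reasons.Count -gt 0)
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
    finally {
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
    }
}

# Usage: list every startup shortcut on the host, suspicious ones first.
Get-StartupShortcut |
    Sort-Object -Property Suspicious -Descending |
    Format-Table Shortcut, Created, Target, Arguments, Reasons -AutoSize
```

Run it from an elevated prompt so that other users' profile folders are readable. Because the function only reads shortcut metadata, it is safe to run on a live host during triage; the `Created` timestamp is useful for lining a suspicious shortcut up against the phishing email's arrival time, and the resolved `Target` and `Arguments` give you the next artifact to pull (the dropped loader or the PowerShell command line) without having to open the .LNK in Explorer.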