Pierluigi Paganini
September 27, 2021
Cybersecurity researchers from Morphisec have spotted a new version of the Jupyter infostealer that continues to be highly evasive.
In November 2020, researchers at Morphisec have spotted Russian-speaking threat actors that have been using a piece of .NET infostealer, tracked as Jupyter, to steal information from their victims.
The Jupyter malware is able to collect data from multiple applications, including major Browsers (Chromium-based browsers, Firefox, and Chrome) and is also able to establish a backdoor on the infected system.
“Jupyter is an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality.” reads the analysis published by Morphisec. “These include:
The experts spotted the infostealer during a routine incident response process in October, but according to forensic data earlier versions of the info-stealer have been developed since May.
The malware was continuously updated to evade detection and include new information-stealing capabilities, the most recent version was created in early November.
At the time of its discovery, the attack chain starwas starting with downloading a ZIP archive containing an installer (Inno Setup executable) masqueraded as legitimate software (i.e. Docx2Rtf).
On 8 September 2021, the researchers observed a new delivery chain that was able to avoid detection by using an MSI payload that executes a legitimate installation binary of Nitro Pro 13.
legitimate binaries
The MSI installer payload is over 100MB in size to bypass online AV scanners and is obfuscated using a third-party ‘All-in-one’ application packaging tool called Advanced Installer.
Upon executing the MSI payload, a PowerShell loader embedded within a legitimate binary of Nitro Pro 13 is executed.
“This loader is very similar to the previous Jupyter loaders in that it keeps a very evasive file with low to 0 detections on VirusTotal, which is rare for a full PowerShell loader (loader code with an embedded payload).” reads the analysis published by the experts. “While the Jupyter loaders are widely covered in our and other blogs, the new variant shares the same code pattern. The following code block is an example of a deobfuscated and beautified version of it”
Two of the variants analyzed by the researchers are signed with a valid certificate issued to a Polish business named ‘TACHOPARTS SP Z O O’. Another variant analyzed by the experts was signed with a revoked certificate named ‘OOO Sistema.’
“The evolution of the Jupyter infostealer/backdoor from when we first identified it in 2020 proves the truth of the statement that threat actors are always innovating. That this attack continues to have low or no detections on VirusTotal further indicates the facility with which threat actors evade detection-based solutions.” concludes the experts. “It’s clear that a new approach is required to threat prevention, as it’s likely these evasive attacks will continue.”
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
