A New Jupyter Malware Model is Being Distributed through MSI Installers

Jupyter Malware

Cybersecurity researchers have charted the evolution of Jupyter, a .NET infostealer known for singling out the healthcare and education sectors, and for being exceptionally good at defeating most endpoint security scanning solutions.

The new delivery chain, spotted by Morphisec on September 8, underscores that the malware has not just remained active but also showcases "how threat actors continue to develop their attacks to become more efficient and evasive." The Israeli company said it is currently investigating the scale and scope of the attacks.

First documented in November 2020, Jupyter (aka Solarmarker) is likely Russian in origin and primarily targets Chromium, Firefox, and Chrome browser data, with additional capabilities that allow for full backdoor functionality, including features to siphon information and upload the details to a remote server and to download and execute further payloads. Forensic evidence gathered by Morphisec shows that multiple versions of Jupyter began emerging starting in May 2020.

In August 2021, Cisco Talos attributed the intrusions to a "fairly sophisticated actor largely focused on credential and residual information theft." Cybersecurity firm CrowdStrike, earlier this February, described the malware as packing a multi-stage, heavily obfuscated PowerShell loader, which leads to the execution of a .NET compiled backdoor.


While earlier attacks featured legitimate binaries of well-known software such as Docx2Rtf and Expert PDF, the latest delivery chain makes use of another PDF application called Nitro Pro. The attacks begin with the deployment of an MSI installer payload that is over 100MB in size, allowing it to bypass anti-malware engines, and that is obfuscated using a third-party application packaging wizard called Advanced Installer.

Running the MSI payload leads to the execution of a PowerShell loader embedded within a legitimate binary of Nitro Pro 13, two variants of which have been observed signed with a valid certificate belonging to an actual business in Poland, suggesting possible certificate impersonation or theft. The loader, in the final stage, decodes and runs the in-memory Jupyter .NET module.
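The chain described above (an MSI installer that ends up launching a PowerShell loader) gives defenders a process-lineage signal that does not depend on the installer's hash or size. The following is an added detection sketch, not code from Morphisec or from the article: it walks constructed process-creation telemetry and flags any PowerShell process whose ancestor chain includes msiexec.exe. The event layout, the intermediate installer name nitro_pro_setup.exe, and the PIDs are all assumptions made for the example.

```python
"""Detection sketch: flag PowerShell launched underneath an MSI installer.

Added example for illustration; not the article's or Morphisec's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (field names are an assumption)."""
    pid: int
    ppid: int
    image: str  # lowercase executable file name


# Constructed sample telemetry, not real data from the article.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "msiexec.exe"),           # user double-clicks an MSI
    ProcEvent(300, 200, "nitro_pro_setup.exe"),   # hypothetical bundled installer
    ProcEvent(400, 300, "powershell.exe"),        # loader stage: suspicious
    ProcEvent(500, 100, "powershell.exe"),        # interactive shell: benign
    ProcEvent(600, 100, "winword.exe"),
]


def ancestors(events, pid):
    """Return the ancestor image names of `pid`, nearest parent first.

    Stops at the root or at a cycle so malformed telemetry cannot loop forever.
    """
    by_pid = {e.pid: e for e in events}
    chain = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent.image)
        cur = parent
    return chain


def find_powershell_under_msi(events, max_depth=4):
    """Flag PowerShell processes with msiexec.exe within `max_depth` ancestors.

    Returns a list of (pid, ancestor_chain) tuples for analyst triage.
    """
    hits = []
    for e in events:
        if e.image in ("powershell.exe", "pwsh.exe"):
            chain = ancestors(events, e.pid)[:max_depth]
            if "msiexec.exe" in chain:
                hits.append((e.pid, chain))
    return hits


if __name__ == "__main__":
    for pid, chain in find_powershell_under_msi(SAMPLE_EVENTS):
        print(f"suspicious powershell pid={pid} lineage={' <- '.join(chain)}")
```

The depth bound keeps the rule from matching every PowerShell process on a machine where msiexec.exe happens to sit far up the tree; in real telemetry you would feed it Sysmon Event ID 1 or an EDR's process-creation stream and tune the bound and the allow-list of installer names to the environment.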

"The evolution of the Jupyter infostealer/backdoor from when we first identified it in 2020 proves the truth of the statement that threat actors are always innovating," Morphisec researcher Nadav Lorber said. "That this attack continues to have low or no detections on VirusTotal further indicates the facility with which threat actors evade detection-based solutions."
