Cybersecurity researchers have spotted a new version of the Jupyter, a .NET info stealer that continues to be highly mysterious.
- Cybersecurity researchers from Morphisec discovered the new delivery chain on 8 September.
- The new Jupyter version is exceptionally good at defeating most endpoint security scanning solutions.
In November 2020, researchers at Morphisec spotted Russian-speaking threat actors using a .NET info stealer, tracked as Jupyter, to steal information from their victims.
The Jupyter malware can collect data from multiple applications, like Chromium-based browsers, Firefox, and Chrome, and can also establish a backdoor on the infected system.
“Jupyter is an info stealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality,” reads the analysis published by Morphisec.
“These include:
- a C2 client
- download and execute malware
- execution of PowerShell scripts and commands
- hollowing shellcode into legitimate Windows configuration applications.”
The malware has been updated frequently to evade detection and to add new information-stealing capabilities; the most recent version was generated in early November.
In October, researchers spotted the info stealer during a routine response process, but as per the forensic data, earlier versions have been developed since May.
On 8 September 2021, the researchers observed a new delivery chain that could avoid detection by using an MSI payload that executes a legitimate installation binary of Nitro Pro 13.
The attack starts by deploying an MSI installer payload over 100MB in size, which lets it bypass online AV scanners; the payload is obfuscated with a third-party 'all-in-one' packaging wizard called Advanced Installer.
Executing the MSI payload runs a PowerShell loader embedded within a legitimate Nitro Pro 13 binary.
“This loader is very similar to the previous Jupyter loaders in that it keeps a very evasive file with low to 0 detections on VirusTotal, which is rare for a full PowerShell loader (loader code with an embedded payload),” reads the analysis published by the experts.
“That this attack continues to have low or no detections on VirusTotal further indicates the facility with which threat actors evade detection-based solutions,” said Morphisec researcher Nadav Lorber.