Jupyter..More than a planet . An infostealer

Researchers have discovered a new info stealer written in .NET called Jupyter which targets notable web browsers such as Mozilla Firefox and Google Chrome in addition to the Chromium code in itself.

This is the first version seen in the wild of the infostealer stealing information (autocomplete, cookies, and passwords) only from Chrome browsers.

This version added Firefox information stealing (cookies, logins, certificates, and form history). This version uses the same technique of copying the stolen information before accessing it to evade detection.

The features of the malware include the ability to download and run malware plus Powershell scripts and commands while also injecting shellcode into different applications that relate to Windows Configuration.

The downloaded file that is run appears to be a Zip file with an installer that shows itself as another legitimate piece of software while in actuality is not. The alarming thing here is that this file according to the researchers has maintained a 0% detection rate in VirusTotal for over 6 months making us wonder how many systems it may have had infected by now.

Upon execution of the installer, a .NET C2 client (Jupyter Loader) is injected into a memory. This client has a well defined communication protocol, versioning matrix, and has recently included persistence modules.

The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter.NET module.

Origin belived it to be Russia , since C2C server pointing over there. Also admin panel image has been reverse searched and has the Russian match .

To conclude, this trend is nothing new in itself because researchers have constantly observed new variants of existing malware types being developed and even going unnoticed. Such research reports are a relief in the face of such calamities helping the cybersecurity community mend their blind spots.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s