Jupyter: more than a planet, an infostealer

Researchers have discovered a new infostealer written in .NET, called Jupyter, which targets data held by notable web browsers, including Mozilla Firefox, Google Chrome and Chromium itself.

The first version seen in the wild stole information (autocomplete data, cookies and passwords) only from Chrome.

A later version added Firefox information stealing (cookies, logins, certificates and form history). It uses the same evasion technique as before: the browser's data files are copied first, and the copies rather than the live files are read.
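The detection angle a practitioner wants here is that copying a credential store before reading it leaves a file-creation footprint that a browser itself never produces. The Go program below is an added example written for this page, not code from the researchers or from the malware: it triages constructed file-creation records (the FileEvent fields are this example's own, not any vendor's schema) and flags browser credential-store files created by a non-browser process or outside a browser profile directory. The file names are the real on-disk names Chrome/Chromium and Firefox use for the data described above; the sample events are made up.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// FileEvent is a constructed stand-in for an EDR/Sysmon file-creation record:
// which process image created which file. The field names are this example's,
// not any vendor's schema.
type FileEvent struct {
	Image      string
	TargetFile string
}

// credentialStores holds the on-disk names of the browser files that carry the
// data described above: Chrome/Chromium autocomplete, cookies and passwords,
// and Firefox cookies, logins, certificates and form history. Compared lowercase.
var credentialStores = map[string]bool{
	"login data": true, "cookies": true, "web data": true,
	"cookies.sqlite": true, "logins.json": true, "key4.db": true,
	"cert9.db": true, "formhistory.db": true,
}

// browserImages are the processes that legitimately write those files.
var browserImages = map[string]bool{
	"chrome.exe": true, "chromium.exe": true, "msedge.exe": true, "firefox.exe": true,
}

// baseName returns the final path element, treating both separators as such so
// the code behaves the same whether it runs on Windows or a Linux analysis box.
func baseName(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, `/`)))
}

// inProfileDir reports whether the path lies inside a browser profile directory,
// the only place a browser itself should be writing these files.
func inProfileDir(p string) bool {
	lp := strings.ToLower(p)
	for _, marker := range []string{
		`\google\chrome\user data\`, `\chromium\user data\`,
		`\microsoft\edge\user data\`, `\mozilla\firefox\profiles\`,
	} {
		if strings.Contains(lp, marker) {
			return true
		}
	}
	return false
}

// Suspicious flags a credential-store file created by a non-browser process or
// outside any profile directory: copying the store before reading it leaves
// exactly this footprint, and the copy is a file-creation event even when the
// subsequent read is not logged.
func Suspicious(ev FileEvent) bool {
	if !credentialStores[baseName(ev.TargetFile)] {
		return false
	}
	return !browserImages[baseName(ev.Image)] || !inProfileDir(ev.TargetFile)
}

// Triage returns only the events worth an analyst's attention.
func Triage(events []FileEvent) []FileEvent {
	var hits []FileEvent
	for _, ev := range events {
		if Suspicious(ev) {
			hits = append(hits, ev)
		}
	}
	return hits
}

// SampleEvents are constructed records, not data from any real incident.
func SampleEvents() []FileEvent {
	return []FileEvent{
		{`C:\Program Files\Google\Chrome\Application\chrome.exe`, `C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data`},
		{`C:\Users\alice\AppData\Roaming\Installer.exe`, `C:\Users\alice\AppData\Local\Temp\Login Data`},
		{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Users\alice\AppData\Local\Temp\tmp9A3F\cookies.sqlite`},
		{`C:\Program Files\Mozilla Firefox\firefox.exe`, `C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\q7x.default-release\logins.json`},
		{`C:\Windows\System32\notepad.exe`, `C:\Users\alice\Documents\notes.txt`},
	}
}

func main() {
	for _, ev := range Triage(SampleEvents()) {
		fmt.Printf("SUSPECT %s -> %s\n", ev.Image, ev.TargetFile)
	}
}
```

Of the five sample events only the installer's copy of Login Data and the PowerShell copy of cookies.sqlite are flagged; the browsers writing inside their own profiles are not. The rule is deliberately narrow: it keys on the destination file name, so a copy renamed to something innocuous would need a different signal (for example, a read of the original store by a non-browser process).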

The malware can download and run further malware, PowerShell scripts and commands, and inject shellcode into legitimate Windows configuration applications.

The downloaded file is a zip archive containing an installer that presents itself as a legitimate piece of software but is not. Alarmingly, according to the researchers this installer maintained a 0% detection rate on VirusTotal for over six months, which raises the question of how many systems it has infected by now.

Upon execution of the installer, a .NET C2 client (the Jupyter Loader) is injected into memory. This client has a well-defined communication protocol and versioning matrix, and has recently gained persistence modules.

The client then downloads the next stage, a PowerShell command that executes the Jupyter .NET module in memory.

The researchers believe the origin to be Russian: the C2 server is located in Russia, and a reverse image search of the admin panel's image returned a Russian match.

To conclude, the trend itself is nothing new: researchers constantly observe new variants of existing malware families being developed, sometimes going unnoticed for months. Research reports like this one help the cybersecurity community close its blind spots.

ModPipe threatens POS

ModPipe is a new kind of modular backdoor that targets Oracle's RES 3700 point-of-sale (POS) restaurant management software in an attempt to pilfer sensitive payment information stored on the devices.

The backdoor has a specialised module with an algorithm that recovers the database passwords by decrypting them from Windows registry values.

Exfiltrated credentials allow ModPipe’s operators access to database contents, including various definitions and configuration, status tables and information about POS transactions.

The actor behind the attacks could be in possession of a second downloadable module to decrypt the contents of the database.

New ModPipe Point of Sale (POS) Malware Targeting Restaurants, Hotels

The ModPipe infrastructure consists of an initial dropper that’s used to install a persistent loader, which then unpacks and loads the next-stage payload — the main malware module that’s used to establish communications with other “downloadable” modules and the command-and-control (C2) server via a standalone networking module.

The downloadable modules include “GetMicInfo,” a component that can intercept and decrypt database passwords using a specially designed algorithm, which the researchers suggest could have been derived by reverse engineering the POS software.

A second module called “ModScan 2.20” is devoted to collecting additional information about the installed POS system while another module by the name of “Proclist” gathers details about currently running processes.

“ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software,” the researchers said. “The proficiency of the operators could stem from multiple scenarios, including stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market.” Operators of systems running RES 3700 are advised to keep the underlying operating system up to date.

Wroba (☣️) Mobile Trojan

Kaspersky this week said its threat-monitoring systems had detected malware known as the Wroba Trojan, which targets Android and iOS device owners in the US with a fake package-delivery notification.

Android device users who click on a link in the notification are taken to a malicious site with an alert that warns users about their mobile browser being out of date and needing to be updated. Users tricked into clicking “OK” to download the purported browser update end up installing the malware on their device instead.

The download does not work on iPhones, so iPhone users who fall for the fake package-delivery notification are instead sent to a phishing page designed to look like Apple’s login page, which attempts to steal their Apple ID credentials.

Once Wroba is installed on a device, it can carry out a variety of malicious activities, according to Kaspersky. This includes sending fake SMS messages, checking installed packages, accessing financial transaction data, stealing the user’s contact list, and serving up phishing pages for stealing credentials, including those associated with bank accounts.

In some respects, such as its distribution via SMS, Wroba is not unlike other mobile malware. “But it utilizes some unusual techniques to hide its communication with its command-and-control [C2] server, like using MessagePack format and DES encryption to send the data.”
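To make that C2 encoding concrete, here is an added example (not Kaspersky's analysis code and not the malware's own) of a beacon encoder and the matching decoder an analyst holding a recovered key would run over captured traffic. The text gives only “MessagePack format and DES encryption”; the CBC mode, the PKCS#7 padding, the 8-byte key and IV, and the field names (cmd, pkgs) are all this example's assumptions, and the MessagePack subset implemented (a fixmap whose keys and values are fixstr or str8 strings) is just enough to carry such a beacon.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
)

// packStr appends one MessagePack string: fixstr (0xa0|len) below 32 bytes, else str8 (0xd9, len).
func packStr(out []byte, s string) []byte {
	if len(s) < 32 {
		out = append(out, 0xa0|byte(len(s)))
	} else {
		out = append(out, 0xd9, byte(len(s)))
	}
	return append(out, s...)
}

// packMap encodes up to 15 string fields as a fixmap (0x80|count, then key, value pairs); keys fixes the order.
func packMap(keys []string, m map[string]string) []byte {
	out := []byte{0x80 | byte(len(keys))}
	for _, k := range keys {
		out = packStr(packStr(out, k), m[k])
	}
	return out
}

// unpackMap parses exactly what packMap produces and fails closed on anything else.
func unpackMap(b []byte) (map[string]string, error) {
	if len(b) == 0 || b[0]&0xf0 != 0x80 {
		return nil, errors.New("not a fixmap")
	}
	count := int(b[0] & 0x0f)
	vals := make([]string, 0, 2*count)
	for pos := 1; len(vals) < 2*count; {
		if pos >= len(b) {
			return nil, errors.New("truncated")
		}
		t, n := b[pos], int(b[pos]&0x1f) // fixstr carries its length in the low 5 bits
		pos++
		if t&0xe0 != 0xa0 { // otherwise only str8 (0xd9, len) is accepted
			if t != 0xd9 || pos >= len(b) {
				return nil, errors.New("unsupported MessagePack type")
			}
			n, pos = int(b[pos]), pos+1
		}
		if pos+n > len(b) {
			return nil, errors.New("truncated string")
		}
		vals = append(vals, string(b[pos:pos+n]))
		pos += n
	}
	m := make(map[string]string, count)
	for i := 0; i < len(vals); i += 2 {
		m[vals[i]] = vals[i+1]
	}
	return m, nil
}

// EncodeBeacon packs the fields and encrypts them with single DES in CBC mode. CBC, PKCS#7
// padding and the key/IV handling are this example's assumptions; the text says only MessagePack and DES.
func EncodeBeacon(key, iv []byte, keys []string, fields map[string]string) ([]byte, error) {
	block, err := des.NewCipher(key) // fails unless the key is exactly 8 bytes
	if err != nil {
		return nil, err
	}
	pt := packMap(keys, fields)
	n := des.BlockSize - len(pt)%des.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

// DecodeBeacon is what an analyst with a recovered key runs on a captured blob: decrypt, verify and strip padding, unpack.
func DecodeBeacon(key, iv, ct []byte) (map[string]string, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of DES blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > des.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return unpackMap(pt[:len(pt)-pad])
}

func main() {
	key, iv := []byte("k3y_d3s!"), []byte("iv_iv_iv") // constructed values, not recovered from any sample
	ct, _ := EncodeBeacon(key, iv, []string{"cmd", "pkgs"}, map[string]string{"cmd": "beacon", "pkgs": "com.android.chrome;com.example.bank"})
	got, err := DecodeBeacon(key, iv, ct)
	fmt.Printf("%d wire bytes: %x\n%v %v\n", len(ct), ct, got, err)
}
```

The decoder rejects truncated ciphertext, bad padding and any MessagePack type outside the small subset rather than guessing, which is the behaviour you want when running it over a pcap. The caveat is the obvious one: a 56-bit DES key that the app itself must hold hides traffic from casual inspection only, and once the key is pulled from the APK every beacon decodes, which is exactly what a defender does.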

Wroba also has the ability to update its list of C2 servers with the help of information in social media accounts. The C2 information, for example, might be stored in encrypted form in the “Bio” or similar field of a social media account, says Kaspersky's Eremin.

Kaspersky has described Wroba as being part of a broader mobile malware campaign called “Roaming Mantis.” Earlier versions of the malware were distributed via DNS hijacking: the operators hijacked the DNS settings on home routers and redirected those routers' users to malicious sites.

The latest Wroba campaign is another sign of the growing threat that mobile users and organizations face from malware, adware, and other unwanted software on smartphones and other mobile devices. Thirty-nine percent of more than 875 mobile security professionals surveyed for the 2020 edition of Verizon’s Mobile Security Index said their organizations had experienced a security compromise involving a mobile device in the past year. Two years ago, only 27% reported such a breach. Two-thirds of those who experienced a mobile-related breach described the impact as major.