Cybersecurity researchers have charted the evolution of Jupyter, a .NET infostealer known for singling out the healthcare and education sectors, which has become adept at defeating most endpoint security scanning solutions.
The new delivery chain, observed by Morphisec on September 8, underscores that the malware has not only remained active but also showcases "how threat actors continue to develop their attacks to become more efficient and evasive." The Israeli company said it is currently investigating the scale and scope of the attacks.
First documented in November 2020, Jupyter (aka Solarmarker) is likely Russian in origin and primarily targets Chromium, Firefox, and Chrome browser data, with additional capabilities that allow for full backdoor functionality, including features to siphon information and upload the details to a remote server and to download and execute further payloads. Forensic evidence gathered by Morphisec shows that multiple versions of Jupyter began emerging starting May 2020.
In August 2021, Cisco Talos attributed the intrusions to a "fairly sophisticated actor largely focused on credential and residual information theft." Cybersecurity firm CrowdStrike, earlier this February, described the malware as packing a multi-stage, heavily obfuscated PowerShell loader, which leads to the execution of a .NET compiled backdoor.
Whereas earlier attacks incorporated legitimate binaries of well-known software such as Docx2Rtf and Expert PDF, the latest delivery chain puts to use another PDF application called Nitro Pro. The attacks begin with the deployment of an MSI installer payload that is over 100MB in size, allowing it to bypass anti-malware engines, and that is obfuscated using a third-party application packaging wizard called Advanced Installer.
Running the MSI payload leads to the execution of a PowerShell loader embedded inside a legitimate binary of Nitro Pro 13, two variants of which have been observed signed with a valid certificate belonging to an actual business in Poland, suggesting possible certificate impersonation or theft. The loader, in the final stage, decodes and runs the in-memory Jupyter .NET module.
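The two evasions in the chain above (an installer padded past a scanner's size limit, and a known product binary carrying a valid signature from an organisation that is not its vendor) can both be caught at triage time from metadata an inventory or EDR agent already records, without scanning the file's contents. The following is an added example written for this article; it is not Morphisec's tooling and does not come from the report. The 100 MiB cut-off, the expected-signer table, the vendor placeholder string and every sample record are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumption: size beyond which the endpoint engine stops scanning a file in
# full. The article only says the MSI is "over 100MB"; 100 MiB is used here
# as an illustrative cut-off, not a vendor-documented value.
SCAN_SIZE_LIMIT_BYTES = 100 * 1024 * 1024

# Assumption: which signer organisations (cert subject O=) are legitimate for
# each product. The vendor string is a placeholder; fill it from your own
# software inventory.
EXPECTED_SIGNERS: Dict[str, Set[str]] = {
    "Nitro Pro": {"EXPECTED-NITRO-VENDOR-ORG"},
}


@dataclass
class InstallerRecord:
    """Metadata an EDR or inventory agent would already hold for a file."""
    path: str
    size_bytes: int
    product_name: str           # MSI ProductName property / file version info
    signer_org: Optional[str]   # O= of the Authenticode signing cert, None if unsigned
    signature_valid: bool       # chain and timestamp check passed


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage(rec: InstallerRecord) -> Finding:
    """Flag installers matching the two evasions described in the article."""
    finding = Finding(rec.path)

    # 1. Oversized payload: a file the engine will not fully scan has to be
    #    covered by other controls (detonation, signer policy, blocking).
    if rec.size_bytes > SCAN_SIZE_LIMIT_BYTES:
        mib = rec.size_bytes / (1024 * 1024)
        finding.reasons.append(f"size {mib:.0f} MiB exceeds scan limit")

    # 2. Signer/product mismatch: "signed with a valid certificate" is not
    #    the same as "signed by the vendor". A valid signature from an
    #    unrelated organisation on a known product is the stronger signal.
    expected = EXPECTED_SIGNERS.get(rec.product_name)
    if expected is not None:
        if rec.signer_org is None:
            finding.reasons.append(
                f"unsigned copy of normally signed product {rec.product_name}")
        elif not rec.signature_valid:
            finding.reasons.append(f"invalid signature on {rec.product_name}")
        elif rec.signer_org not in expected:
            finding.reasons.append(
                f"valid signature from {rec.signer_org!r}, "
                f"not an expected signer for {rec.product_name}")
    return finding


def triage_all(records: List[InstallerRecord]) -> Dict[str, List[str]]:
    """Return only the suspicious entries, keyed by path."""
    results: Dict[str, List[str]] = {}
    for rec in records:
        f = triage(rec)
        if f.suspicious:
            results[f.path] = f.reasons
    return results


# Constructed sample inventory: paths, sizes and signer names are made up.
SAMPLE_RECORDS = [
    InstallerRecord("C:\\Installers\\nitro_pro_13.msi", 78 * 1024 * 1024,
                    "Nitro Pro", "EXPECTED-NITRO-VENDOR-ORG", True),
    InstallerRecord("C:\\Users\\u\\Downloads\\Nitro-Pro-Setup.msi", 112 * 1024 * 1024,
                    "Nitro Pro", "Unrelated Business Sp. z o.o.", True),
    InstallerRecord("C:\\Users\\u\\Downloads\\NitroPro.msi", 40 * 1024 * 1024,
                    "Nitro Pro", None, False),
    InstallerRecord("C:\\Installers\\other_tool.msi", 150 * 1024 * 1024,
                    "Other Tool", "Other Vendor", True),
]

if __name__ == "__main__":
    for path, reasons in triage_all(SAMPLE_RECORDS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The point of the second rule is that signature validity alone is the wrong question: the loader's host binary passes a chain check, so the check that separates it from a real Nitro Pro install is whether the signing organisation is one you expect for that product. Feeding the same records into an allow-list of signers per product, rather than a global "signed equals trusted" policy, is what turns the certificate finding from the report into something enforceable.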
"The evolution of the Jupyter infostealer/backdoor from when we first identified it in 2020 proves the truth of the statement that threat actors are always innovating," Morphisec researcher Nadav Lorber said. "That this attack continues to have low or no detections on VirusTotal further indicates the agility with which threat actors evade detection-based solutions."