Jupyter infostealer is a master of deception: a highly modular malware that hides deep within legitimate installer packages. Once executed, it can receive further malicious components from its command-and-control (C2) server to extend its capabilities. These components can include executables and malicious PowerShell scripts.

One of the downloads is an information-stealing module designed to collect victim details such as the computer name, whether the user has admin rights, the workgroup, the browser password database, and other useful information. It also targets popular browsers such as Google Chrome™, Microsoft Edge®, Opera, Brave, and Mozilla Firefox. Upon finding one of these browsers installed, it gathers and exfiltrates sensitive user data stored within them, such as login data (usernames and passwords), cookies, and web data, including "autofill" information such as the user's name, home address, and email address. It also targets a large number of crypto wallets, including Atomic Wallet, MyMonero Wallet, and Ethereum Wallet, and additionally seeks to access several remote access applications, including OpenVPN and Remote Desktop Protocol (RDP).

This malware is particularly noxious because it does not target specific organizations or business verticals and has no set goal or agenda: it targets anyone who inadvertently falls for its ploys.

When Jupyter was first discovered at the end of 2020, it bundled itself with legitimate executables; when executed, it revealed an obfuscated PowerShell script hidden within. Throughout 2021, the threat group has focused its development efforts on increasing stealth and obfuscation, including loading Jupyter's Dynamic-Link Library (.DLL) reflectively into memory rather than writing the file to disk.

In its current form, Jupyter tends to be bundled in large Windows® installer packages (.MSI), often exceeding 100 MB in size. These packages are still bundled with legitimate applications and are signed with valid digital certificates to further hide their intentions. On installation, the package loads and attempts to install the bundled legitimate application. However, deep within the code of these Trojan installers resides a relatively small, heavily obfuscated and encrypted PowerShell script that runs in the background.

Over a short period, Jupyter has masqueraded as many different applications and installers. The malware has also changed its core file extension to .MSI, and it uses different operations to execute its obfuscated PowerShell script. This flexibility has led various security research organizations to label the malware family differently, based on the naming of Jupyter's core module or of its downloaded components. Previous names include Polazert, Yellow Cockatoo, and more recently SolarMarker/Deimos. The malware has since abandoned the Indicators of Compromise (IoCs) on which these naming conventions were based, to thwart easy identification.

Jupyter's initial infection vector can vary widely. Typically, Jupyter is hosted on fake downloader websites that masquerade as legitimate hosts. These sites usually offer a free download of a PDF book or a simple application, and a victim reaches them either by browsing to them unintentionally or via a link in a malicious email.

Figure 4: Breakdown of Jupyter PowerShell

Jupyter's core PowerShell can typically be broken down into six different steps or components, as shown in Figure 4 and the table below. Each step facilitates a specific goal, function, or ability.
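The behaviours described above (a PowerShell script launched from inside an MSI installer, a .DLL loaded reflectively into memory rather than from disk, and reads of browser and wallet credential stores by that script) suggest a simple host-side hunt. The following is an added example written for this page, not the malware's code or any vendor's detection content. It scores constructed Sysmon-style process, script-block and file-access events per process and reports those that cross a threshold; the event schema, the sample events and the wallet directory names are assumptions made for the illustration, while the browser store locations are the well-known default profile paths.

```python
"""Heuristic hunt for a Jupyter-style PowerShell stealer chain (example code)."""
import re
from collections import defaultdict

# Credential stores the stealer is described as reading. Browser paths are the
# default profile locations; the wallet/OpenVPN directory names are assumptions.
SENSITIVE_FILE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\.*\\(Login Data|Cookies|Web Data)$", re.I),
    re.compile(r"\\Microsoft\\Edge\\User Data\\.*\\(Login Data|Cookies|Web Data)$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
    re.compile(r"\\(atomic|MyMonero|Ethereum Wallet)\\", re.I),   # assumed wallet dirs
    re.compile(r"\\OpenVPN\\config\\.*\.ovpn$", re.I),            # assumed OpenVPN dir
]

# Reflective in-memory load: a .NET assembly built from decoded bytes, never on disk.
REFLECTIVE_LOAD = re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\s*\(", re.I)
B64_DECODE = re.compile(r"\[Convert\]::FromBase64String", re.I)


def hunt(process_events, scriptblock_events, file_events, threshold=2):
    """Return {pid: [reasons]} for PowerShell processes scoring >= threshold.

    Event dicts (assumed schema):
      process:     pid, image, parent_image, command_line
      scriptblock: pid, script_text
      file:        pid, target_path
    """
    score = defaultdict(int)
    reasons = defaultdict(list)

    # Only PowerShell processes are scored for file access, so a browser reading
    # its own Login Data database does not trip the credential-store rule.
    powershell_pids = {
        ev["pid"] for ev in process_events
        if ev["image"].lower().endswith("powershell.exe")
    }

    for ev in process_events:
        if ev["pid"] in powershell_pids and ev["parent_image"].lower().endswith("msiexec.exe"):
            score[ev["pid"]] += 1
            reasons[ev["pid"]].append("powershell.exe spawned by msiexec.exe (installer-embedded script)")

    for ev in scriptblock_events:
        if ev["pid"] in powershell_pids and REFLECTIVE_LOAD.search(ev["script_text"]) \
                and B64_DECODE.search(ev["script_text"]):
            score[ev["pid"]] += 2
            reasons[ev["pid"]].append("assembly loaded into memory from decoded bytes (reflective DLL load)")

    for ev in file_events:
        if ev["pid"] not in powershell_pids:
            continue
        if any(p.search(ev["target_path"]) for p in SENSITIVE_FILE_PATTERNS):
            score[ev["pid"]] += 1
            reasons[ev["pid"]].append(f"read of credential/wallet store: {ev['target_path']}")

    return {pid: reasons[pid] for pid, s in score.items() if s >= threshold}


# --- constructed sample telemetry (made up for this example, not real logs) ---
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'msiexec.exe /i "C:\Users\u\Downloads\Free-PDF-Book-Setup.msi"'},
    {"pid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -e <encoded-placeholder>"},
    {"pid": 5010, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]
SCRIPTBLOCK_EVENTS = [
    {"pid": 4188, "script_text": "$b=[Convert]::FromBase64String($p);"
                                 "$a=[System.Reflection.Assembly]::Load($b);"
                                 "$a.GetType('x').GetMethod('run').Invoke($null,$null)"},
    {"pid": 5010, "script_text": r"Get-ChildItem C:\ -Recurse | Export-Csv inv.csv"},
]
FILE_EVENTS = [
    {"pid": 4188, "target_path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4188, "target_path": r"C:\Users\u\AppData\Roaming\atomic\Local Storage\leveldb\000003.log"},
    {"pid": 5010, "target_path": r"C:\Scripts\inv.csv"},
]


def run_sample():
    """Run the hunt over the constructed events; only pid 4188 should be flagged."""
    return hunt(PROCESS_EVENTS, SCRIPTBLOCK_EVENTS, FILE_EVENTS)


if __name__ == "__main__":
    for pid, why in run_sample().items():
        print(pid)
        for r in why:
            print("  -", r)
```

The scoring is deliberately conservative: a single indicator (an installer that legitimately runs a PowerShell custom action, or an administrator's script that happens to decode base64) does not cross the threshold on its own, while the combination the page describes does. Real deployments would feed this from Sysmon event IDs 1 and 11 and PowerShell script-block logging (event ID 4104) rather than from inline dicts.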