Recent security research has detected a surge in cyberattacks involving a sophisticated new version of Jupyter, a data-stealing malware that has been targeting users of popular web browsers like Chrome, Edge, and Firefox since at least 2020.
This malicious software, also known by names such as Yellow Cockatoo, Solarmarker, and Polazert, is capable of infiltrating computers and extracting a range of sensitive information. It can harvest data like computer names, user admin privileges, cookies, web data, browser passwords, and even valuable details such as cryptocurrency wallet logins and remote access application credentials.
A Persistent and Evolving Cyber Threat
Experts from VMware’s Carbon Black managed detection and response (MDR) service have recently observed this new variant of Jupyter, which has been infecting an increasing number of systems since late October. This version of the malware uses PowerShell command modifications and digitally signed payloads to remain undetected. The use of multiple certificates to sign the malware enhances its ability to avoid detection and gain access to victims’ computers.
Morphisec and BlackBerry, two other cybersecurity companies that have previously tracked Jupyter, have identified it as a full-fledged backdoor with various capabilities. These include supporting command and control (C2) communications, serving as a dropper and loader for other malware, evading detection through shellcode hollowing, and executing PowerShell scripts and commands. BlackBerry has also observed Jupyter targeting cryptocurrency wallets and remote access applications like OpenVPN and Remote Desktop Protocol.
The operators behind Jupyter have employed multiple techniques to distribute the malware, including search engine redirects to malicious websites, drive-by downloads, phishing attacks, and SEO poisoning, which manipulates search engine results to deliver malware.
Jupyter’s Elusive Nature
In the most recent attacks, the threat actors have gone to great lengths to make Jupyter appear legitimate to malware detection tools. They use valid certificates to digitally sign the malware, and the files have deceptive names, such as “An-employers-guide-to-group-health-continuation.exe” and “How-To-Make-Edits-On-A-Word-Document-Permanent.exe,” in an attempt to trick users into opening them. Once on a victim’s system, the malware rapidly establishes multiple network connections to its command and control (C2) server, decrypting the infostealer payload and loading it into memory.
Jupyter primarily targets Chrome, Edge, and Firefox browsers, using techniques like SEO poisoning and search engine redirects to encourage malicious file downloads as the initial attack vector. The malware is known for its credential harvesting and encrypted C2 communication capabilities, which it employs to extract sensitive data.
Notable Improvements and Techniques
The latest version of Jupyter exhibits significant differences in its first- and second-stage payloads compared to earlier iterations. This new variant employs an installer called InnoSetup as its initial payload. Abe Schneider, a threat analyst lead at Carbon Black, explains that InnoSetup is a free tool frequently utilized by threat actors to install malicious files. In Jupyter’s case, this installer contains the second encrypted payload, which, when decrypted via PowerShell, loads a backdoor into memory. This backdoor is then used to execute PowerShell commands, steal browser credentials, pilfer cryptocurrency wallets, or load additional payloads into memory.
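The two-stage behaviour described above and in the section on Jupyter's elusive nature (an encrypted second payload that PowerShell decrypts and then loads directly into memory) is something PowerShell script block logging can expose, because the decryption and the in-memory load both appear in the logged script text. The following Python is an added example, not code from the article or from Carbon Black, Morphisec or BlackBerry; the event record shape, the indicator patterns, the weighting rule and the sample log records are all assumptions constructed for illustration and are not real Jupyter artifacts.

```python
import re
from typing import Dict, List

# Constructed sample records shaped like PowerShell script block log events
# (Microsoft-Windows-PowerShell/Operational, event ID 4104). These are NOT
# real Jupyter artifacts; they only mimic the "decrypt, then load into memory"
# behaviour the article describes. Paths and key material are placeholders.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "host": "ws01",
     "script": "Get-ChildItem C:\\Users\\alice\\Documents -Recurse"},
    {"id": 2, "host": "ws01",
     "script": ("$k=[Text.Encoding]::UTF8.GetBytes('PLACEHOLDER-KEY');"
                "$b=[IO.File]::ReadAllBytes('C:\\Users\\Public\\s.bin');"
                "for($i=0;$i -lt $b.Length;$i++){$b[$i]=$b[$i] -bxor $k[$i % $k.Length]};"
                "[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)")},
    {"id": 3, "host": "ws02",
     "script": ("Invoke-Expression ([Text.Encoding]::Unicode.GetString("
                "[Convert]::FromBase64String($blob)))")},
    {"id": 4, "host": "ws02",
     "script": "Import-Module ActiveDirectory; Get-ADUser -Filter *"},
    {"id": 5, "host": "ws03",
     "script": "$x=[Convert]::FromBase64String($cfg); Set-Content C:\\temp\\cfg.bin $x"},
]

# Stage 1 indicators: the script turns an opaque blob into plaintext or raw bytes.
DECODE_PATTERNS = [
    (re.compile(r"FromBase64String", re.I), "base64 decode"),
    (re.compile(r"-bxor\b", re.I), "xor decrypt loop"),
    (re.compile(r"CreateDecryptor|AesCryptoServiceProvider|\[.*Aes\]::Create", re.I),
     "symmetric decrypt"),
]
# Stage 2 indicators: the result is executed in memory rather than written as an exe.
EXEC_PATTERNS = [
    (re.compile(r"Reflection\.Assembly\]::Load\(", re.I), "reflective assembly load"),
    (re.compile(r"Invoke-Expression|\biex\b", re.I), "string-to-code execution"),
    (re.compile(r"Marshal\]::Copy|VirtualAlloc", re.I), "raw memory injection"),
]


def score_script_block(script: str) -> Dict[str, List[str]]:
    """Return the decode-stage and exec-stage indicators found in one script block."""
    decode = [label for rx, label in DECODE_PATTERNS if rx.search(script)]
    execute = [label for rx, label in EXEC_PATTERNS if rx.search(script)]
    return {"decode": decode, "exec": execute}


def is_decrypt_and_load(script: str) -> bool:
    """True only when BOTH stages appear in the same block.

    Decoding on its own (event 5 above) is routine administrative noise;
    the combination of decode plus in-memory execution is the pattern worth a look.
    """
    s = score_script_block(script)
    return bool(s["decode"]) and bool(s["exec"])


def triage(events) -> List[Dict[str, object]]:
    """Run the rule over a batch of events and return the flagged ones with evidence."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        script = str(ev["script"])
        if is_decrypt_and_load(script):
            s = score_script_block(script)
            findings.append({"id": ev["id"], "host": ev["host"],
                             "evidence": s["decode"] + s["exec"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f['id']} on {f['host']}: {', '.join(f['evidence'])}")
```

In practice the records would come from event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which requires script block logging to be enabled on the endpoint; the rule deliberately demands both a decode indicator and an in-memory execution indicator in the same block, so that ordinary base64 handling by administrators (event 5) is not flagged on its own while the XOR-then-reflective-load block (event 2) and the base64-then-Invoke-Expression block (event 3) are.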
Troubling Rise in Data-Stealing Malware
Jupyter has emerged as one of the most common threats detected on client networks by VMware in recent years. This trend aligns with what others have observed regarding the increasing use of data-stealing malware, often called infostealers. The surge in these threats can be attributed to the widespread shift to remote work in the wake of the COVID-19 pandemic.
For example, Red Canary identified infostealers like RedLine, Raccoon, and Vidar appearing frequently on its top 10 lists throughout 2022. In most cases, these malicious programs disguised themselves as fake or tampered installer files for legitimate software. They were typically distributed via deceptive advertisements or by manipulating search engine results. Attackers primarily used these infostealers to collect login credentials from remote workers, enabling them to gain swift, persistent, and privileged access to organizational networks and systems.
Red Canary researchers pointed out that no industry is immune to infostealer malware, and its spread is often opportunistic, facilitated through advertising and search engine manipulation.
Uptycs also noted a worrisome uptick in the distribution of infostealers earlier this year. Their data revealed a substantial increase in incidents where attackers deployed infostealers, with the number more than doubling in the first quarter of 2023 compared to the same period in the previous year. These malicious tools were used to pilfer a variety of sensitive information, including usernames, passwords, browser data like profiles and autofill information, credit card details, cryptocurrency wallet information, and system data. Newer infostealers like Rhadamanthys were even capable of stealing logs from multifactor authentication applications. The stolen data logs were often sold on illicit forums, where there was significant demand for such information.
The exfiltration of stolen data can have severe consequences for both organizations and individuals, as it serves as an entry point for other malicious actors. Uptycs researchers cautioned about the dangers associated with this data theft.