Evasive Jupyter Infostealer Campaign Showcases Dangerous Variant

Security researchers have spotted a recent increase in attacks involving a sophisticated new variant of Jupyter, an information stealer that has been targeting users of Chrome, Edge, and Firefox browsers since at least 2020.

The malware, also referred to as Yellow Cockatoo, Solarmarker, and Polazert, can backdoor machines and harvest a variety of credential information, including computer name, the user's admin privileges, cookies, Web data, browser password manager information, and other sensitive data from victim systems — such as logins for crypto-wallets and remote access apps.

A Persistent Data-Stealing Cyber Threat

Researchers from VMware's Carbon Black managed detection and response (MDR) service recently observed the new version of the malware leveraging PowerShell command modifications and legitimate-looking, digitally signed payloads, infecting a steadily rising number of systems since late October.

"The recent Jupyter infections utilize multiple certificates to sign their malware which, in turn, can allow trust to be granted to the malicious file, providing initial access to the victim’s machine," VMware said in its security blog this week. "These modifications seem to enhance [Jupyter's] evasion capabilities, allowing it to remain inconspicuous."

Morphisec and BlackBerry — two other vendors that have previously tracked Jupyter — have identified the malware as capable of functioning as a full-fledged backdoor. They have described its capabilities as including support for command and control (C2) communications, acting as a dropper and loader for other malware, hollowing shell code to evade detection, and executing PowerShell scripts and commands.

BlackBerry has reported observing Jupyter also targeting crypto-wallets, such as Ethereum Wallet, MyMonero Wallet, and Atomic Wallet, in addition to accessing OpenVPN, Remote Desktop Protocol, and other remote access applications.

The operators of the malware have used a variety of techniques to distribute the malware, including search engine redirects to malicious websites, drive-by downloads, phishing, and SEO poisoning — or maliciously manipulating search engine results to deliver malware.

Jupyter: Getting Around Malware Detection

In the most recent attacks, the threat actor behind Jupyter has been using valid certificates to digitally sign the malware so that it appears legitimate to malware detection tools. The files have names designed to try to trick users into opening them, with titles such as "An-employers-guide-to-group-health-continuation.exe" and "How-To-Make-Edits-On-A-Word-Document-Permanent.exe".

VMware researchers observed the malware making multiple network connections to its C2 server to decrypt the infostealer payload and load it into memory, almost immediately upon landing on a victim system.

"Targeting Chrome, Edge, and Firefox browsers, Jupyter infections use SEO poisoning and search engine redirects to encourage malicious file downloads that are the initial attack vector in the attack chain," according to VMware's report. "The malware has demonstrated credential harvesting and encrypted C2 communication capabilities used to exfiltrate sensitive data."

Jupyter's first- and second-stage payloads are noticeably different than the previous renditions first seen in September 2022, says Abe Schneider, threat analyst lead at Carbon Black in comments to Dark Reading. "New improvements to the infostealer include the use of an installer called InnoSetup, which is the first payload seen on the victim device," he says.

Schneider describes Innosetup as a free software tool that threat actors frequently use to install malicious files. As an example, he points to recent instances where attackers have used Innosetup to deliver Autodesk as a remote desktop app on victim devices.

With Jupyter, the Innosetup installer contains the second encrypted payload, Schneider says: "Once the second payload is decrypted via PowerShell, a backdoor is loaded into memory. This backdoor is then used to execute PowerShell and steal credentials from browsers, steal cryptocurrency wallets or load additional payloads into memory."

A Troubling Increase in Infostealers

Jupyter is among the top 10 most frequent infections that VMware has detected on client networks in recent years, according to the vendor. That is consistent with what others have reported about a sharp and concerning rise in the use of infostealers following the large-scale shift to remote work at many organizations after the COVID-19 pandemic began.

Red Canary, for instance, reported that infostealers such as RedLine, Racoon, and Vidar made its top 10 lists multiple times in 2022. Most often, the malware arrived as fake or poisoned installer files for legitimate software via malicious advertisements or through SEO manipulation. The company found attackers using the malware mainly to try to gather credentials from remote workers that enabled quick, persistent, and privileged access to enterprise networks and systems.

"No industry is immune to stealer malware and the spread of such malware is often opportunistic, usually through advertising and SEO manipulation," Red Canary researchers said.

Uptycs reported a similar and troubling increase in infostealer distribution earlier this year. Data that the company tracked showed the number of incidents in which an attacker deployed an infostealer more than doubling in the first quarter of 2023, compared to the same period last year. The security vendor found threat actors using the malware to steal usernames and passwords, browser information such as profiles and autofill information, credit card information, crypto-wallet info, and system information. Newer infostealers such as Rhadamanthys can also specifically steal logs from multifactor authentication applications, according to Uptycs. Logs containing the stolen data is then sold on criminal forums, where there is a heavy demand for it.

"Exfiltration of stolen data has a dangerous impact on organizations or individuals, as it can easily be sold on the dark web as an initial access point for other threat actors," Uptycs researchers warned.