Dangerous Variant Displayed in Evasive Jupyter Infostealer Campaign

These attacks further demonstrate the growing use of information stealers to harvest data and maintain persistent access to enterprise networks.

Nov 9, 2023 - 05:17

A rising tide of cyber attacks has seen a surge in the use of a refined version of the Jupyter malware, a pernicious information stealer known for targeting Chrome, Edge, and Firefox users. Dubbed Yellow Cockatoo, Solarmarker, and Polazert in various circles, this malware has been notorious since 2020 for backdooring machines and siphoning off an array of sensitive data from compromised systems, notably credentials for crypto-wallets and remote access tools.

A Continuing Cyber Threat

Recently, VMware's Carbon Black MDR team noticed an uptick in systems compromised by an updated strain of Jupyter, which dodges detection through altered PowerShell commands and convincingly legitimate, digitally signed payloads. These alterations have improved its stealth, helping it fly under the radar while infiltrating an increasing number of systems since the latter part of October.

Jupyter's Stealth Tactics

Both Morphisec and BlackBerry, cybersecurity firms that have previously tracked Jupyter's movements, have recognized its capability to operate as a comprehensive backdoor. Its toolkit includes command and control (C2) communication, functioning as a dropper and loader for additional malware, evading detection through shellcode hollowing, and executing PowerShell scripts and commands. BlackBerry's analysis highlighted Jupyter's targeting of specific crypto-wallets and remote access apps such as OpenVPN and Remote Desktop Protocol.

The malware is distributed via various tactics like search engine manipulation, drive-by downloads, phishing, and SEO poisoning. These methods are crafted to redirect unsuspecting users to malicious downloads.

Evading Malware Detection

The latest Jupyter campaign involves malware that's digitally signed with valid certificates, creating a facade of legitimacy that deceives malware detection systems. The malware lures victims with deceptive file names like "An-employers-guide-to-group-health-continuation.exe" and "How-To-Make-Edits-On-A-Word-Document-Permanent.exe".

After infection, VMware observed the malware making numerous network connections to its C2 server, decrypting the infostealer payload, and injecting it directly into the system's memory.
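The behaviours described in this section and in the Carbon Black observation above (document-titled executables that carry a valid signature, altered PowerShell launches, and a burst of C2 connections followed by in-memory injection) can each be turned into a simple detection rule over endpoint telemetry. The script below is an added example, not code from VMware, Morphisec or BlackBerry, and it runs over constructed Sysmon-like records rather than real campaign logs; only the lure file name comes from the article. The exact PowerShell alterations used by Jupyter are not given here, so treating encoded-command and hidden-window flags as the "altered" shape is an assumption, as are the event field names and the connection threshold.

```python
import re
from collections import defaultdict

# Constructed Sysmon-like telemetry for the example. The first executable name
# is the lure name quoted in the article; every other value is invented.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 4100, "parent": 3000,
     "image": r"C:\Users\alice\Downloads\An-employers-guide-to-group-health-continuation.exe",
     "cmdline": "An-employers-guide-to-group-health-continuation.exe",
     "signature": "Valid"},
    {"event": "ProcessCreate", "pid": 4101, "parent": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc VGhpcy1pcy1hLWNvbnN0cnVjdGVkLWJsb2I=",
     "signature": "Valid"},
    *[{"event": "NetworkConnect", "pid": 4101, "dest": "203.0.113.10:443"} for _ in range(6)],
    {"event": "CreateRemoteThread", "pid": 4101, "target_pid": 2200},
    # Benign noise: a browser with many connections and an admin's scheduled script.
    {"event": "ProcessCreate", "pid": 5000, "parent": 1200,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe", "signature": "Valid"},
    *[{"event": "NetworkConnect", "pid": 5000, "dest": "198.51.100.5:443"} for _ in range(8)],
    {"event": "ProcessCreate", "pid": 5001, "parent": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1", "signature": "Valid"},
]


def looks_like_document_lure(image, min_words=4):
    """Heuristic: an .exe whose file name reads like a document title
    (several hyphen-joined words). The signature is deliberately not
    consulted, because the article notes these samples are validly signed."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1]
    if not name.lower().endswith(".exe"):
        return False
    words = name[:-4].split("-")
    return len(words) >= min_words and all(w.isalpha() for w in words)


# Assumed "altered PowerShell" shapes: an encoded command (-e / -enc /
# -EncodedCommand followed by a base64 blob) or a hidden window.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\b\s+[A-Za-z0-9+/=]{16,}", re.I)
HIDDEN_FLAG = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I)


def suspicious_powershell(image, cmdline):
    """True for a powershell.exe launch using an encoded command or hidden window."""
    if not image.lower().endswith("powershell.exe"):
        return False
    return bool(ENCODED_FLAG.search(cmdline) or HIDDEN_FLAG.search(cmdline))


def beacon_then_inject(events, min_connects=5):
    """PIDs that made at least min_connects network connections and also
    created a thread in another process (memory injection indicator)."""
    connects = defaultdict(int)
    injectors = set()
    for ev in events:
        if ev["event"] == "NetworkConnect":
            connects[ev["pid"]] += 1
        elif ev["event"] == "CreateRemoteThread":
            injectors.add(ev["pid"])
    return {pid for pid in injectors if connects[pid] >= min_connects}


def detect(events):
    """Run the three rules and return a list of alert dicts."""
    alerts = []
    lure_pids = set()
    for ev in events:
        if ev["event"] != "ProcessCreate":
            continue
        if looks_like_document_lure(ev["image"]):
            lure_pids.add(ev["pid"])
            alerts.append({"rule": "document_lure_exe", "pid": ev["pid"],
                           "signature": ev["signature"]})
        if suspicious_powershell(ev["image"], ev["cmdline"]):
            alerts.append({"rule": "encoded_or_hidden_powershell", "pid": ev["pid"],
                           "parent_is_lure": ev.get("parent") in lure_pids})
    for pid in sorted(beacon_then_inject(events)):
        alerts.append({"rule": "c2_then_memory_injection", "pid": pid})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The point of the third rule is that a valid code signature and a plausible file name say nothing about what a process does after it starts; correlating a burst of outbound connections with a cross-process thread creation from the same PID catches the decrypt-and-inject step regardless of how the dropper was packaged. The `parent_is_lure` field ties the PowerShell launch back to the document-named executable that spawned it, which is the chain an analyst would want to see in one alert.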

The Rise of Infostealers

Jupyter is increasingly prevalent, ranking as one of the top 10 infections on client networks, per VMware's data. This mirrors the broader rise of infostealers following the COVID-19 pandemic, as reported by Red Canary. These infostealers, including RedLine, Raccoon, and Vidar, often infiltrate systems through misleading installers for legitimate software, arriving via malicious advertisements or search engine result manipulation. Their primary goal is to harvest credentials, especially those that provide direct, durable, and elevated access to corporate networks.

Uptycs has also documented a significant jump in infostealer activity, with instances more than doubling in early 2023 compared to the prior year. Modern infostealers, like Rhadamanthys, have even evolved to specifically target logs from multifactor authentication applications. The stolen data often finds its way onto dark web marketplaces, serving as an entry point for further malicious activities.

The dissemination of stolen data poses a serious threat to organizations and individuals alike: once sold on dark web marketplaces, harvested credentials become a commodity that initial access brokers and other malicious actors can use as a foothold for further attacks.