iGuRu

Jupyter malware steals browser data

16/11/2020 11:31 by Anastasis Vasileiadis

Russian hackers are using new malware to steal information from their victims. Named Jupyter, the threat maintains a low profile and has gone through a rapid development cycle.


While Jupyter's purpose is to collect data from various software, the malicious code that delivers it can also be used to create a backdoor on an infected system.

A variant of the malware was found during an incident at a US university in October. However, forensic data show that older versions have been in development since May.

Researchers at cybersecurity company Morphisec found that the developers of the attack kit were very active, with some components receiving more than nine updates in just one month.

The latest version was created in early November but contains no significant changes. Constant modification of the code, however, helps it evade detection and lets Jupyter collect more data from compromised systems.

Jupyter is a .NET-based stealer focused on data from the Chromium, Mozilla Firefox and Google Chrome web browsers: cookies, credentials, certificates and autocomplete information.

The stealer chain begins with the download of a ZIP archive containing an Inno Setup installer that poses as legitimate software. According to Morphisec, some of these installers have gone largely undetected on the VirusTotal scanning platform for the past six months.


"Next, the client downloads the next step, a PowerShell command that runs the Jupyter .NET drive in memory," explains Morphisec.

In a newer version of the installer, the developers changed this step so that the PowerShell command itself runs in memory.

The installers launch legitimate tools such as Docx2Rtf and Magix Photo Manager as a diversion while dropping two PowerShell scripts in the background, one encrypted and the other decoded.

The latest versions of the original installer also rely on PoshC2, a framework used in penetration testing, to establish persistence on the machine by creating an LNK shortcut file and placing it in the Startup folder.
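A defender-side check for the persistence technique described above, added here as an example and not code from the article or from Morphisec: it enumerates the per-user and all-users Startup folders for LNK shortcuts and flags those whose target or arguments invoke PowerShell or typical in-memory loader switches. It assumes a Windows host with the WScript.Shell COM object available; the heuristics are assumptions and legitimate shortcuts can also match, so treat hits as leads to review, not verdicts.

```powershell
# Added example: hunt for Startup-folder LNK files that launch PowerShell.
# Assumes Windows and the built-in WScript.Shell COM object.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$shell = New-Object -ComObject WScript.Shell

function Test-SuspiciousShortcut {
    param([string]$LnkPath)
    # Resolve the shortcut's target and command-line arguments via COM.
    $sc        = $shell.CreateShortcut($LnkPath)
    $target    = $sc.TargetPath
    $arguments = $sc.Arguments
    $combined  = "$target $arguments"

    # Heuristics (assumed, not from the article): PowerShell as the target, or
    # switches and cmdlets commonly used to run a payload without touching disk.
    $flags = @()
    if ($target -match 'powershell(\.exe)?$|pwsh(\.exe)?$')            { $flags += 'powershell-target' }
    if ($arguments -match '-(enc|encodedcommand)\b')                    { $flags += 'encoded-command' }
    if ($arguments -match '-w(indowstyle)?\s+hidden')                   { $flags += 'hidden-window' }
    if ($arguments -match '-(ep|executionpolicy)\s+bypass')             { $flags += 'policy-bypass' }
    if ($combined -match 'IEX|Invoke-Expression|DownloadString|FromBase64String|Reflection\.Assembly') {
        $flags += 'in-memory-loader'
    }

    [pscustomobject]@{
        Shortcut  = $LnkPath
        Target    = $target
        Arguments = $arguments
        Flags     = ($flags -join ',')
    }
}

foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -Filter *.lnk -File | ForEach-Object {
        $result = Test-SuspiciousShortcut -LnkPath $_.FullName
        # Report only shortcuts that tripped at least one heuristic.
        if ($result.Flags) { $result }
    }
}
```

Running the same enumeration against the Startup folders of every profile under C:\Users, or from an EDR that exposes LNK targets, scales the check across a fleet.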


Morphisec's publication gives technical details of the tools and scripts used in a Jupyter attack, tracing the evolution of its components and revealing how they work internally.

Russian links

Researchers say many of Jupyter's C2 servers were located in Russia. A large number of them are currently inactive.

The connection with Russian developers nevertheless appears valid, as Morphisec noticed a typo in the name Jupyter that stems from its conversion from Russian.


Further evidence for this theory came from a reverse image search related to Jupyter, which returned a result on a Russian forum.

Jupyter malware steals browser data was last modified: 16 November, 2020, 11:31 am by Anastasis Vasileiadis
