The cybersecurity company Morphisec has discovered the Jupyter infostealer on the network of an unnamed higher education establishment in the US. A newly uncovered trojan malware campaign is targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information, as well as to create a persistent backdoor onto compromised systems. The trojan has the capability to target Chromium, Firefox, and Chrome browser data, but it can also open a backdoor on compromised systems, allowing attackers to execute PowerShell scripts and commands and to download and execute additional malware.
Ongoing #cybersecurity #awareness & #training must become an ongoing policy for all organizations!
— William Kouzi (@KouziWilliam) November 16, 2020
Jupyter trojan: Newly discovered malware stealthily steals usernames and passwords https://t.co/sdZuE94Uai via @ZDNet & @dannyjpalmer
Jupyter is an excellent example of the issues that can arise when end users install software from untrustworthy sources. In some instances, end users searched Google for templates or types of documents before being led to malicious downloads. Jupyter uses legitimate tools like Inno Setup, which is free and widely used for software packaging and installation on Windows, to facilitate deployment.
In every case of Jupyter we’ve seen, there has been a liberal amount of PowerShell use, and this presents the best point of detection for Jupyter. A lot of defense evasion happens here, because the malware binary itself is obfuscated while at rest on disk. During malware execution, PowerShell reads the obfuscated malware into memory, deobfuscates it, and loads the malware for execution.
Security teams should monitor for evidence of PowerShell execution by Jupyter. If evidence is present, be mindful of PowerShell instances within your organization’s network that use `frombase64string` and `[System.Reflection.Assembly]::Load` in their command lines.
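The detection the text describes, written out as an added example that is not part of the original article or of Morphisec's tooling: a small scanner that takes PowerShell command lines (for instance from process-creation or script-block logs) and flags the two indicators named above. The host names, the event tuples and the file path inside the sample command lines are constructed for the example; the only assumption about PowerShell itself is that it resolves type names case-insensitively and accepts `[Reflection.Assembly]` as shorthand for `[System.Reflection.Assembly]`, which is why the regexes tolerate both forms. `FromBase64String` on its own is common in legitimate administration scripts, so a line is rated "high" only when both indicators appear together.

```python
import re
from dataclasses import dataclass

# Indicators named in the write-up: Base64 decoding plus reflective assembly
# loading in a PowerShell command line. Matching is case-insensitive because
# PowerShell ignores case, and the second pattern accepts the shortened
# [Reflection.Assembly] form that PowerShell resolves without the System. prefix.
INDICATORS = {
    "base64_decode": re.compile(r"frombase64string", re.IGNORECASE),
    "reflective_load": re.compile(
        r"\[\s*(?:system\.)?reflection\.assembly\s*\]\s*::\s*load", re.IGNORECASE
    ),
}


@dataclass
class Finding:
    host: str
    severity: str      # "high" when both indicators co-occur, otherwise "low"
    matched: list      # indicator names that fired
    cmdline: str       # the offending command line, kept for the analyst


def classify(cmdline):
    """Return (matched_indicators, severity) for one command line, or None if clean."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    if not hits:
        return None
    severity = "high" if len(hits) == len(INDICATORS) else "low"
    return hits, severity


def scan_powershell_logs(events):
    """events: iterable of (host, command_line) pairs. Returns a list of Findings."""
    findings = []
    for host, cmdline in events:
        result = classify(cmdline)
        if result is not None:
            hits, severity = result
            findings.append(Finding(host, severity, hits, cmdline))
    return findings


# Constructed sample events (hypothetical hosts and paths), one per line style
# a defender might see: a benign admin command, the in-memory load pattern the
# article describes, a Base64 decode on its own, and the short type-name form.
SAMPLE_EVENTS = [
    ("ws-lab-01", r'powershell.exe -Command "Get-ChildItem C:\Users"'),
    ("ws-lab-02", r'powershell.exe -NoProfile -WindowStyle Hidden -Command '
                  r'"[System.Reflection.Assembly]::Load([System.Convert]::FromBase64String('
                  r"(Get-Content 'C:\ProgramData\PLACEHOLDER_BLOB.txt')))\""),
    ("ws-lab-05", r'powershell.exe -c "[Convert]::FromBase64String(\'QUJD\')"'),
    ("ws-lab-07", r'powershell.exe -c "[Reflection.Assembly]::Load($bytes)"'),
]


if __name__ == "__main__":
    for f in scan_powershell_logs(SAMPLE_EVENTS):
        print(f"{f.severity.upper():5} {f.host}: {', '.join(f.matched)}")
```

In practice the events would come from Sysmon event 1 or Windows Security event 4688 command lines, or from PowerShell script-block logging (event 4104), which also captures content that never appears on the command line; the scoring stays the same, only the source of the strings changes.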
Jupyter infostealer is just the latest in an ongoing series of new malware attacks by the bad actors of the world.
The new malware strain underscores the need for companies to keep their systems, apps, and browsers updated to the latest version in order to guard against malware infections.
Employee training is another important factor in the fight against malware: employees and executives need to be trained on the dangers of opening attachments or links in emails and messages.
Once more, individuals are being tested on their attention to detail. This time, users have to spot malware disguised as documents. Using a document file icon and a name that suggests urgency (e.g. a pay raise, travel details, etc.), the attacker tries to compel the user to open the "document" just to read what is written. Even though the malware carries a document icon, it is still an executable with the file type exe. However, if file extensions are hidden in your file explorer, you might not even see this little trick. The malware is an information-stealing trojan, taking data from your Chromium, Firefox or Chrome browsers. In addition, it is a C2 client that can execute PowerShell scripts and install further malware. Therefore, be careful when opening any documents. A word of advice: it is better to stop and think twice before you act.