Posted on September 28, 2021 at 8:18 AM
Hackers Upgrade Jupyter Malware to launch more Sophisticated Attacks
Hacking attacks on healthcare institutions have been on the rise, and this has been attributed to threat actors developing new and complex hacking tools. One of the recent sophisticated tools that have hit the market is the new version of the Jupyter malware.
The Jupyter malware is a well-known hacking tool. It functions as a .NET software that steals information from various devices. This malware is commonly used to target the education and healthcare sectors. The malware has been well-developed by threat actors to enhance it so that it can penetrate even the most advanced security systems.
Improved Version on Jupyter Malware
The new, improved software was spotted in operation by Morphisec on September 8. The discovery of this malware has shown that it has not gone inactive as many have assumed, but rather, it has been configured by threat actors to become more efficient in handling attacks and more stealth.
The report also shows that the malware has continued to be used to launch attacks. Morphisec, an Israeli cybersecurity company, has stated that it is launching more investigations into these attacks conducted using the malware.
The Jupyter malware, which is also known as the Solarmaker, was first discovered in November 2020. Further analysis into Jupyter shows that it most likely originated from Russia.
The malware is built to target the most common browsers such as Chrome, Chromium, and Firefox to access data from these browsers. The malware is sophisticated in its design, as it also has full backdoor functionality. This allows it to steal and copy sensitive details from targeted devices. Through the backdoor functionality, the malware can also upload the stolen data into a remote server. The data can later be downloaded and be used to execute further payloads.
The analysis from Morphisec shows that the Jupyter malware has evolved, and it now carries sophisticated features. Morphisec first spotted different versions of the malware in May 2020.
In August 2021, Cisco Talos issued a report on the malware, stating that the attacks were attributed to a “fairly sophisticated actor largely focused in credential and residual information theft.” This shows that the malware can gain backdoor access to devices and steal sensitive information that can later be used to launch further attacks.
In February this year, CrowdStrike, a renowned cybersecurity firm, stated that the malware used to conduct attacks contained a PowerShell loader that has been heavily obfuscated. This allowed the malware to execute and .NET compiled backdoor that can be used to access user details stealthily.
How it Works
The research has also looked into how this malware works and how it executes attacks. Previous attacks using the malware implemented legitimate binaries of renowned software such as Docx2Rtf and Expert PDF. However, forensics into this new malware shows that it now incorporates a new PDF application dubbed Nitro Pro.
The deployment of the attack is also complex and includes a lengthy but well-detailed process. The first stage of the attack involves the deployment of the MSU installer payload. This payload comes in a size of more than 100MB.
The MSI installer payload is used to help the threat actors bypass detection by anti-malware software. The malware is also hidden by Advanced Installer, a third-party application packaging wizard.
After running the MSI payload, the PowerShell loader is executed. The PowerShell loader is contained within the legitimate binary feature of Nitro Pro 13. A look into these two variants shows that they carry a legitimate certificate that belongs to a valid business operating in Poland. This shows that in developing the malware, the threat actors impersonated the certificate details of the business or stole the data.
This attack’s last and final stage is when the loader decodes the information and executes the in-memory Jupyter .NET module. After this final stage, a user’s device will be vulnerable to phishing attacks, and their details could be stolen by hackers with ill intentions, such as selling them on the dark web or for ransomware.
Nadav Lorber, a researcher with Morphisec, stated that “The evolution of the Jupyter infostealer/backdoor from when we first identified it in 2020 proves the truth of the statement that threat actors are always innovating. That this attack continues to have low or no detections on VirusTotal further indicates the facility with which threat actors evade detection-based solutions.”
Given the target group of the Jupyter malware, which is mostly healthcare and education institutions, it is paramount for organizations to invest in advanced cybersecurity systems that will protect sensitive information from being accessed by sophisticated malware created to avoid detection.