In 2020, Morphisec introduced the Jupyter infostealer, a .NET attack that primarily targets Chromium, Firefox, and Chrome browser data while also carrying the capabilities of a backdoor.
Since then, Jupyter has remained active and highly evasive. It has continued to receive very few to zero detections in the VirusTotal database, retaining its ability to bypass detection solutions.
Then, on September 8, 2021, we identified a new delivery chain within Jupyter that is going under the radar of security solutions. Following this discovery, the Morphisec Labs team was made aware of several high-level targets threatened by the Jupyter infostealer. We are currently studying the scope of the campaign.
The following blog post describes the new distribution chain, showing how threat actors continue to scale up their attacks to become more effective and evasive.
Figure 1: The attack flow of the new Jupyter infostealer
In this section, we’ll take a brief look at some of the payload’s shared attributes so that we get an overview of what metrics to expect. This is based on the four variants that we have observed.
Payload size and name
Like previous Jupyter payloads, MSI payloads are consistently larger than 100MB in size. This allows the payload to thwart inline AV scanners.
The payload naming convention is:
- Potential document topics
- Words are separated by a dash (‘-’)
- Each word begins with a capital letter
Examples can be found in the IOC section under the title “MSI Payload Names”.
MSI third-party installation wizard
The payloads were generated with a trial version of Advanced installer (version 18.6.1 build 2c9a75c6).
As described on its website, Advanced Installer is an “all-in-one” application packaging tool. It gives threat actors an easy way to implement obscured script execution.
The attribution can be found either in the properties of the file (OLE Compound) or in the properties table of the installer.
Figure 2: OLE Compound File Information
Figure 3: Properties table
Decoy installation executable
As shown in Figure 1 above, all observed variants are described as Nitro Pro 13. Once the victim runs the MSI payload, it runs a legitimate Nitro Pro 13 installation binary as a decoy. Combined with the variant filenames, this suggests that the delivery method disguises the payload as a PDF.
Figure 4: Installing Nitro Pro 13
While all of the variants are described as Nitro, one of them actually contains SumatraPDF instead.
Figure 5: Installing Sumatra PDF
Two of the variants are signed with a (currently) valid certificate named ‘SP ZOO TACHOPARTS’.
Figure 6: Tachoparts certificate
Based on the following certificate data, we can assume that the threat actor either impersonated the company or stole the certificate from a legitimate company in Poland.
Figure 7: Tachoparts commercial information from Google
Another variant was signed with a revoked certificate named ‘OOO system’.
Figure 8: OOO Sistema certificate
As with the previous certificate, this one also correlates to a legitimate business. This too was likely either identity theft or a theft from within the company.
Figure 9: Google OOO Sistema commercial information
The first suspicious flag visible in dynamic analysis is the PowerShell command line spawned by msiexec.exe:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive
Code block 1: CMD Shell command line
This command line is generated by an Advanced Installer feature that runs a PowerShell script as a “CustomAction” defined in the MSI installer.
The script file names in the settings differ between the variants but keep the same pattern. For example, in ‘scrEA14.ps1’, EA14 is a string of four hexadecimal characters, and these four characters differ between payload variants.
Figure 9: PowerShell loader integrated into CustomAction in AdvancedInstaller
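The msiexec-to-PowerShell chain described above is a useful hunting signal. The following is an added example (not code from the Morphisec post) that runs a simple detection over constructed process-creation events; the field names ParentImage, Image and CommandLine are assumed to mirror an EDR/Sysmon-style schema, and the script-name pattern (scr + four hex characters + .ps1) comes from the post.

```python
import re

# Constructed sample process-creation events (not from the blog). Events 0 and 1
# mimic the Jupyter chain; events 2 and 3 are benign look-alikes.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\SysWOW64\msiexec.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -NonInteractive -File "C:\Users\u\AppData\Local\Temp\scrEA14.ps1"'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -noni -File "C:\Windows\Installer\MSI1234.tmp\scr0B7C.ps1"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -File "C:\Scripts\backup.ps1"'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo done"},
]

# Script name pattern observed in the post: "scr" + four hex characters + ".ps1"
SCRIPT_NAME = re.compile(r"scr[0-9A-F]{4}\.ps1", re.IGNORECASE)


def match_jupyter_msi_chain(event):
    """Return the suspicious script name if the event matches the chain, else None."""
    parent = event["ParentImage"].lower()
    child = event["Image"].lower()
    if not (parent.endswith("\\msiexec.exe") and child.endswith("\\powershell.exe")):
        return None
    cmd = event["CommandLine"]
    flags = cmd.lower()
    # -NoProfile / -NonInteractive may be abbreviated (-nop, -noni); match the prefixes
    if "-nop" not in flags or "-noni" not in flags:
        return None
    m = SCRIPT_NAME.search(cmd)
    return m.group(0) if m else None


def find_suspicious(events):
    """Collect matching events with the fields an analyst needs for triage."""
    hits = []
    for e in events:
        script = match_jupyter_msi_chain(e)
        if script:
            hits.append({"script": script, "parent": e["ParentImage"], "cmd": e["CommandLine"]})
    return hits
```

Legitimate Advanced Installer packages also use PowerShell custom actions, so treat a hit as a triage lead and pivot on the MSI's size, name and signer rather than alerting on the chain alone.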
Jupyter PowerShell Loader
The PowerShell script file passed to powershell.exe in the command line shown in code block 1 is the Jupyter PowerShell loader.
This loader is very similar to previous Jupyter loaders in that it remains highly evasive, with detections ranging from low to zero on VirusTotal, which is rare for a full PowerShell loader (loader code with an embedded payload).
Jupyter loaders are covered extensively in our blog and others, and the new variant shares the same code pattern. The following code block is a deobfuscated and beautified excerpt of it:
$b64_enc_payload = '...';  # base64-encoded .NET DLL payload, omitted here
$random_path_str = 'jeiJBgXRTuVfsm';  # random directory/file name used by the loader
Code block 2: Deobfuscated Jupyter PowerShell loader
Note that, like previous versions, this one also reflectively loads a DLL that initializes execution under the Mars namespace in the Deimos class (Mars.Deimos).
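When a deobfuscated loader of this shape is recovered, the analyst's first step is to pull out the embedded payload and confirm what it is before anything is executed. The following is an added example (not code from the post) that extracts the $b64_enc_payload string, decodes it, checks for a PE header and the Mars/Deimos type names, and hashes it for IOC comparison; the loader text and the stand-in payload bytes are constructed, and the variable name is assumed to be the deobfuscated one shown above.

```python
import base64
import hashlib
import re

# Constructed stand-in for the embedded payload: a fake PE header ("MZ") followed by
# the NUL-terminated type-name strings a .NET metadata heap would contain. Not a real binary.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"Mars\x00Deimos\x00"

# Constructed loader text following the deobfuscated pattern (not the original sample).
SAMPLE_LOADER = (
    "$b64_enc_payload = '" + base64.b64encode(FAKE_PAYLOAD).decode() + "';\n"
    "$random_path_str = 'jeiJBgXRTuVfsm';\n"
)

# Matches the deobfuscated assignment; obfuscated samples need the variable renamed first.
B64_ASSIGN = re.compile(r"\$b64_enc_payload\s*=\s*['\"]([A-Za-z0-9+/=]+)['\"]")


def extract_payload(loader_text):
    """Return the decoded embedded payload bytes, or None if no assignment is found."""
    m = B64_ASSIGN.search(loader_text)
    if not m:
        return None
    return base64.b64decode(m.group(1))


def triage_payload(blob):
    """Summarise the static indicators an analyst checks before detonating anything."""
    return {
        "is_pe": blob[:2] == b"MZ",
        # .NET metadata stores namespace and type name as separate strings
        "mentions_mars_deimos": b"Mars\x00" in blob and b"Deimos\x00" in blob,
        "sha256": hashlib.sha256(blob).hexdigest(),
        "size": len(blob),
    }
```

The SHA-256 produced here is what you compare against the hashes in the IOC section; a mismatch on an otherwise matching sample is worth reporting as a new variant.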
.NET DLL payload
In our previous blog, we attributed the payloads to their internal version. The following table correlates the observed internal version and the earliest submission date of each MSI payload with its detections on VirusTotal.
Internal version of the Jupyter DLL
VirusTotal first submission
September 08, 2021
September 08, 2021
2/57 Malicious detections
September 10, 2021
September 13, 2021
Although all .NET DLL payloads are expected to be obfuscated, the SP-10 variant appears to contain source code strings. The following figure shows the payload's method and class names.
The evolution of the Jupyter infostealer/backdoor since we first identified it in 2020 confirms that threat actors are always innovating. The fact that this attack continues to receive little to no detection on VirusTotal further shows how easily threat actors evade detection-based solutions. A new approach to threat prevention is clearly needed, as these evasive attacks are likely to continue.
This is why Morphisec has designed its solutions to focus on deterministic prevention of evasive attacks rather than detection. Customers who operate the Morphisec breach prevention platform on their endpoints, on-premise servers, and in the cloud can rest assured that they are protected against evasive threats such as the Jupyter infostealer, regardless of its detection rate on VirusTotal.
MSI payload hashes
AdvancedInstall PowerShell Hash
Jupyter PowerShell Loader Hashes
MSI payload names