
How the New Jupyter Trojan Steals User Credentials from Browsers

by CISOCONNECT Bureau

A stealthy new Windows Trojan named Jupyter was discovered stealing usernames and passwords. Read on to know more about it…

A stealthy new Windows Trojan steals saved passwords, session cookies, hardware and software information and other valuable items from the Google Chrome and Mozilla Firefox browsers and from Windows itself. The Jupyter trojan, malware that targets businesses and higher education to steal usernames, passwords, and other private information, is active again.

The malware dubbed Jupyter by its finders at Israeli security firm Morphisec has been active since at least May 2020, but it escaped detection by most antivirus software until last week. Recently, it has been observed targeting a higher education establishment in the U.S.

New Jupyter Trojan
The trojan has been active since May and targets browser data from Chrome, Firefox, and other Chromium-based browsers. It creates a persistent backdoor on compromised systems, through which attackers can execute PowerShell scripts and commands and download and run additional malware.

The trojan is believed to originate from Russia and is linked to C2 servers located in the same region. In addition, a reverse image search of the planet Jupiter image used in the info stealer's admin panel traced it to a Russian-language forum. The motive of the cybercriminals behind this trojan could be stealing highly sensitive data or selling login credentials to other cybercriminals.

“Morphisec has monitored a steady stream of forensic data to trace multiple versions of Jupyter starting in May 2020,” state a Morphisec blog post and the full Morphisec report. “While many of the C2s [malware command-and-control servers] are no longer active, they consistently mapped to Russia when we were able to identify them.”

Working Mechanism
The trojan installer is hidden in a zipped file. It uses Microsoft Word icons and file names, pretending to be important documents, travel details, or a pay rise notice. If the installer is executed, it installs genuine tools to hide the real goal of the installation, which is running a malicious installer from temporary folders in the background. Once installed on the system, it steals information such as passwords, usernames, cookies, autocomplete data, and browsing history, and then sends the stolen data to a command and control server.
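The lure described above relies on an executable carrying a document-style name and icon inside a zip archive. The following Python is an added example written for this page, not code from Morphisec or from the malware analysis; it inspects archive members and flags executables disguised as documents, using a constructed sample archive (the member names and contents are made up for illustration, not artefacts from the campaign).

```python
import io
import zipfile

# Extensions that execute when double-clicked on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".lnk"}
# Extensions the lure wants the victim to believe they are opening.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def _ext_chain(name: str) -> list:
    """All extensions of a member name, lowercased: 'a.docx.exe' -> ['.docx', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_archive(zip_bytes: bytes) -> list:
    """Return (member name, reason) for each member that looks like a disguised executable.

    The content check (MZ header) matters more than the name check: a PE file
    renamed to .pdf still runs if the victim is tricked into launching it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _ext_chain(info.filename)
            head = zf.open(info).read(2)
            if head == MZ_MAGIC and (not exts or exts[-1] not in EXECUTABLE_EXTS):
                findings.append((info.filename, "PE header under a non-executable name"))
            elif head == MZ_MAGIC and len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                findings.append((info.filename, "executable with document double extension"))
            elif exts and exts[-1] in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
                findings.append((info.filename, "script/shortcut with document double extension"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one genuine-looking docx (a zip container) and two disguised executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Travel_Itinerary.docx", b"PK\x03\x04" + b"\x00" * 32)   # real docx starts with PK
        zf.writestr("Pay_Rise_Approval.docx.exe", b"MZ" + b"\x90" * 62)      # double extension
        zf.writestr("Important_Document.pdf", b"MZ" + b"\x90" * 62)          # PE bytes under a .pdf name
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_archive(build_sample_archive()):
        print(f"{name}: {reason}")
```

Run against a real attachment with `inspect_archive(open(path, "rb").read())`; the two findings on the sample are the double-extension executable and the PE file hiding under a `.pdf` name, while the genuine docx is left alone.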

Jupyter is unusual in that, unlike most malware, it runs mostly in memory and leaves very little trace on a system’s hard drive. Unfortunately, rebooting the machine doesn’t get rid of the malware, because it adds its setup routine to the Startup folder to reinstall itself when the machine boots.

Unlike many information stealers, Jupyter also has the ability to download and run additional software and creates a backdoor by which its operators — thought to be Russian cybercriminals — can remotely seize control of a Windows machine. (The name comes from an image of the planet, with the file name misspelled, used as the background of the malware’s administrative panel.)
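Because the in-memory payload is restored from the Startup folder at each boot, that folder is the natural place for a defender to look. The script below is an added example for this page, not Morphisec's tooling; it audits Startup-folder entries for script files, raw executables, and launch commands that point at temporary folders or load code in memory. The sample entries are constructed for illustration and are not artefacts from the campaign; the two Startup paths are the standard Windows locations.

```python
import os
import re

# Per-user and all-users Startup folders (standard Windows locations).
STARTUP_DIRS = [
    os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.join(os.environ.get("ProgramData", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
]

SCRIPT_EXTS = {".ps1", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta"}
# Textual markers that often appear when a launcher re-runs a payload from a temp folder or from memory.
SUSPICIOUS_PATTERNS = [
    (re.compile(rb"%temp%|\\appdata\\local\\temp", re.I), "references a temp folder"),
    (re.compile(rb"-(enc|encodedcommand)\b", re.I), "PowerShell encoded command"),
    (re.compile(rb"FromBase64String|IEX|Invoke-Expression", re.I), "in-memory script loading"),
    (re.compile(rb"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
]


def audit_startup_entry(name: str, content: bytes) -> list:
    """Reasons why one Startup-folder entry deserves a look (empty list = nothing flagged)."""
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    if ext in SCRIPT_EXTS:
        reasons.append(f"script file ({ext}) in Startup")
    if ext in (".exe", ".scr"):
        reasons.append("executable dropped directly in Startup")
    for pattern, label in SUSPICIOUS_PATTERNS:
        if pattern.search(content):
            reasons.append(label)
    return reasons


def audit_startup_dir(path: str) -> dict:
    """Scan a real Startup folder; returns {file name: reasons} for flagged entries only."""
    results = {}
    if not os.path.isdir(path):
        return results
    for entry in os.listdir(path):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                content = fh.read(64 * 1024)  # launchers are small; cap the read
            reasons = audit_startup_entry(entry, content)
            if reasons:
                results[entry] = reasons
    return results


# Constructed sample entries (hypothetical, not real campaign artefacts).
SAMPLE_ENTRIES = {
    "OneDrive.lnk": b"L\x00\x00\x00" + b"\x00" * 60,  # ordinary shell-link header, nothing flagged
    "update.bat": b"@echo off\r\npowershell -w hidden -enc SQBFAFgA...\r\n",
    "sync.vbs": b'CreateObject("WScript.Shell").Run "%TEMP%\\setup.exe", 0\r\n',
}


def audit_sample() -> dict:
    """Run the entry audit over the constructed sample set."""
    return {n: audit_startup_entry(n, c) for n, c in SAMPLE_ENTRIES.items() if audit_startup_entry(n, c)}


if __name__ == "__main__":
    for d in STARTUP_DIRS:
        print(d, audit_startup_dir(d))
    print(audit_sample())
```

Note that `.lnk` shortcuts are the normal content of a Startup folder, so they are not flagged by name alone; resolving each shortcut's target and applying the same temp-folder check to it is the natural next step and is left out here.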

Conclusion
The campaign is ongoing, so organizations need to be aware of and prepared for such threats. Experts suggest using a reliable anti-malware solution, encrypting important information, blocking spam emails at the email gateway, and training employees to spot malicious emails.
