fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New Jupyter Malware Steals Browser Data, Opens Backdoor

New Jupyter Malware Steals Browser Data, Opens Backdoor

Russian-speaking hackers have been using a new malware to steal information from their victims. Named Jupyter, the threat has kept a low profile and benefited from a fast development cycle.

While Jupyter’s purpose is to collect data from various software, the malicious code supporting its delivery can also be used to create a backdoor on an infected system.

Installer evades detection for 6 months

A variant of the malware emerged during an incident response engagement in October at a University in the U.S. But forensic data indicates that earlier versions have been developed since May.

Researchers at cybersecurity company Morphisec discovered that the developers of the attack kit were highly active, some components receiving more than nine updates in a single month.

The most recent version was created in early November but it does not include significant changes. The constant modification of the code, though, allows it to evade detection and enables Jupyter to collect more data from compromised systems.

Jupyter is .NET-based and focuses on stealing data from Chromium, Mozilla Firefox, and Google Chrome web browsers: cookies, credentials, certificates, autocomplete info.

Delivering the stealer starts with downloading an installer (Inno Setup executable) in a ZIP archive that poses as legitimate software. According to Morphisec, some of these installers went fully undetected on the VirusTotal scanning platform for the last six months.

Also Read: How To Prevent WhatsApp Hack: 7 Best Practices

Jupyter malware installer detection
source: Morphisec

The installer leverages the process hollowing technique to inject into the memory of a process a .NET loader acting as the client for the command and control server.

“The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter .NET module,” Morphisec explains.

In a later version of the installer, the developers switched from process hollowing to a PowerShell command to run in memory.

All these capabilities – the C2 client, downloading and executing malware, PowerShell scripts, and commands, and the process hollowing technique – enable the extended backdoor functions.

From what Morphisec observed, the initial installers that start the attack chain pose as Microsoft Word documents and use the following names:

  • The-Electoral-Process-Worksheet-Key.exe
  • Mathematical-Concepts-Precalculus-With-Applications-Solutions.exe
  • Excel-Pay-Increase-Spreadsheet-Turotial-Bennett.exe
  • Sample-Letter-For-Emergency-Travel-Document

Legit decoys, pentest toolkit

The installers runs legitimate tools like Docx2Rtf and Magix Photo Manager to create a diversion while dropping in the background two PowerShell scripts, one encoded and decoded by the other.

The latest versions of the initial installer also rely on the PoshC2 framework used in penetration testing to establish persistence on the machine by creating a shortcut LNK file and placing it in the startup folder.

PoshC2 code in Jupyter infostealer
source: Morphisec

Morphisec’s report covers technical details for the tools and scripts used in a Jupyter attack, tracing the evolution of the components and exposing their inner workings. Indicators of compromise are also available.

Russian links

The researchers say that many of the C2 Jupyter servers were located in Russia. A large number of them are currently inactive.

The link to Russian-speaking developers is stronger than this, though, as Morphisec noticed a typo that is consistent to the Jupyter name converted from Russian.

Also Read: 15 Best Tools For Your Windows 10 Privacy Settings Setup

Further evidence supporting this theory came after running a reverse image search for Jupyter’s administration panel, which showed a result on a Russian-language forum.

Jupyter infostealer admin panel
source: Morphisec

Morphisec says that the constant development of this infostealer translates into adding new elements that keeps it under the radar. Moreover, the developers extend the range of information targeted.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us