A newly uncovered trojan malware campaign is targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information as well as creating a persistent backdoor onto compromised systems.
Jupyter infostealer has been detailed by cybersecurity company Morphisec who discovered it on the network of an unnamed higher education establishment in the US. It’s thought the trojan has been active since May this year.
The attack primarily targets Chromium, Firefox, and Chrome browser data, but also has additional capabilities for opening up a backdoor on compromised systems, allowing attackers to execute PowerShell scripts and commands, as well as the ability to download and execute additional malware.
The Jupyter installer is disguised in a zipped file, often using Microsoft Word icons and file names that look like they need to be urgently opened, pertaining to important documents, travel details or a pay rise.
If the installer is run, it will install legitimate tools in an effort to hide the real purpose of the installation – downloading and running a malicious installer into temporary folders in the background.
Once fully installed on the system Jupyter steals information including usernames, passwords, autocompletes, browsing history and cookies and sends them to a command and control server. Analysis of the malware showed that whoever created it constantly changes the code to collect more information while also making it harder for victims to detect.
It isn’t clear what the exact motive for stealing the information is, but cyber criminals could use it to gain additional access to networks for further attacks – and potentially stealing highly sensitive data – or they could sell login credentials and backdoor access to systems to other criminals who access.
The researchers believe that Jupyter originates from Russia. Not only did analysis of the malware reveal that it linked to command and control servers in Russia, but reverse image searching of the planet Jupiter in infostealer’s admin panel revealed the original to come from a Russian-language forum. This image is also spelled Jupyter, likely a Russian to English misspelling of the planet’s name.
While many of the command servers are now inactive, the admin panel is still live, suggesting that Jupyter campaigns may not be finished yet.