MSI Installers Being Used to Distribute a New Version of Jupyter Malware

MSI Installers Being Used to Distribute a New Version of Jupyter Malware

Jupyter, a.NET infostealer notorious for singling out the healthcare and education sectors, has evolved, making it pretty good at evading most endpoint security scanning solutions.

Israeli cybersecurity company Morphisec discovered the new distribution chain involving MSI installers on September 8 and pointed out that the virus has remained active, and that threat actors have been modifying their attacks to become more efficient and elusive. The extent and scope of the attacks are now being investigated by the Israeli company.

Jupyter (also known as Solarmarker) was first discovered in November 2020. It mainly targets Chromium, Firefox, and Chrome browser data, with additional features that allow for full backdoor functionality. According to data sources, multiple versions of Jupyter began appearing in May 2020.

In February this year, CrowdStrike identified the malware as having a multi-stage, extensively obfuscated PowerShell loader that executes a.NET built backdoor.

While earlier attacks used genuine binaries of well-known applications like Docx2Rtf and Expert PDF, the new distribution chain used Nitro Pro, a PDF application.

The attack campaigns begin with distributing a large MSI installer payload that may evade anti-malware engines and is disguised using Advanced Installer, a third-party program packaging wizard.

“Once the victim runs the MSI payload, it executes a legitimate installation binary of Nitro Pro 13. Correlating this attribution with the variant’s file names suggests that the delivery method disguises it as a PDF. While all of the variants are described as Nitro, one of them actually contains SumatraPDF instead,” wrote Morphisec.

Processing the MSI payload triggers implementing a PowerShell loader contained within a genuine Nitro Pro 13 binary. Two variations were signed with a valid certificate of a Poland-based authenticate company, implying certificate impersonation or theft. At the final stage, the loader decodes and runs the in-memory Jupyter.NET module.

The development of the Jupyter infostealer/backdoor since 2020 illustrates the veracity of the assertion that threat actors are constantly inventing. The fact that this attack continues to receive few or no detections on VirusTotal demonstrates the ease with which threat actors can elude detection-based solutions.


About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.