A stealthy new Windows Trojan steals saved passwords, session cookies, hardware and software information and other valuable items from the Google Chrome and Mozilla Firefox browsers and from Windows itself.
The malware, named Jupyter by its finders at the Israeli security firm Morphisec, has been active since at least May 2020 but escaped detection by most antivirus software until last week, partly because, unlike most malware, Jupyter runs mostly in memory and leaves very little trace on a system's hard drive. Unfortunately, rebooting the machine does not get rid of the malware, because it adds its setup routine to the Startup folder so that it reinstalls itself when the machine boots.
Unlike many information stealers, Jupyter can also download and run additional software, and it creates a backdoor through which its operators, thought to be Russian cybercriminals, can remotely seize control of a Windows machine. (The name comes from an image of the planet Jupiter, with the file name misspelled, used as the background of the malware's administrative panel.)
Jupyter arrives as an email attachment purporting to be a Microsoft Word or Excel document about routine workplace or academic matters, but the attachment is really a program of its own. It launches a Windows PowerShell script that triggers a complex series of events, ending with at least two different information-stealing functions installed in system memory. PowerShell-based infection techniques have been used by many malware and ransomware groups.
One function collects information about the infected machine; the other steals passwords, login session cookies, autocomplete items and digital certificates from Chrome or Firefox. Session cookies are what keep you logged into an online service, such as Facebook or Twitter, semi-permanently until you actively log out. Many such cookies are valid for months or even a year, and would give anyone who stole them access to your account as long as you were still logged in using the same cookie.
How to avoid Jupyter infection: Most antivirus programs now detect at least one of the dozen or so Jupyter components unearthed by Morphisec. You can also give Jupyter little to steal by not letting your browser save your passwords and by logging out of online accounts when you have finished using them for the day. As part of good cyber hygiene, scan email attachments with your antivirus program before opening them. And since many of the malware's core functions depend on administrative-level Windows tools, another way to avoid infection is to do most of your daily Windows work in a limited user account that does not have administrator rights. This is an old-school technique: be a user on your computer, not the administrator; you can always log in as an administrator when you need to.
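As a concrete check for the Startup-folder persistence described above, here is an added PowerShell audit script; it is not from the article or from Morphisec's report, and the interpreter list and the seven-day "recent" window are assumptions. It is read-only and flags Startup entries that hand off to a script interpreter, that are script files themselves, or that were added recently.

```powershell
# Added example (not from the article or Morphisec's report): audit the
# per-user and all-users Windows Startup folders for entries that look like
# a dropped loader. Read-only; prints findings and changes nothing.
param(
    [int]$RecentDays = 7   # assumption: entries newer than this deserve a look
)

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Interpreters an attachment-dropped loader commonly hands off to (assumed list).
$suspiciousPattern = 'powershell|pwsh|wscript|cscript|mshta|cmd\.exe|rundll32'

$shell = New-Object -ComObject WScript.Shell
$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir -File -Force) {
        $target = $item.FullName
        if ($item.Extension -ieq '.lnk') {
            # Resolve the shortcut so we inspect the real command line, not the .lnk name
            $lnk = $shell.CreateShortcut($item.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        $reasons = @()
        if ($target -imatch $suspiciousPattern) { $reasons += 'launches a script interpreter' }
        if ($item.Extension -imatch '^\.(ps1|vbs|js|bat|cmd|hta)$') { $reasons += 'script file placed in Startup' }
        if ($item.CreationTime -gt (Get-Date).AddDays(-$RecentDays)) { $reasons += "created within $RecentDays days" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Folder  = $dir
                Entry   = $item.Name
                Target  = $target
                Created = $item.CreationTime
                Why     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No suspicious Startup folder entries found.' }
```

A hit is a lead, not a verdict: compare the resolved target against what you expect to autostart, and check the same interpreters in the Run registry keys and Scheduled Tasks, which this script does not cover.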
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-factor authentication company-wide (read: multifactor authentication, or MFA).
- Join and become active in your local InfraGard chapter; there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures, and test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all employees and consultants working from home.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.