[MART] - Daily Diary #356 - Jupyter Info Stealer Delivered Through MSI Installers

CTAS-MAT ctas-mat at appgate.com
Mon Sep 27 20:55:54 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

09/27/2021 - Diary entry #356:

Jupyter, aka Solarmarker, is an info-stealer malware discovered in 2020. It has backdoor capabilities and targets the Chromium, Chrome, and Firefox browsers to steal data from web pages. Recently, a new Jupyter campaign has been spotted with a very low detection rate among anti-malware engines. The attack chain starts with an MSI (Microsoft Installer) downloader that executes a PowerShell payload, which in turn executes Jupyter's final payload, written in .NET.

The downloader is built with Advanced Installer, an application packaging tool for generating MSI installers. Once the victim runs Jupyter's MSI downloader, it first executes a legitimate installation of Nitro Pro 13, a PDF editor. Next, it executes a PowerShell script responsible for loading the embedded final payload.

Jupyter is not the first to adopt this technique. Advanced Installer has been widely used by Brazilian banker RAT downloaders because it can embed obfuscated scripts and DLL side-loading execution within the installer. The result is an installer, usually disguised as a legitimate software setup, with a multi-stage execution flow that is well suited to evading and bypassing anti-malware protections.

Kind Regards,


Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
O: +55 11 97467 9549
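
As an added example (not part of the original diary entry and not Appgate's tooling), the sketch below flags PowerShell processes whose ancestry includes msiexec.exe, the MSI-to-PowerShell hand-off described above. It assumes the PowerShell stage runs as a separate powershell.exe process descended from msiexec.exe, which the entry does not state; the events, field names and paths are constructed.

```python
import ntpath

# Constructed process-creation events (fields modelled on Sysmon Event ID 1).
# PIDs, paths and command lines are invented for this example.
EVENTS = [
    {"pid": 400, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 1200, "ppid": 400, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\user\Downloads\setup.msi"'},
    {"pid": 1250, "ppid": 1200, "image": r"C:\Users\user\AppData\Local\Temp\decoy_setup.exe",
     "cmd": "decoy_setup.exe /quiet"},
    {"pid": 1310, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c stage.cmd"},
    {"pid": 1320, "ppid": 1310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -File stage.ps1"},
    {"pid": 2000, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
INSTALLER = "msiexec.exe"

def name(event):
    return ntpath.basename(event["image"]).lower()

def msi_spawned_powershell(events, max_depth=8):
    """Return (pid, process chain) for each PowerShell descended from msiexec.exe."""
    by_pid = {e["pid"]: e for e in events}  # real logs: key on process GUID, PIDs get reused
    hits = []
    for e in events:
        if name(e) not in SCRIPT_HOSTS:
            continue
        chain, cur, seen = [name(e)], e, {e["pid"]}
        while len(chain) <= max_depth:
            cur = by_pid.get(cur["ppid"])
            if cur is None or cur["pid"] in seen:  # missing parent or PID loop
                break
            seen.add(cur["pid"])
            chain.append(name(cur))
            if name(cur) == INSTALLER:
                hits.append((e["pid"], " > ".join(reversed(chain))))
                break
    return hits

if __name__ == "__main__":
    for pid, chain in msi_spawned_powershell(EVENTS):
        print(f"ALERT pid={pid} chain={chain}")
```

Walking the full ancestry rather than only the direct parent catches the case where an intermediate process (here cmd.exe) sits between the installer and the script host.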
