An updated version of an information stealer malware known as Jupyter has resurfaced with “simple yet impactful changes” that aim to stealthily establish a persistent foothold on compromised systems.
“The team has discovered new waves of Jupyter Infostealer attacks which leverage PowerShell command modifications and signatures of private keys in attempts to pass off the malware as a legitimately signed file,” VMware Carbon Black researchers said in a report shared with The Hacker News.
Jupyter Infostealer, also known as Polazert, SolarMarker, and Yellow Cockatoo, has a track record of leveraging manipulated search engine optimization (SEO) tactics and malvertising as an initial access vector to trick users searching for popular software into downloading it from dubious websites.
It comes with capabilities to harvest credentials as well as establish encrypted command-and-control (C2) communication to exfiltrate data and execute arbitrary commands.
The latest set of artifacts uses various certificates to sign the malware and lend it a veneer of legitimacy, only for the fake installers to activate the infection chain upon launch.
The installers are designed to invoke an interim payload that, in turn, employs PowerShell to connect to a remote server and ultimately decode and launch the stealer malware.
The development comes as stealer malware offered for sale on the cybercrime underground continues to evolve with new tactics and techniques, effectively lowering the barrier to entry for lesser-skilled actors.
This includes an update to Lumma Stealer, which now incorporates a loader and the ability to randomly generate a build for improved obfuscation.
“This takes the malware from being a stealer type to a more devious malware that can load second-stage attacks on its victims,” VMware said. “The loader provides a way for the threat actor to escalate its attack from data theft to anything up to infecting its victims with ransomware.”
Another stealer malware family that has received steady improvements is Mystic Stealer, which has also added a loader functionality in recent versions to complement its information-stealing abilities.