<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=179060&amp;fmt=gif">

Minerva Labs Blog

News & Reports

Thwarting Jupyter Stealer

Jupyter Stealer is an evolving info stealer that is commonly spread using backdoored installations. We have recently encountered a new and improved version of this malware, which allows its operator to upload and execute new payloads to infected devices.

The sample we analyzed came bundled with YTD Video Downloader & Video Converter, which is a popular software for downloading music and videos from the web. This installation orchestrates the whole infection process by dropping an encrypted PowerShell script that will be decrypted and executed by a hidden PowerShell process. Once decrypted, the script is responsible for setting up persistence, using the algorithm described here.

Our variant connects to its C&C server and sends back the computer information (in an encrypted form). It does not include the credentials stealing functionality hardcoded anymore, instead, it gets all functional modules from the C&C server. One of the malware's capabilities, is to upload and execute .exe and .ps1 files to the victim’s machine. This leaves an attacker with the ability not only to execute different types of attacks, but also to steal any information from the victim’s computer.

Minerva Labs prevents Jupyter malware with our Living-off-the-Land Prevention technology, which interferes with attempts to misuse tools built into the system with the intention of causing damage. This module prevents threats from “trampolining” off such tools to infect the endpoint or cause damage. 

prevents endpoint infection

 

IOC’s:

Hash:

C5C5B2D3F6E37851DEE79B1B2B19AA7D

DNS:

http://185.244.213[.]64

http://37.120.247[.]125



Interested in Minerva? Request a Demo Below

Stay Informed

Sign up for the Minerva newsletter and stay on top of the latest cybersecurity news.

Topics

see all