## THREAT PROFILE # JUPYTER INFOSTEALER ----- #### Introduction...................................................................................................3 Inno Setup Attack Phase..............................................................................4 C2 Jupyter Client............................................................................................6 PowerShell Intermediate Loader..............................................................13 Jupyter Infostealer......................................................................................13 Conclusion...................................................................................................16 IOCS..............................................................................................................16 About MORPHISEC......................................................................................18 ----- ###### INTRODUCTION An Infostealer is a trojan that is designed to 0 detections in VirusTotal over the last 6 gather and exfiltrate private and sensitive months, making it exceptional at bypassing information from a target system. There is most endpoint security scanning controls. a large variety of info stealers active in the Upon execution of the installer, a .NET wild, some are independent and some act C2 client (Jupyter Loader) is injected into as a modular part of a larger task such as a a memory. This client has a well defined Banking Trojan (Trickbot) or a RAT. communication protocol, versioning matrix, Infostealers are usually lightweight and has recently included persistence and stealthy payloads that do not have modules. persistence or propagation (get-in and The client then downloads the next stage, get-out) capabilities. This type of trojan is a PowerShell command that executes the particularly difficult to detect as it leaves an in-memory Jupyter .NET module. Both of extremely small footprint. the .Net components have similar code During what began as a routine incident structures, obfuscation, and unique UID response process, Morphisec has identified implementation. These commonalities (and prevented) a new .NET infostealer indicate the development of an end to end variant called Jupyter. Morphisec framework for implementing the Jupyter discovered this variant as part of assisting a Infostealer. higher education customer in the U.S. with their incident response. Morphisec has monitored a steady stream of forensic data to trace multiple versions Jupyter is an infostealer that primarily of Jupyter starting in May 2020. While targets Chromium, Firefox, and Chrome browser data. However, its attack chain, many of the C2s are no longer active, they delivery, and loader demonstrate additional consistently mapped to Russia when we capabilities for full backdoor functionality. were able to identify them. These include: This is not the only piece of evidence that • a C2 client this attack is likely Russian in origin. First, • download and execute malware there is the noticeable Russian to English • execution of PowerShell scripts and misspelling of the planet name. Additionally, commands Morphisec researchers ran a reverse Google • hollowing shellcode into legitimate Image search of the C2 admin panel image windows configuration applications. and were not surprised to find the exact Jupyter’s attack chain typically starts with a image on Russian-language forums. downloaded zip file that contains an installer, an executable that usually impersonates This report details the changes and legitimate software such as Docx2Rtf. evolution of the Jupyter infostealer and its Some of these installers have maintained backdoor component. ----- ###### INNO SETUP ATTACK PHASE Inno Setup, a free software-script driven installation system with many legitimate uses, is leveraged as the first stage of the attack. The Inno Setup executable usually comes as a zipped file and has a low detection rate in VirusTotal. **Figure 1: Inno Setup’s detection in Virus Total.** In order to deceive the victim, and convince them to open the executable, it uses Microsoft Word icons and names, such as: - The-Electoral-Process-Worksheet-Key.exe - Mathematical-Concepts-Precalculus-With-Applications-Solutions.exe - Excel-Pay-Increase-Spreadsheet-Turotial-Bennett.exe - Sample-Letter-For-Emergency-Travel-Document **Figure 2: Detection antivirus results.** ----- When running, the installer executes legitimate tools such as Docx2Rtf, Magix Photo Manager (view and edit photos), etc. In the background it drops two files to a temporary directory. One file is a PowerShell script that is executed by the malicious installer. This PowerShell script reads the second file, and then decrypts and runs it as the next stage. **Figure 3: The PowerShell script.** ### When running, the installer executes legitimate tools such as Docx2Rtf, Magix Photo Manager (view and edit photos), etc. The decoded PowerShell drops two files in a random directory in the Application Data Folder. Once again, one file is responsible for decrypting the other. This time it’s a CMD batch script that executes PowerShell to decrypt the in-memory managed .NET assembly and run it. [Additionally, it uses the PoshC2 persistence method in newer](https://github.com/nettitude/PoshC2/blob/master/resources/modules/Stage2-Core.ps1) versions of the installer. It creates a LNK file and places it directly in the Windows startup folder for persistence. **Figure 4: PoshC2 persistency** ----- ###### C2 JUPYTER CLIENT INTRODUCTION As mentioned previously, Jupyter’s client is a highly maintained component. Progressively upgraded versions have been leveraged over the last five to six months, and Morphisec researchers have identified more than nine version upgrades in a single month. The following analysis will cover the different updates that were introduced to the protocol, unique ID computation, and the various capabilities that have been added and removed. **VERSIONS:** **_DN-DN/1.2:_** **Creation date: 2020-05-11** **SHA-1: 26AF2E85B0A50BF2352D46350744D4997448E51D** This was the first version seen in the wild. It holds the C2 address and its version as variables and collects information from the infected machine such as: Computer name, OS version, architecture, permissions, UID. **Figure 5: Version DN-DN/1.2 of Jupyter.** The Unique Identifier (HWID) is generated based on the user name, computer name, and physical media serial number. ----- **Figure 6: How the Unique ID is generated.** The information is converted to bytes and sent as part of the GET request. The version of the loader that is used is based on information about the victim. The options for the next stage are: - Drop and Execute a PowerShell script - Drop and Execute application - Drop and Inject a shellcode into a Microsoft legitimate process, “msinfo32.exe,” using a standard Process Hollowing technique. **Figure 7: Options for the next stage.** The payload (PowerShell, executable, or shellcode) retrieved from the C2 is decoded using XOR with a decimal number. ----- **Figure 8: The payload is decoded.** **_DN-DN/1.7:_** **Creation date: 2020-06-21** **SHA-1: ea2b5b7bcc0efde95ef1daf91dcb1aa55e3458a9** This version added the Workgroup to the collected information. **Figure 9: Workgroup is added to the information being collected.** ----- It also added a FingerPrint class that generates the UID (HWID) based on the following properties. **Figure 10: The FingerPrint class is added.** **_DN-DN/FB1:_** **Creation date: 2020-09-24** **SHA-1: f76e293d627c55eca18ce96e587fb8c6e37d8206** This version removed the FingerPrint class and added LdrConfig class that holds the loader configuration (C2 address and loader version). **Figure 11: The LdrConfig class is added.** The UID (HWID) is generated based on 32 random bytes and saved to the disk as solarmarker.dat. ----- **Figure 12: The UID is saved as solarmarker.dat.** **_DR/1.0:_** **Creation date: 2020-10-05** **SHA-1: 8133304181d209cb302fbcdbf3965b0b5c7fa20c** In this version, the Process Hollowing option was removed for a new option – a get PowerShell command to run in-memory. It also changed the version naming convention from DN-DN to DR and added a XOR key to the configuration class. **Figure 13: Process Hollowing is replaced by “get PowerShell.”** ----- There are also the additional JSON classes in order to parse the new communication protocol. All of the requests to and from the C2 are base64 decoded/encoded and XORed with the pre-configured key. This new protocol is added to the victim’s collected information as protocol_version:1 with a new key called action that indicates to the C2 which stage it’s in. **Figure 14: The encoding of the new protocol.** The above JSON is sent with the action “ping,” and as a response it gets the following JSON: {“status”: , “type”: , “task_id”: }. - “status”: file, command or idle. - “type”: ps1, exe. - “task_id”: ID of the current attack. ----- In the case of “status”:“command,” the powershell command will be retrieved and run without writing the command to disk. If “type” is “ps1”/“exe,” a random named powershell/exe file will be created in the Temp directory. Then, the following request will be sent to the C2 to get the powershell command: {“action”:”get_file”,”hwid”:,”task_id”:,”protocol_version”:1}. The command is then written to the previously created random file and executed. This stage will be discussed in a subsequent section. While the next stage is running, another request gets sent to the C2 with the action: {“action”:”change_ status”,”hwid”:,”task_id”: ,”is_success”:true,”protocol_version”:1}. This indicates that the next stage is running successfully. The response is then {“status”: “idle”}, which enters the process to a loop waiting for the next commands. **_DR/1.1:_** **Creation date: 2020-10-13** **SHA-1: d5a6ebdd65398f0a3591900192992220df49b03c** In this phase, the creators added the domain name into the information they’re seeking to collect. All the other collected information remains the same; they haven’t deleted anything or changed anything else from the previous version. **Figure 15: The domain name is added.** ----- **_DR/1.4:_** **Creation date: 2020-11-03** **SHA-1: aecd083118b9333133c2f43f85558730285ed292** There were no significant or interesting changes from version DR/1.1 ###### POWERSHELL INTERMEDIATE LOADER In most cases, based on the availability of active C2 connections, the next stage is a PowerShell script that is downloaded by the Jupyter C2 client as described in a previous section. The PowerShell script holds a base64 encoded blob and a XOR key that is similar to the previously mentioned PowerShell scripts. It decrypts the base64 blob (another .NET assembly) and, once again, runs it in-memory. **Figure 16: The PowerShell intermediate loader.** ###### JUPYTER INFOSTEALER **INTRODUCTION** The decrypted .NET assembly blob is the Jupyter infostealer. It has a different C2 address and different version number adhering to the patterns of the C2 client. It also implements similar obfuscation patterns. **Figure 17: The Jupyter infostealer .NET assembly blob.** Initially Morphisec researchers identified that all the infostealer payloads had the same namespace, Jupyter. Later, they traced the random DLLs to the original first version of Jupyter and identified that it was its original ----- filename. Furthermore, it looks like the adversaries have a special interest in the planet Jupiter as an image of the planet is found on the main page of the admin panel accessed by the infostealer. As stated in the introduction, the image was most likely extracted from a Russian-language forum, which wasn’t a big surprise considering the fact that all the investigated C2s point back to Russia. **VERSIONS:** **_CS-DN/1.3:_** **Creation date: 2020-06** **SHA-1: 864fa452bef69f877917c6feebf245e77a213c9d** This is the first version seen in the wild of the infostealer. Stealing information (autocomplete, cookies, and passwords) only from Chrome browsers, it uses the same FingerPrint class mentioned in the previous stage to get the UID. **Figure 18: Jupyter version CS-DN/1.3.** It copies the stolen information to another directory, and then reads the information from there to avoid triggering alerts. This allows it to evade defenses and continue on to achieving the attacker’s ultimate goal of exfiltration. **Figure 19: Jupyter’s defense evasion.** ----- **_CS-DN/1.8:_** **Creation date: 2020-10-07** **SHA-1: 942c1b5eb8ea14e2fa0d0b83a296cf37c8efa688** This version added Firefox information stealing (cookies, logins, certificates, and form history). This version uses the same technique of copying the stolen information before accessing it to evade detection. **Figure 20: Jupyter added Firefox information stealing.** All of the stolen information is sent to the configured C2, which is different from the loader. At the time of writing this, the admin panel was still active. **Figure 21: The admin panel.** ----- ###### CONCLUSION Every version of the Jupyter infostealer adds yet another unknown element to the attack so that detectioncentric solutions can be evaded and continuously bypassed. As our analysis shows, the infostealer creator constantly changes the code to collect more information and more efficiently evade detection without causing alerts. Jupyter and similarly evolving attacks make clear the fundamental issue with detection-centric tools because they show that the adversary can consistently iterate on their attack to stay ahead of the defender. Morphisec customers are secured against unknown attacks like this without needing to detect any portion of the attack chain through the zero trust runtime environment created by our moving target defense technology. ###### IOCS Yara: rule Jupyter_Infostealer { meta: description = “Rule to detect Jupyter Infostealer” author = “Morphisec labs strings: $uid = “\”hwid\”:” wide $version_loader1 = “DR/” wide $version_loader2 = “DN-DN/” wide $version_jupyter = “CS-DN/” wide condition: uint16(0) == 0x5A4D and $uid and 1 of ($version*) } **Zip:** - 02a52b218756fa65e9fd8a9acb75202afd150e4c - ce9d62978c8af736935af5ed1808bfc829cbb546 - 591f33f968ed00c72e2064e54ccb641272681cb4 **Installer (from zipped folder):** - b2ed7e45eec9afb74ffbfa90495824945b8a84c7 - 6ad28e1810eb1be26e835e5224e78e13576887b9 - 3854bc3263c1bf3e3a79c0310e1b972bcb17b8a5 - 59488aa15eeb47cd0b024c8a117db82f1bc17a80 - 5bc62d38e3249c9e5cb6fe2cb4e11b4dfb3c8917 ----- ###### C2 Jupyter client: - 26af2e85b0a50bf2352d46350744d4997448e51d - 1478b1ead914f03d801087dc0b4cca07b19c7f53 - ea2b5b7bcc0efde95ef1daf91dcb1aa55e3458a9 - f76e293d627c55eca18ce96e587fb8c6e37d8206 - 8133304181d209cb302fbcdbf3965b0b5c7fa20c - aecd083118b9333133c2f43f85558730285ed292 ###### Jupyter Infostealer: - 261ed0f6c7b5052a6f4275a2c4d3207e56333b05 - 942c1b5eb8ea14e2fa0d0b83a296cf37c8efa688 - 864fa452bef69f877917c6feebf245e77a213c9d (the original one without firefox and with original UID) ##### C2: - 45.135.232[.]131 - 45.146.165[.]222 - 45.146.165[.]219 - 91.241.19[.]21 - gogohid[.]com - spacetruck[.]biz - blackl1vesmatter[.]org - Mixblazerteam[.]com - vincentolife[.]com/j - On-offtrack[.]biz ----- ###### ABOUT MORPHISEC Morphisec delivers an entirely new level of innovation to customers with its patented Moving Target Defense technology - placing defenders in a prevent-first posture against the most advanced threats to the enterprise, including APTs, zero-days, ransomware, evasive fileless attacks and web-borne exploits. Morphisec provides a crucial, smallfootprint memory-defense layer that easily deploys into a company’s existing security infrastructure to form a simple, highly effective, cost-efficient prevention stack that is truly disruptive to today’s existing cybersecurity model. -----