THREAT PROFILE JUPYTER INFOSTEALER 2© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER Introduction................................................................................................... 3 Inno Setup Attack Phase.............................................................................. 4 C2 Jupyter Client............................................................................................ 6 PowerShell Intermediate Loader..............................................................13 Jupyter Infostealer......................................................................................13 Conclusion...................................................................................................16 IOCS..............................................................................................................16 About MORPHISEC......................................................................................18 3© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER INTRODUCTION An Infostealer is a trojan that is designed to gather and exfiltrate private and sensitive information from a target system. There is a large variety of info stealers active in the wild, some are independent and some act as a modular part of a larger task such as a Banking Trojan (Trickbot) or a RAT. Infostealers are usually lightweight and stealthy payloads that do not have persistence or propagation (get-in and get-out) capabilities. This type of trojan is particularly difficult to detect as it leaves an extremely small footprint. During what began as a routine incident response process, Morphisec has identified (and prevented) a new .NET infostealer variant called Jupyter. Morphisec discovered this variant as part of assisting a higher education customer in the U.S. with their incident response. Jupyter is an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality. These include: • a C2 client • download and execute malware • execution of PowerShell scripts and commands • hollowing shellcode into legitimate windows configuration applications. Jupyter’s attack chain typically starts with a downloaded zip file that contains an installer, an executable that usually impersonates legitimate software such as Docx2Rtf. Some of these installers have maintained 0 detections in VirusTotal over the last 6 months, making it exceptional at bypassing most endpoint security scanning controls. Upon execution of the installer, a .NET C2 client (Jupyter Loader) is injected into a memory. This client has a well defined communication protocol, versioning matrix, and has recently included persistence modules. The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter .NET module. Both of the .Net components have similar code structures, obfuscation, and unique UID implementation. These commonalities indicate the development of an end to end framework for implementing the Jupyter Infostealer. Morphisec has monitored a steady stream of forensic data to trace multiple versions of Jupyter starting in May 2020. While many of the C2s are no longer active, they consistently mapped to Russia when we were able to identify them. This is not the only piece of evidence that this attack is likely Russian in origin. First, there is the noticeable Russian to English misspelling of the planet name. Additionally, Morphisec researchers ran a reverse Google Image search of the C2 admin panel image and were not surprised to find the exact image on Russian-language forums. This report details the changes and evolution of the Jupyter infostealer and its backdoor component. 4© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER INNO SETUP ATTACK PHASE Inno Setup, a free software-script driven installation system with many legitimate uses, is leveraged as the first stage of the attack. The Inno Setup executable usually comes as a zipped file and has a low detection rate in VirusTotal. Figure 1: Inno Setup’s detection in Virus Total. In order to deceive the victim, and convince them to open the executable, it uses Microsoft Word icons and names, such as: • The-Electoral-Process-Worksheet-Key.exe • Mathematical-Concepts-Precalculus-With-Applications-Solutions.exe • Excel-Pay-Increase-Spreadsheet-Turotial-Bennett.exe • Sample-Letter-For-Emergency-Travel-Document Figure 2: Detection antivirus results. 5© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER When running, the installer executes legitimate tools such as Docx2Rtf, Magix Photo Manager (view and edit photos), etc. In the background it drops two files to a temporary directory. One file is a PowerShell script that is executed by the malicious installer. This PowerShell script reads the second file, and then decrypts and runs it as the next stage. When running, the installer executes legitimate tools such as Docx2Rtf, Magix Photo Manager (view and edit photos), etc. Figure 3: The PowerShell script. The decoded PowerShell drops two files in a random directory in the Application Data Folder. Once again, one file is responsible for decrypting the other. This time it’s a CMD batch script that executes PowerShell to decrypt the in-memory managed .NET assembly and run it. Additionally, it uses the PoshC2 persistence method in newer versions of the installer. It creates a LNK file and places it directly in the Windows startup folder for persistence. Figure 4: PoshC2 persistency https://github.com/nettitude/PoshC2/blob/master/resources/modules/Stage2-Core.ps1 6© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER C2 JUPYTER CLIENT INTRODUCTION As mentioned previously, Jupyter’s client is a highly maintained component. Progressively upgraded versions have been leveraged over the last five to six months, and Morphisec researchers have identified more than nine version upgrades in a single month. The following analysis will cover the different updates that were introduced to the protocol, unique ID computation, and the various capabilities that have been added and removed. VERSIONS: DN-DN/1.2: Creation date: 2020-05-11 SHA-1: 26AF2E85B0A50BF2352D46350744D4997448E51D This was the first version seen in the wild. It holds the C2 address and its version as variables and collects information from the infected machine such as: Computer name, OS version, architecture, permissions, UID. Figure 5: Version DN-DN/1.2 of Jupyter. The Unique Identifier (HWID) is generated based on the user name, computer name, and physical media serial number. 7© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER Figure 6: How the Unique ID is generated. The information is converted to bytes and sent as part of the GET request. The version of the loader that is used is based on information about the victim. The options for the next stage are: • Drop and Execute a PowerShell script • Drop and Execute application • Drop and Inject a shellcode into a Microsoft legitimate process, “msinfo32.exe,” using a standard Process Hollowing technique. The payload (PowerShell, executable, or shellcode) retrieved from the C2 is decoded using XOR with a decimal number. Figure 7: Options for the next stage. 8© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER Figure 8: The payload is decoded. DN-DN/1.7: Creation date: 2020-06-21 SHA-1: ea2b5b7bcc0efde95ef1daf91dcb1aa55e3458a9 This version added the Workgroup to the collected information. Figure 9: Workgroup is added to the information being collected. 9© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER It also added a FingerPrint class that generates the UID (HWID) based on the following properties. Figure 10: The FingerPrint class is added. DN-DN/FB1: Creation date: 2020-09-24 SHA-1: f76e293d627c55eca18ce96e587fb8c6e37d8206 This version removed the FingerPrint class and added LdrConfig class that holds the loader configuration (C2 address and loader version). Figure 11: The LdrConfig class is added. The UID (HWID) is generated based on 32 random bytes and saved to the disk as solarmarker.dat. 10© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER Figure 12: The UID is saved as solarmarker.dat. DR/1.0: Creation date: 2020-10-05 SHA-1: 8133304181d209cb302fbcdbf3965b0b5c7fa20c In this version, the Process Hollowing option was removed for a new option – a get PowerShell command to run in-memory. It also changed the version naming convention from DN-DN to DR and added a XOR key to the configuration class. Figure 13: Process Hollowing is replaced by “get PowerShell.” 11© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER There are also the additional JSON classes in order to parse the new communication protocol. All of the requests to and from the C2 are base64 decoded/encoded and XORed with the pre-configured key. This new protocol is added to the victim’s collected information as protocol_version:1 with a new key called action that indicates to the C2 which stage it’s in. Figure 14: The encoding of the new protocol. The above JSON is sent with the action “ping,” and as a response it gets the following JSON: {“status”: , “type”: , “task_id”: }. • “status”: file, command or idle. • “type”: ps1, exe. • “task_id”: ID of the current attack. 12© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER In the case of “status”:“command,” the powershell command will be retrieved and run without writing the command to disk. If “type” is “ps1”/“exe,” a random named powershell/exe file will be created in the Temp directory. Then, the following request will be sent to the C2 to get the powershell command: {“action”:”get_file”,”hwid”:,”task_id”:,”protocol_version”:1}. The command is then written to the previously created random file and executed. This stage will be discussed in a subsequent section. While the next stage is running, another request gets sent to the C2 with the action: {“action”:”change_ status”,”hwid”:,”task_id”: ,”is_success”:true,”protocol_version”:1}. This indicates that the next stage is running successfully. The response is then {“status”: “idle”}, which enters the process to a loop waiting for the next commands. DR/1.1: Creation date: 2020-10-13 SHA-1: d5a6ebdd65398f0a3591900192992220df49b03c In this phase, the creators added the domain name into the information they’re seeking to collect. All the other collected information remains the same; they haven’t deleted anything or changed anything else from the previous version. Figure 15: The domain name is added. 13© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER DR/1.4: Creation date: 2020-11-03 SHA-1: aecd083118b9333133c2f43f85558730285ed292 There were no significant or interesting changes from version DR/1.1 POWERSHELL INTERMEDIATE LOADER In most cases, based on the availability of active C2 connections, the next stage is a PowerShell script that is downloaded by the Jupyter C2 client as described in a previous section. The PowerShell script holds a base64 encoded blob and a XOR key that is similar to the previously mentioned PowerShell scripts. It decrypts the base64 blob (another .NET assembly) and, once again, runs it in-memory. Figure 16: The PowerShell intermediate loader. JUPYTER INFOSTEALER INTRODUCTION The decrypted .NET assembly blob is the Jupyter infostealer. It has a different C2 address and different version number adhering to the patterns of the C2 client. It also implements similar obfuscation patterns. Figure 17: The Jupyter infostealer .NET assembly blob. Initially Morphisec researchers identified that all the infostealer payloads had the same namespace, Jupyter. Later, they traced the random DLLs to the original first version of Jupyter and identified that it was its original 14© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER filename. Furthermore, it looks like the adversaries have a special interest in the planet Jupiter as an image of the planet is found on the main page of the admin panel accessed by the infostealer. As stated in the introduction, the image was most likely extracted from a Russian-language forum, which wasn’t a big surprise considering the fact that all the investigated C2s point back to Russia. VERSIONS: CS-DN/1.3: Creation date: 2020-06 SHA-1: 864fa452bef69f877917c6feebf245e77a213c9d This is the first version seen in the wild of the infostealer. Stealing information (autocomplete, cookies, and passwords) only from Chrome browsers, it uses the same FingerPrint class mentioned in the previous stage to get the UID. Figure 18: Jupyter version CS-DN/1.3. It copies the stolen information to another directory, and then reads the information from there to avoid triggering alerts. This allows it to evade defenses and continue on to achieving the attacker’s ultimate goal of exfiltration. Figure 19: Jupyter’s defense evasion. 15© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER CS-DN/1.8: Creation date: 2020-10-07 SHA-1: 942c1b5eb8ea14e2fa0d0b83a296cf37c8efa688 This version added Firefox information stealing (cookies, logins, certificates, and form history). This version uses the same technique of copying the stolen information before accessing it to evade detection. Figure 20: Jupyter added Firefox information stealing. All of the stolen information is sent to the configured C2, which is different from the loader. At the time of writing this, the admin panel was still active. Figure 21: The admin panel. 16© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER CONCLUSION Every version of the Jupyter infostealer adds yet another unknown element to the attack so that detection- centric solutions can be evaded and continuously bypassed. As our analysis shows, the infostealer creator constantly changes the code to collect more information and more efficiently evade detection without causing alerts. Jupyter and similarly evolving attacks make clear the fundamental issue with detection-centric tools because they show that the adversary can consistently iterate on their attack to stay ahead of the defender. Morphisec customers are secured against unknown attacks like this without needing to detect any portion of the attack chain through the zero trust runtime environment created by our moving target defense technology. IOCS Yara: rule Jupyter_Infostealer { meta: description = “Rule to detect Jupyter Infostealer” author = “Morphisec labs strings: $uid = “\”hwid\”:” wide $version_loader1 = “DR/” wide $version_loader2 = “DN-DN/” wide $version_jupyter = “CS-DN/” wide condition: uint16(0) == 0x5A4D and $uid and 1 of ($version*) } Zip: • 02a52b218756fa65e9fd8a9acb75202afd150e4c • ce9d62978c8af736935af5ed1808bfc829cbb546 • 591f33f968ed00c72e2064e54ccb641272681cb4 Installer (from zipped folder): • b2ed7e45eec9afb74ffbfa90495824945b8a84c7 • 6ad28e1810eb1be26e835e5224e78e13576887b9 • 3854bc3263c1bf3e3a79c0310e1b972bcb17b8a5 • 59488aa15eeb47cd0b024c8a117db82f1bc17a80 • 5bc62d38e3249c9e5cb6fe2cb4e11b4dfb3c8917 17© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER C2 Jupyter client: • 26af2e85b0a50bf2352d46350744d4997448e51d • 1478b1ead914f03d801087dc0b4cca07b19c7f53 • ea2b5b7bcc0efde95ef1daf91dcb1aa55e3458a9 • f76e293d627c55eca18ce96e587fb8c6e37d8206 • 8133304181d209cb302fbcdbf3965b0b5c7fa20c • aecd083118b9333133c2f43f85558730285ed292 Jupyter Infostealer: • 261ed0f6c7b5052a6f4275a2c4d3207e56333b05 • 942c1b5eb8ea14e2fa0d0b83a296cf37c8efa688 • 864fa452bef69f877917c6feebf245e77a213c9d (the original one without firefox and with original UID) C2: • 45.135.232[.]131 • 45.146.165[.]222 • 45.146.165[.]219 • 91.241.19[.]21 • gogohid[.]com • spacetruck[.]biz • blackl1vesmatter[.]org • Mixblazerteam[.]com • vincentolife[.]com/j • On-offtrack[.]biz 18© 2020 Morphisec Inc. | www.morphisec.com THREAT PROFILE: JUPYTER INFOSTEALER ABOUT MORPHISEC Morphisec delivers an entirely new level of innovation to customers with its patented Moving Target Defense technology - placing defenders in a prevent-first posture against the most advanced threats to the enterprise, including APTs, zero-days, ransomware, evasive fileless attacks and web-borne exploits. Morphisec provides a crucial, smallfootprint memory-defense layer that easily deploys into a company’s existing security infrastructure to form a simple, highly effective, cost-efficient prevention stack that is truly disruptive to today’s existing cybersecurity model. INTRODUCTION INNO SETUP ATTACK PHASE C2 JUPYTER CLIENT Powershell intermediate loader Jupyter infostealer Conclusion IOCS About MORPHISEC