
New Jupyter Infostealer Version Emerges with Sophisticated Stealth Tactics


An updated version of an information stealer malware known as Jupyter
has resurfaced with “simple yet impactful changes” that aim to
stealthily establish a persistent foothold on compromised systems.

“The team has discovered new waves of Jupyter Infostealer attacks
which leverage PowerShell command modifications and signatures of
private keys in attempts to pass off the malware as a legitimately
signed file,” VMware Carbon Black researchers said in a report shared with The Hacker News.

Jupyter Infostealer, also known as Polazert, SolarMarker, and Yellow Cockatoo, has a track record
of leveraging manipulated search engine optimization (SEO) tactics and
malvertising as an initial access vector to trick users searching for
popular software into downloading it from dubious websites.

It comes with capabilities to harvest credentials as well as
establish encrypted command-and-control (C2) communication to exfiltrate
data and execute arbitrary commands.

The latest set of artifacts uses various certificates to sign the
malware and lend it a veneer of legitimacy, only for the fake
installers to activate the infection chain upon launch.

The installers are designed to invoke an interim payload that, in
turn, employs PowerShell to connect to a remote server and ultimately
decode and launch the stealer malware.

The development comes as stealer malware offered for sale on the
cybercrime underground continues to evolve with new tactics and
techniques, effectively lowering the barrier to entry for lesser-skilled
actors.

This includes an update to Lumma Stealer, which now incorporates a loader and the ability to randomly generate a build for improved obfuscation.

“This takes the malware from being a stealer type to a more devious
malware that can load second-stage attacks on its victims,” VMware said.
“The loader provides a way for the threat actor to escalate its attack
from data theft to anything up to infecting its victims with
ransomware.”

Another stealer malware family that has received steady improvements is Mystic Stealer, which has also added a loader functionality in recent versions to complement its information-stealing abilities.


“The code continues to evolve and expand the data theft capabilities
and the network communication was updated from a custom binary TCP-based
protocol to an HTTP-based protocol,” Zscaler said in a report late last month.

“The new modifications have led to increased popularity with criminal
threat actors leveraging its loader functionality to distribute
additional malware families including RedLine, DarkGate, and GCleaner.”

The constantly evolving nature of such malware is further exemplified
by the emergence of stealers and remote access trojans such as Akira Stealer and Millenium RAT, which come fitted with various features to facilitate data theft.

The disclosure also arrives as malware loaders like PrivateLoader and Amadey have been observed infecting thousands of devices with a proxy botnet dubbed Socks5Systemz, which has been around since 2016.

Cybersecurity firm Bitsight, which revealed details
of the service last week, said it identified at least 53 servers
related to the botnet that are distributed across France, Bulgaria,
the Netherlands, and Sweden.

The ultimate goal of the campaign is to turn infected machines into proxies
capable of forwarding traffic for other actors, legitimate or
otherwise, as an additional layer of anonymity. It’s suspected that the
threat actors are of Russian origin, given the lack of infections in the
country.

“The proxy service allows clients to choose a subscription ranging
from $1 USD to $4,000 USD, payable in full using cryptocurrency,”
Bitsight said. “Based on network telemetry analysis, it is estimated
that this botnet has approximately 10,000 infected systems with victims
spread across the globe.”
