New Jupyter Infostealer Variants Emerge with Advanced Evasion Tactics


The notorious Jupyter Infostealer malware variant, which has been causing damage since its discovery in late 2020, is evolving and becoming an even more dangerous threat to cybersecurity.

According to VMware, recent developments in this malware show a clear trend toward improved evasion techniques, intended to avoid detection and ensure lasting compromise of victims’ systems.

Drawing on its experience in combating this malware, the Carbon Black Managed Detection and Response (MDR) Team has identified these new variants and the evolving techniques they deploy.

Rising Infection Rates

The Carbon Black MDR Team has seen a considerable spike in Jupyter Infostealer infections during the last two weeks, with the overall number now standing at 26.

This increase in infections has alarmed cybersecurity experts and researchers who have been closely following the malware’s activity. Security analysts such as SquiblydooBlog have taken note of the recent changes in Jupyter Infostealer.

Jupyter Infostealer primarily targets the Education and Health sectors, aiming to compromise sensitive data. It is commonly delivered through various methods, including malicious websites, drive-by downloads, and phishing emails.

Victims often unknowingly download the malware by visiting compromised websites or clicking on malicious ads. The browsers most frequently abused to deliver this malware are Firefox, Chrome, and Edge.

Manipulation of Certificates and Signatures

One of the most notable characteristics of these new Jupyter Infostealer variants is their use of genuine certificates to avoid detection.

The malware signs its files with several certificates, giving them an appearance of legitimacy and earning trust, which ultimately grants it access to the victim’s PC.

Threat actors are especially interested in obtaining these signing credentials, since they can considerably boost the success rate of their attacks.

Recent Jupyter Infostealer attacks have also used PowerShell command modifications and private-key signatures to disguise the malware as a legitimate file.

This strategy seeks to further obscure the presence of malware and make it more difficult to detect. These signatures, together with PowerShell command manipulation, contribute to the malware’s covert behavior.

Payload Execution and Network Connections

Jupyter Infostealer gains a footing on a victim’s system by launching PowerShell commands to connect to its command-and-control (C2) server.

These commands are used to decode and execute the malicious payload, further complicating detection. The malware also uses files saved in the %Temp% directory as decoys, making it difficult for victims to notice the malicious activity.
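One way a defender can surface the behaviour described above in process-creation or PowerShell script-block logs, as an added example that is not from the article or from VMware's Carbon Black team: a small Python checker that decodes `-EncodedCommand` payloads and flags command lines that combine hidden-window flags, %Temp% staging, and decode-and-execute patterns. The sample command lines, the inner script, and the indicator patterns are constructed for illustration and are assumptions, not observed Jupyter samples.

```python
import base64
import re

# Constructed sample: an inner script staged in %Temp%, decoded and executed,
# mirroring the behaviour the article describes. Illustrative text only.
INNER_SCRIPT = "$p = Join-Path $env:TEMP 'stage.tmp'; IEX ([IO.File]::ReadAllText($p))"
ENCODED = base64.b64encode(INNER_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed command lines as they might appear in Sysmon Event 1 or
# PowerShell 4104 logs. The last one is benign administrative use.
SAMPLE_COMMANDS = [
    f"powershell.exe -nop -w hidden -enc {ENCODED}",
    "powershell.exe -NoProfile -Command \"$d=[Convert]::FromBase64String("
    "(Get-Content %TEMP%\\d.dat)); IEX([Text.Encoding]::UTF8.GetString($d))\"",
    "powershell.exe -NoProfile -Command Get-ChildItem C:\\Logs | Measure-Object",
]

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Indicator patterns (assumed, tune to your environment). Each is weak on its
# own; the verdict below requires several to co-occur.
INDICATORS = {
    "encoded_command": ENC_RE,
    "hidden_window": re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    "temp_staging": re.compile(r"%temp%|\$env:temp\b|\\AppData\\Local\\Temp", re.I),
    "decode_and_execute": re.compile(
        r"(FromBase64String|ReadAllText|ReadAllBytes).*\b(IEX|Invoke-Expression)\b"
        r"|\b(IEX|Invoke-Expression)\b.*(FromBase64String|ReadAllText|ReadAllBytes)",
        re.I | re.S),
}

def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_command(cmd):
    """Return the set of indicator names hit on the raw command line plus,
    when present, its decoded -EncodedCommand payload."""
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def is_suspicious(cmd, threshold=2):
    """Flag a command line when at least `threshold` indicators co-occur."""
    return len(analyse_command(cmd)) >= threshold

if __name__ == "__main__":
    for c in SAMPLE_COMMANDS:
        print(is_suspicious(c), sorted(analyse_command(c)), c[:50])
```

Decoding the encoded command before matching matters: the raw `-enc` line alone would only trip two indicators, while the decoded script exposes the %Temp% staging and the decode-and-execute step.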