A newly discovered Jupyter Trojan that is designed to gather and exfiltrate private and sensitive information from a target system. Jupyteris an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality.
Jupyter’sattack chain typically starts with a downloaded zip file that contains an installer, an executable that usually impersonates legitimate software such as Docx2Rtf. Upon execution of the installer, a .NET C2 client (Jupyter Loader) is injected into a memory. This client has a well defined communication protocol, versioning matrix, and has recently included persistence modules.
The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter.NET module. Both of the .Net components have similar code structures, obfuscation, and unique UID implementation. These commonalities indicate the development of an end to end framework for implementing the Jupyter Infostealer.