Rewterz Threat Alert – A Newly discovered Jupyter Trojan

Severity

High

Analysis Summary

A newly discovered Jupyter Trojan that is designed to gather and exfiltrate private and sensitive information from a target system. Jupyteris an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality.

Attack Chain 

Jupyter’sattack chain typically starts with a downloaded zip file that contains an installer, an executable that usually impersonates legitimate software such as Docx2Rtf.  Upon execution of the installer, a .NET C2 client (Jupyter Loader) is injected into a memory. This client has a well defined communication protocol, versioning matrix, and has recently included persistence modules.

The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter.NET module. Both of the .Net components have similar code structures, obfuscation, and unique UID implementation. These commonalities indicate the development of an end to end framework for implementing the Jupyter Infostealer.

Impact

• Browser data
• Exposure of sensitive information

Indicators of Compromise

Domain Name

• spacetruck[.]biz
• blackl1vesmatter[.]org
• vincentolife[.]com
• gogohid[.]com

MD5

• d30aa0149240031aafd4f57566cefb8d
• f7d9f73724462480462584b17be3ea82
• 06d74236c0066ecc4e733b0258ffe61d
• 1b341ab4421cdf28427858700ef41deb
• 63c9ace2fb8d1cb7eccf4e861d0e4e45
• 7be0725643c89e332b0434536a96de50
• 4103ba80694bab9cdd83df5a527378aa
• dbff4b0b195a9c771966d775ae9c1d4e
• 4eb6170524b5e18d95bb56b937e89b36

SHA-256

• 056c470dc745e56cbbe069d3c43a557f697e7f2afbd83c14471a1bdbf013e4af
• e57aa0e04235eef2c73870e07931d53efc1869743e0d6d07fc5c3ef3d71e464a
• 30e527e45f50d2ba82865c5679a6fa998ee0a1755361ab01673950810d071c85
• 3147cd2ee6938d50d2cdc7e157ad1125de2229bb35454cbde502746d6a36154d
• 3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01
• f16630378ba5cd07f2e131f3afa483c6f722406702d9201450c3be17f8b1081e
• 9d63af1cb88bb6b65e1d6c1f4467a728aeff1b8d07c2ef8c9b2e2f40b696a154
• a1a9137dea275aa805e5640f6450366dbf6e10be066e5c12c34904e45e469c4c
• 33d7f3bb788ea4bf9fffba9e528ec62ad38f02d03e63f78e427238f90a9ac75d

SHA1

• 6ad28e1810eb1be26e835e5224e78e13576887b9
• 942c1b5eb8ea14e2fa0d0b83a296cf37c8efa688
• f76e293d627c55eca18ce96e587fb8c6e37d8206
• d5a6ebdd65398f0a3591900192992220df49b03c
• 59488aa15eeb47cd0b024c8a117db82f1bc17a80
• 864fa452bef69f877917c6feebf245e77a213c9d
• b2ed7e45eec9afb74ffbfa90495824945b8a84c7
• ce9d62978c8af736935af5ed1808bfc829cbb546
• aecd083118b9333133c2f43f85558730285ed292
• 591f33f968ed00c72e2064e54ccb641272681cb4
• 3854bc3263c1bf3e3a79c0310e1b972bcb17b8a5
• 02a52b218756fa65e9fd8a9acb75202afd150e4c
• ea2b5b7bcc0efde95ef1daf91dcb1aa55e3458a9
• 1478b1ead914f03d801087dc0b4cca07b19c7f53
• 26af2e85b0a50bf2352d46350744d4997448e51d
• 261ed0f6c7b5052a6f4275a2c4d3207e56333b05
• 8133304181d209cb302fbcdbf3965b0b5c7fa20c
• 5bc62d38e3249c9e5cb6fe2cb4e11b4dfb3c8917

URL

• http[:]//vincentolife[.]com/j

Remediation

• Block the threat indicators at their respective controls.
• Keep your browsers updated to latest patched versions against all known vulnerabilities.
• Do not download untrusted files/zip files from random sources on the internet or those coming from unknown email addresses.
• Do not execute untrusted files on your system.