Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
August 25, 2023
Severity High Analysis Summary In a notable case, an 18-year-old member of the Lapsus$ data extortion group, Arion Kurtaj, has been convicted by a London jury […]August 25, 2023
Severity High Analysis Summary The North Korea-linked threat actor known as Lazarus Group has recently been observed exploiting a critical security vulnerability in Zoho ManageEngine ServiceDesk […]August 25, 2023
Severity High Analysis Summary REvil/Sodinokibi, also known as Sodin, is a sophisticated ransomware discovered in April 2019. This elusive malware encrypts files and cleverly erases its […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
August 25, 2023
Severity High Analysis Summary In a notable case, an 18-year-old member of the Lapsus$ data extortion group, Arion Kurtaj, has been convicted by a London jury […]August 25, 2023
Severity High Analysis Summary The North Korea-linked threat actor known as Lazarus Group has recently been observed exploiting a critical security vulnerability in Zoho ManageEngine ServiceDesk […]August 25, 2023
Severity High Analysis Summary REvil/Sodinokibi, also known as Sodin, is a sophisticated ransomware discovered in April 2019. This elusive malware encrypts files and cleverly erases its […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Microsoft Office 365 Active Credential Phishing Campaign
November 18, 2020
Rewterz Threat Alert – China Linked APT FunnyDream targets South East Asian government
November 18, 2020
Severity
High
Analysis Summary
A newly discovered Jupyter Trojan that is designed to gather and exfiltrate private and sensitive information from a target system. Jupyteris an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality.
Attack Chain
Jupyter’sattack chain typically starts with a downloaded zip file that contains an installer, an executable that usually impersonates legitimate software such as Docx2Rtf. Upon execution of the installer, a .NET C2 client (Jupyter Loader) is injected into a memory. This client has a well defined communication protocol, versioning matrix, and has recently included persistence modules.
The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter.NET module. Both of the .Net components have similar code structures, obfuscation, and unique UID implementation. These commonalities indicate the development of an end to end framework for implementing the Jupyter Infostealer.
Impact
- Browser data
- Exposure of sensitive information
Indicators of Compromise
Domain Name
- spacetruck[.]biz
- blackl1vesmatter[.]org
- vincentolife[.]com
- gogohid[.]com
MD5
- d30aa0149240031aafd4f57566cefb8d
- f7d9f73724462480462584b17be3ea82
- 06d74236c0066ecc4e733b0258ffe61d
- 1b341ab4421cdf28427858700ef41deb
- 63c9ace2fb8d1cb7eccf4e861d0e4e45
- 7be0725643c89e332b0434536a96de50
- 4103ba80694bab9cdd83df5a527378aa
- dbff4b0b195a9c771966d775ae9c1d4e
- 4eb6170524b5e18d95bb56b937e89b36
SHA-256
- 056c470dc745e56cbbe069d3c43a557f697e7f2afbd83c14471a1bdbf013e4af
- e57aa0e04235eef2c73870e07931d53efc1869743e0d6d07fc5c3ef3d71e464a
- 30e527e45f50d2ba82865c5679a6fa998ee0a1755361ab01673950810d071c85
- 3147cd2ee6938d50d2cdc7e157ad1125de2229bb35454cbde502746d6a36154d
- 3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01
- f16630378ba5cd07f2e131f3afa483c6f722406702d9201450c3be17f8b1081e
- 9d63af1cb88bb6b65e1d6c1f4467a728aeff1b8d07c2ef8c9b2e2f40b696a154
- a1a9137dea275aa805e5640f6450366dbf6e10be066e5c12c34904e45e469c4c
- 33d7f3bb788ea4bf9fffba9e528ec62ad38f02d03e63f78e427238f90a9ac75d
SHA1
- 6ad28e1810eb1be26e835e5224e78e13576887b9
- 942c1b5eb8ea14e2fa0d0b83a296cf37c8efa688
- f76e293d627c55eca18ce96e587fb8c6e37d8206
- d5a6ebdd65398f0a3591900192992220df49b03c
- 59488aa15eeb47cd0b024c8a117db82f1bc17a80
- 864fa452bef69f877917c6feebf245e77a213c9d
- b2ed7e45eec9afb74ffbfa90495824945b8a84c7
- ce9d62978c8af736935af5ed1808bfc829cbb546
- aecd083118b9333133c2f43f85558730285ed292
- 591f33f968ed00c72e2064e54ccb641272681cb4
- 3854bc3263c1bf3e3a79c0310e1b972bcb17b8a5
- 02a52b218756fa65e9fd8a9acb75202afd150e4c
- ea2b5b7bcc0efde95ef1daf91dcb1aa55e3458a9
- 1478b1ead914f03d801087dc0b4cca07b19c7f53
- 26af2e85b0a50bf2352d46350744d4997448e51d
- 261ed0f6c7b5052a6f4275a2c4d3207e56333b05
- 8133304181d209cb302fbcdbf3965b0b5c7fa20c
- 5bc62d38e3249c9e5cb6fe2cb4e11b4dfb3c8917
URL
- http[:]//vincentolife[.]com/j
Remediation
- Block the threat indicators at their respective controls.
- Keep your browsers updated to latest patched versions against all known vulnerabilities.
- Do not download untrusted files/zip files from random sources on the internet or those coming from unknown email addresses.
- Do not execute untrusted files on your system.