BlackBerry Blog

Jupyter Infostealer: Watch BlackBerry Bring It Down to Earth (Video)

CYBERSECURITY / 10.07.22 / Hector Diaz

Jupyter Infostealer lurks deep within legitimate installer packages, waiting for any opportunity to steal sensitive user data. After activation, this threat receives executables and malicious PowerShell scripts from its command-and-control (C2) server, including an infostealing module which swipes the user’s log-on credentials, administrative rights, workgroup and browser password databases.

Jupyter can also grab cookies from common browsers such as Google Chrome™, Microsoft Edge®, Opera, Brave, and Mozilla Firefox, along with login information and “autofill” data such as the user’s name, physical address, and email. Like many other information stealers, Jupyter also targets crypto wallets, as well as virtual private networks (VPNs) and remote access software.

In the past, Jupyter has gone by many names, including SolarMarker/Deimos, Polazert, and Yellow Cockatoo. Malware authors have continued improving its stealth features. For example, Jupyter is often wrapped inside .MSI files, which are large Windows® installer packages. Commonly, these packages are signed with legitimate digital certificates. While the packages’ legitimate files run, Jupyter executes malicious actions in the background through a small, well-hidden PowerShell script.

The developers of this infostealer do not appear to target specific organizations and seem to lack a fixed agenda. They instead tend to target any user who might fall into Jupyter's deceptive trap, which makes it a widespread threat.

BlackBerry Stonewalls Jupyter Infostealer

Watch our demo video below to learn more about Jupyter Infostealer attacks. See how BlackBerry defeats them using our cloud-enabled Endpoint Detection and Response (EDR) solution CylanceOPTICS® in conjunction with CylancePROTECT®, our artificial intelligence (AI) powered Endpoint Protection Platform (EPP).

DEMO VIDEO: BlackBerry vs. Jupyter Infostealer
 
Learn more about Jupyter Infostealer in our deep-dive blog, Threat Thursday: Jupyter Infostealer is a Master of Disguise.
 
Figure 1 – CylanceOPTICS detects each step Jupyter has taken in the system’s registry, providing essential information for threat containment and prevention.
 
Figure 2 – CylancePROTECT intercepts Jupyter immediately, preemptively stopping the attack before any damage occurs.
 

BlackBerry Assistance

The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form.

Video Transcript

In this video we are going to analyze Jupyter, an infostealer – considered a master of deception – that hides deep within legitimate installer packages. We configured our machine with CylanceOPTICS® in “audit only” mode to allow Jupyter's execution.

In this case, the file appears to be an installer for a legitimate, well-known PDF reader; it is more than 100 megabytes in size and does not trigger any alert on the system. It is signed with a valid certificate. However, deep within the code resides a relatively small, heavily obfuscated and encrypted PowerShell script that will run in the background. It looks just like a legitimate application, and it runs alongside the actual installation process.

Upon infection, it applies persistence on the registry and adds itself to the startup applications. Afterward, the attacker can deploy modules to steal user credentials and information across well-known internet browsers and crypto wallets.

To better understand what happens in the background, we can look at our root cause analysis on this file, where we can see all the network communication that has happened to download the necessary malicious files. We can also see the steps taken by this malware on our ‘detections’ tab with all the alerts that have been triggered from a process without common executable extensions, as well as what Jupyter has done in the registry to secure its persistence.
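The two behaviours the narration keeps coming back to, a PowerShell process started quietly by an installer and a registry Run-key value that brings it back at startup, are also what an analyst would look for in endpoint telemetry outside the CylanceOPTICS console. The script below is an added example, not code from BlackBerry or from the Jupyter analysis: it triages constructed, Sysmon-style process-creation (EventID 1) and registry-set (EventID 13) records for installer-spawned PowerShell, hidden-window and encoded command lines, Run/RunOnce persistence that points at PowerShell, and execution of a file without a common executable extension. The simplified `Key=Value|Key=Value` record format, every path, SID, value name and command line are constructed for the example.

```python
"""
Added example (not from the BlackBerry post or the Jupyter sample): triage of
constructed, Sysmon-style records for the behaviours the post attributes to
Jupyter. All paths, SIDs, value names and command lines are constructed.
"""
import base64
import re

# Constructed sample: fields separated by "|", each "Key=Value". Real Sysmon data
# would be read from EVTX/XML; this flat form keeps the example self-contained.
ENCODED_CMD = base64.b64encode("Start-Sleep 1".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    # 0: benign - the installer itself, launched by the user from Explorer
    "EventID=1|Image=C:\\Windows\\System32\\msiexec.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=msiexec.exe /i C:\\Users\\u\\Downloads\\pdfreader_setup.msi",
    # 1: installer spawning a hidden, encoded PowerShell command in the background
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\msiexec.exe"
    f"|CommandLine=powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand {ENCODED_CMD}",
    # 2: Run-key persistence value written by PowerShell, pointing back at PowerShell
    "EventID=13|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|TargetObject=HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\PdfHelper"
    "|Details=powershell.exe -w hidden -File C:\\Users\\u\\AppData\\Roaming\\PdfHelper\\run.ps1",
    # 3: a downloaded file executed under an extension that is not a normal executable one
    "EventID=1|Image=C:\\Users\\u\\AppData\\Local\\Temp\\svc.dat"
    "|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=svc.dat",
    # 4: benign - an administrator's visible, unencoded script run from Explorer
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
]

POWERSHELL = ("powershell.exe", "pwsh.exe")
INSTALLERS = ("msiexec.exe",)
COMMON_EXE_EXT = {".exe", ".com", ".scr", ".msi", ".dll"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+hidden\b", re.IGNORECASE)
# powershell.exe accepts abbreviated switches; these are the usual spellings of -EncodedCommand.
ENCODED_SWITCH = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' record into a dict; a value may itself contain '='."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable payload>"


def score_event(evt):
    """Return the reasons this record deserves analyst attention (empty list if none)."""
    reasons = []
    image = basename(evt.get("Image", ""))
    parent = basename(evt.get("ParentImage", ""))
    cmd = evt.get("CommandLine", "") or evt.get("Details", "")

    if evt.get("EventID") == "1":
        if image in POWERSHELL and parent in INSTALLERS:
            reasons.append(f"PowerShell spawned by installer process {parent}")
        ext = "." + image.rsplit(".", 1)[-1] if "." in image else ""
        if ext not in COMMON_EXE_EXT:
            reasons.append(f"process image lacks a common executable extension ({image})")
    elif evt.get("EventID") == "13" and RUN_KEY.search(evt.get("TargetObject", "")):
        if any(ps in cmd.lower() for ps in POWERSHELL):
            reasons.append("Run/RunOnce persistence value launches PowerShell")

    if HIDDEN_WINDOW.search(cmd):
        reasons.append("PowerShell asked to run with a hidden window")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append(f"encoded PowerShell command, decodes to: {decoded!r}")
    return reasons


def triage(lines):
    """Score every record; return [(record index, reasons)] for those that fire."""
    hits = []
    for i, line in enumerate(lines):
        reasons = score_event(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"record {idx}:")
        for r in reasons:
            print("  -", r)
```

On the constructed sample, records 1, 2 and 3 fire and the two benign records do not; the installer-spawned PowerShell record accumulates three reasons at once, which is the kind of stacking that separates a Jupyter-style launch from an administrator's own script. Decoding the `-EncodedCommand` payload in place is worth the extra lines because the decoded text, not the base64 blob, is what goes into the incident ticket.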

For additional analysis, we can get more details about this file by identifying its properties, the certificate that has been used to sign the file, how many endpoints it has been detected on, as well as an extensive list of malicious threat indicators. These include the file’s anomaly, collection capability, deception, and destruction indicators.

When it comes to preventing these types of threats, CylancePROTECT® provides multiple layers of AI-based prevention to stop the PowerShell script: script control to intercept its attempt to load the malicious DLL into memory, memory protection, and conviction of the file by our machine learning model.


About Hector Diaz

Senior Technical Marketing Manager at BlackBerry

Hector Diaz is a Senior Technical Marketing Manager for Latin America and the Caribbean at BlackBerry. Hector works with Engineering and Product Management to translate technology concepts into digestible pieces, evangelizing and educating people about Artificial Intelligence (AI) applied to cybersecurity.

With over 15 years of experience in cybersecurity, Hector is a respected professional who is in-demand at trade shows, partner training and customer engagements across Latin America and the Caribbean Region.