New variant of the Jupyter malware
Jupyter is an infostealer of probable Russian origin designed to steal victims' personal and sensitive information. Its primary function is to extract information stored in browsers such as Chromium, Firefox, and Chrome; it also includes backdoor functionality, which allows threat actors to execute PowerShell code and install additional malware on compromised machines. It is a multi-stage, packed and heavily obfuscated malware in which PowerShell code ultimately leads to the execution of a .NET backdoor.
A new variant of this infostealer has recently been identified (link). The compromise chain begins with an MSI file exceeding 100 MB in size; this size lets it evade scanning by online antivirus engines. The file appears to have been created with a trial version of Advanced Installer, software that builds all-in-one application packages.
General information:

Execution of the MSI payload triggers PowerShell code embedded within a legitimate Nitro Pro 13 binary. In the final execution phase of the sample, the Jupyter .NET module is decoded and executed in memory. During execution, contact is established with the C2 server at 37.120.237[.]251.
Sample relationships:

Two variants have been identified that are signed with certificates belonging to a Polish company. It is assessed that the threat actors obtained the certificate through a cyber attack against that organization. Analysis of such certificate abuse patterns is a critical component of Cyber Threat Intelligence operations, enabling defenders to correlate infrastructure reuse and supply-chain compromise indicators.
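The indicators in this report (an oversized MSI installer, msiexec.exe handing off to PowerShell, a connection to the reported C2 address, and a binary signed with the stolen certificate) can be turned into a simple endpoint-telemetry triage rule. The script below is an added example written for this page, not code from the original report or from the malware; the event records are constructed, the `COMPROMISED_SIGNERS` entry is a placeholder because the report does not name the Polish company, and the field names (`type`, `path`, `size`, `signer`, `parent_image`, `image`, `dest_ip`) are an assumed telemetry schema.

```python
"""Triage helper for the Jupyter delivery chain described in the report.

Added example (not the report's or the malware's code). It scores
constructed endpoint telemetry records against the indicators the report
gives: an MSI larger than 100 MB, msiexec.exe spawning powershell.exe,
a connection to the defanged C2 address 37.120.237[.]251, and an installer
signed with a certificate assessed as stolen from a Polish company.
"""

MSI_SIZE_THRESHOLD = 100 * 1024 * 1024  # 100 MB, the size the report cites

# Indicators are stored defanged, as published, and refanged for matching.
C2_DEFANGED = ["37.120.237[.]251"]

# Placeholder: the report does not name the Polish company whose certificate
# was abused, so a labelled stand-in value is used here.
COMPROMISED_SIGNERS = {"<COMPROMISED-POLISH-SIGNER-PLACEHOLDER>"}


def refang(indicator: str) -> str:
    """Convert a defanged indicator (37.120.237[.]251) into a matchable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_ADDRESSES = {refang(i) for i in C2_DEFANGED}


def triage_event(event: dict) -> list:
    """Return the list of indicator tags a single telemetry record matches."""
    findings = []
    kind = event.get("type")

    if kind == "file_write":
        path = event.get("path", "").lower()
        # Oversized MSI: the evasion trick the report describes.
        if path.endswith(".msi") and event.get("size", 0) > MSI_SIZE_THRESHOLD:
            findings.append("oversized_msi")
        # Installer signed with the certificate assessed as stolen.
        if event.get("signer") in COMPROMISED_SIGNERS:
            findings.append("compromised_signer")

    elif kind == "process_create":
        parent = event.get("parent_image", "").lower()
        image = event.get("image", "").lower()
        # MSI execution leading to PowerShell, the report's stage-two hand-off.
        if parent.endswith("msiexec.exe") and image.endswith("powershell.exe"):
            findings.append("msiexec_spawns_powershell")

    elif kind == "network_connect":
        if event.get("dest_ip") in C2_ADDRESSES:
            findings.append("known_c2_contact")

    return findings


def triage(events: list) -> dict:
    """Triage a batch of records; flag the chain when C2 contact is seen or
    when at least two distinct indicators co-occur on the host."""
    per_event = [(i, triage_event(e)) for i, e in enumerate(events)]
    tags = {t for _, found in per_event for t in found}
    suspected = "known_c2_contact" in tags or len(tags) >= 2
    return {
        "findings": [(i, f) for i, f in per_event if f],
        "tags": sorted(tags),
        "verdict": "jupyter_chain_suspected" if suspected else "no_match",
    }


# Constructed telemetry: one host showing the full chain plus benign noise.
SAMPLE_EVENTS = [
    {"type": "file_write", "path": "C:\\Users\\user\\Downloads\\setup_package.msi",
     "size": 112_000_000, "signer": "<COMPROMISED-POLISH-SIGNER-PLACEHOLDER>"},
    {"type": "process_create",
     "parent_image": "C:\\Windows\\System32\\msiexec.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"type": "network_connect", "image": "powershell.exe", "dest_ip": "37.120.237.251"},
    {"type": "file_write", "path": "C:\\Users\\user\\Downloads\\notes.msi",
     "size": 1_500_000, "signer": "Example Vendor Ltd"},
    {"type": "network_connect", "image": "chrome.exe", "dest_ip": "192.0.2.10"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for index, found in result["findings"]:
        print(f"event {index}: {', '.join(found)}")
    print("verdict:", result["verdict"])
```

The verdict rule is deliberately conservative: a single oversized MSI or a single signer match on its own is only a lead, while the C2 address (or two independent indicators on one host) is treated as sufficient to open an incident.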
