Researchers at Morphisec have described Jupyter, a .NET malware family found on the network of an unnamed US educational institution.
According to the researchers, the Trojan has been active since at least May of this year and is primarily aimed at stealing data from the Chromium, Firefox and Chrome browsers. In addition, the malware tries to establish a persistent backdoor on the compromised system that lets attackers execute PowerShell scripts and commands and download and run additional malware.
The Jupyter installer is usually an executable hidden inside a ZIP archive. The executable is often disguised with a Microsoft Word icon and a filename that urges the user to open it immediately (supposedly concerning important travel or a pay raise).
Once installed on a system, Jupyter steals data from the victim's browser, including usernames, passwords, autocomplete data, browsing history, and cookies. The malware sends the collected information to its command and control server.
The researchers write that the Jupyter developer is constantly modifying and extending the original code in an effort to collect as much information as possible about compromised machines. It is not yet clear what the ultimate goal of the campaign is, but in theory the stolen data could be sold, and the attackers could also use compromised machines as entry points into corporate networks for further attacks.
According to Morphisec, Jupyter was developed in Russia. For example, the malware's command and control servers are located in the Russian Federation, and the malware's administrative panel contains an image of the planet Jupiter whose original the researchers found on a Russian-language hacker forum. Moreover, the picture is captioned exactly as "Jupyter", even though the planet's name is spelled "Jupiter" in English, which suggests the malware's author does not know English very well.