Jupyter: A Cyberspace Invader Stealing SLTT Data
The Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Threat Intelligence Team (CTI) assesses with moderate confidence that Jupyter, a highly evasive and adaptive .NET infostealer, will continue to opportunistically target state, local, tribal, and territorial (SLTT) organizations. Cyber Threat Actors (CTAs) have deployed Jupyter widely, leveraging SEO-poisoning to create watering hole sites, increasingly infecting SLTT entities since September. Recommendations to better secure your organization are at the end of this report.
Jupyter (aka SolarMarker) deploys a multi-stage process, leveraging PowerShell and legitimate tools, such as Slim PDF Reader, to drop secondary payloads that fingerprint the victim, collecting the computer name, OS version, architecture, permissions, and user identifier.1 Jupyter is likely impacting SLTTs as part of a broader opportunistic effort, since the malware is affecting an array of sectors, including finance, healthcare, and education.2 Following a spike in activity during the fall, SLTT Jupyter infections subsided, with no incidents in December and a small resurgence over the past month.
The MS-ISAC determined that SLTT victims became aware of infections when their endpoint detection and response (EDR) services alerted on unauthorized PowerShell commands attempting to communicate with command and control (C2) infrastructure. The MS-ISAC continues to investigate why the Jupyter operators are harvesting victim information; CTAs commonly leverage infostealers for financial gain and intellectual property theft. Security researchers have observed the Jupyter operators frequently adapting their tactics, techniques, and procedures (TTPs) and malware, so intrusion details are likely to vary across infections.
Despite the irregularity in Jupyter TTPs, several features are common across publicly reported and MS-ISAC-observed breaches. Prior to infection, the Jupyter operators seed over 2,000 keywords into malicious pages hosted on Google and WordPress3 sites to push them up search engine rankings, a technique known as SEO poisoning,4 thereby increasing the likelihood that an unsuspecting user will visit the page. Analysis of an SLTT Jupyter incident revealed that the initial infection occurred after an end user downloaded a malicious file, embedded with an executable, from a form on a compromised website. The malicious files often carry an unassuming name, such as ‘Assignment-Of-Proprietary-Lease-Form-.exe’, to lure users into opening them. The installer launches the malicious executable and then an MSI payload of over 100 MB bundled with Nitro Pro 13; the oversized file lets it bypass antivirus products that do not scan files above a size limit.
All observed attacks have shared the objective of harvesting and communicating victim information, including from BIOS and browser, to a C2 address. Appendix “Figure 2” depicts Jupyter’s commonly observed four-stage infection chain, starting with the web-hosted malicious executable.
Indicators of Compromise5
Jupyter frequently shifts infrastructure, so the IPs listed below may no longer be active. Organizations are encouraged to leverage these IOCs for threat hunting.
File Locations
- AppData\Local\Temp\
- .\Users\’username’\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Targeted File Types
Abused Native Applications
MITRE ATT&CK Patterns Observed6
- Execution: T1059.001 Command and Scripting Interpreter: PowerShell
- Defense Evasion: T1027 Obfuscated Files or Information
- Defense Evasion: T1218.007 Signed Binary Proxy Execution: Msiexec
- Discovery: T1083 File and Directory Discovery
- Discovery: T1082 System Information Discovery
- Discovery: T1033 System Owner/User Discovery
- Collection: T1005 Data from Local System
- Command and Control: T1071 Application Layer Protocol
- Exfiltration: T1041 Exfiltration Over C2 Channel
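A hunting script for the behaviors in the IOC and ATT&CK sections above, written here as an added example in Python (it is not MS-ISAC tooling or Jupyter code): it runs simple rules over constructed Sysmon-style events (process creation, network connection, file creation), tags each hit with the technique ID from the table, and raises the priority of a PowerShell process that combines hidden or encoded execution with an outbound connection, which is the pattern the EDR alerts described earlier keyed on. The event layout, sample paths and PIDs, the documentation IP 203.0.113.45 standing in for C2, the `size` field, and the 100 MB threshold are all assumptions for the demonstration.

```python
"""Hunting rules for the Jupyter/SolarMarker behaviours listed above.
Added example, not MS-ISAC code; runs over constructed Sysmon-style events."""
import re
from collections import defaultdict

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
DECOY_EXE = r"C:\Users\jdoe\Downloads\Assignment-Of-Proprietary-Lease-Form-.exe"

# Constructed telemetry modelled on Sysmon event IDs 1 (process create),
# 3 (network connection) and 11 (file create). The "size" field is assumed to
# come from an EDR file inventory; Sysmon itself does not report file size.
# The -enc blob and 203.0.113.45 (a documentation address) are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": DECOY_EXE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": DECOY_EXE},
    {"id": 11, "pid": 4100, "image": DECOY_EXE,
     "target": r"C:\Users\jdoe\AppData\Local\Temp\NitroPro13.msi", "size": 125_000_000},
    {"id": 1, "pid": 4120, "image": MSIEXEC, "parent": DECOY_EXE,
     "cmdline": r"msiexec.exe /i C:\Users\jdoe\AppData\Local\Temp\NitroPro13.msi /qn"},
    {"id": 1, "pid": 4130, "image": PS_IMAGE, "parent": MSIEXEC,
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"id": 3, "pid": 4130, "image": PS_IMAGE, "dest_ip": "203.0.113.45", "dest_port": 443},
    {"id": 11, "pid": 4130, "image": PS_IMAGE,
     "target": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # Benign administrator activity that must not fire any rule.
    {"id": 1, "pid": 5000, "image": PS_IMAGE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile Get-ChildItem C:\\Logs"},
    {"id": 3, "pid": 5000, "image": PS_IMAGE, "dest_ip": "10.0.0.5", "dest_port": 445},
]

ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)")
HIDDEN_PS = re.compile(r"(?i)-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass")
TEMP_MSI = re.compile(r'(?i)\\AppData\\Local\\Temp\\[^\s"]+\.msi')
STARTUP_DIR = re.compile(r"(?i)\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\")
MAX_SCANNED_MSI = 100 * 1024 * 1024  # assumed AV scan-size ceiling (100 MB, as cited above)


def is_private_ip(ip):
    """RFC 1918 or loopback; anything else is treated as a candidate C2 destination."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, technique, pid) for every event matching a Jupyter-style rule."""
    findings = []
    for ev in events:
        name = image_name(ev["image"])
        if ev["id"] == 1 and name == "powershell.exe":
            if ENCODED_PS.search(ev["cmdline"]):
                findings.append(("encoded_powershell", "T1059.001/T1027", ev["pid"]))
            if HIDDEN_PS.search(ev["cmdline"]):
                findings.append(("hidden_or_bypass_powershell", "T1059.001", ev["pid"]))
        elif ev["id"] == 1 and name == "msiexec.exe" and TEMP_MSI.search(ev["cmdline"]):
            findings.append(("msiexec_package_from_temp", "T1218.007", ev["pid"]))
        elif ev["id"] == 3 and name == "powershell.exe" and not is_private_ip(ev["dest_ip"]):
            findings.append(("powershell_external_connection", "T1071", ev["pid"]))
        elif ev["id"] == 11 and STARTUP_DIR.search(ev["target"]):
            findings.append(("startup_folder_write", "persistence (IOC path above)", ev["pid"]))
        elif ev["id"] == 11 and ev["target"].lower().endswith(".msi") \
                and ev.get("size", 0) > MAX_SCANNED_MSI:
            findings.append(("oversized_msi_dropped", "AV size-limit evasion", ev["pid"]))
    return findings


def prioritise(findings):
    """Group hits by PID: encoded/hidden PowerShell plus an external connection is 'high'."""
    by_pid = defaultdict(set)
    for rule, _technique, pid in findings:
        by_pid[pid].add(rule)
    severity = {}
    for pid, rules in by_pid.items():
        ps_hit = rules & {"encoded_powershell", "hidden_or_bypass_powershell"}
        severity[pid] = "high" if ps_hit and "powershell_external_connection" in rules else "medium"
    return severity


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for rule, technique, pid in hits:
        print(f"pid={pid:<5} {rule:<32} {technique}")
    print(prioritise(hits))
```

To use it on real data, replace `SAMPLE_EVENTS` with exported Sysmon or EDR events normalised to the same keys; the rules stay deliberately narrow so that routine PowerShell administration (the pid 5000 events) produces no findings, while the decoy-installer chain is surfaced at each stage and correlated to one high-priority process.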
Analytic confidence in this assessment is moderate. Source reliability is moderate, with several conflicts among sources that the CTI team attributes to Jupyter’s evolving tactics and infrastructure, as well as to variation in security researchers’ methodologies. The analyst used a Circleboard, a Timeline, and a Key Assumptions Check to perform this analysis.
For questions or comments, please contact us at [email protected].
Recommendations
- Malicious Domain Blocking and Reporting (MDBR):7 a service available to SLTTs that helps prevent systems from resolving malicious DNS requests. It provides an additional layer of protection by blocking known bad domains and is proven, effective, and easy to deploy.
- CIS Endpoint Security Services (ESS):8 a host-driven security solution available to SLTTs that is designed to help mitigate and prevent malicious files from executing on covered systems.
- Network Intrusion Detection (NID):9 the MS-ISAC’s NID, Albert Network Monitoring and Management, provides signature-based security alerts for both traditional and advanced network threats, helping organizations identify malicious Jupyter activity that leverages known TTPs and IOCs.
- Application Allowlists:10 recommended under CIS Critical Security Control 2 to help organizations actively manage (inventory, track, and correct) all software on the network so that only authorized software is allowed to run. Allowlist restrictions can prevent Jupyter from leveraging built-in tools such as PowerShell and msiexec to drop additional payloads.