Search This Blog

Showing posts with label Backdoor. Show all posts

Jupyter Trojan Steals Chrome Firefox Data and Opens Backdoor

Researchers at Morphisec has recently discovered a trojan malware campaign targeted at stealing information from businesses and higher education. Reportedly, the malware named Jupyter has been used by Russian speaking hackers to gather data from various software. 

Primarily targeting Google Chrome, Mozilla Firefox, and Chromium code in itself, Jupyter's attack chain, delivery, and loader demonstrate additional capabilities such as a C2 client, execution of PowerShell scripts and commands, hollowing shellcode into legitimate windows configuration applications, for full backdoor functionality. 

The infostealer's attack begins with a zip file containing an installer which typically impersonates legitimate software like Docx2Rtf. When the installer is executed, a .NET C2 client is inserted into memory. Jupyter loader has a well-defined protocol, persistence modules, and versioning matrix, it furthers with downloading the next stage, a PowerShell command to execute the Jupyter injected in memory earlier. Now using the commonalities between both the .Net components an end-to-end framework is developed for the implementation of the Jupyter infostealer as both have similar code, obfuscation, and unique UID implementation. 
 
As per the analysis published by Morphisec, "Jupyter is an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality.” 
 
"Morphisec has monitored a steady stream of forensic data to trace multiple versions of Jupyter starting in May 2020. While many of the C2s are no longer active, they consistently mapped to Russia when we were able to identify them," read the report. 

Over the last 6 months, these installers have given exceptional results at bypassing security scanning controls, some among these installers even maintained 0 detections in VirusTotal.

Multiple versions of Jupyter were traced back to Russia and the planet name was noticeably misspelled from Russian to English, as per the Morphisec researchers who also found out the same image on Russian-language forums upon running a reverse Google Image search of the C2 admin panel image, concluding that the attack has Russian origins. 
 
"This is the first version seen in the wild of the infostealer stealing information (autocomplete, cookies, and passwords) only from Chrome browsers," said researchers. 

"This version added Firefox information stealing (cookies, logins, certificates, and form history). This version uses the same technique of copying the stolen information before accessing it to evade detection." The researchers further added.

Experts Discover Backdoor Malware in Chinese Tax Softwares named "GoldenHelper"


Trustwave has found a new malware (backdoor) named GoldenHelper. The malware is encoded in Golden Tax Invoice Software. It's under the Golden Tax Project of China's government, and its function is issue invoice and adds VAT (Value Added Tax). In June, experts had also discovered another malware named GoldenSpy. The backdoor malware was embedded within tax softwares that the Chinese companies had to install, to work in the financial sector. The backdoor malware GoldenHelper is entirely distinct from GoldenSpy.


However, both the malware function in a similar way. The backdoor malware gains entry into the international company's network operating in China to steal information. The GoldenHelper campaign distribution was active between January 2018 to July 2019 (the operations ceased to exist after January 2020). It should be noted that the GoldenSpy campaign also became active in April 2020.

The malware uses intelligent techniques to cover its usage activity when it's in function. Popular methods include using arbitrary files pattern, systems locations, and names while in transition. "The Golden Tax Project is a national program in China, impacting every business operating in China. We are currently aware of only two organizations authorized to produce Golden Tax software, Aisino, and Baiwang. This is now the second Golden Tax software package that Trustwave SpiderLabs has found to contain a hidden backdoor capable of remotely executing arbitrary code with SYSTEM level privileges," says Trustwave in its report. 

About GoldenHelper's Activity 

  • It doesn't ask user permission to gain access (UAC Bypass) 
  • Obfuscation- Randomization of file names 
  • Timestomping- Randomization while generating timestamps of "creation" and "last write." 
  • Arbitrarily downloads executable using fake file names. 

"During our investigation, we have been informed that the Golden Tax software may be deployed in your environment as a stand-alone system provided by the bank. Several individuals report receiving an actual Windows 7 computer (Home edition) with this Golden Tax software (and GoldenHelper) preinstalled and ready to use. This deployment mechanism is an interesting physical manifestation of a trojan horse," says Trustwave in a report published on its website.