November 6, 2023 at 01:00PM
An updated version of the information stealer Jupyter has resurfaced with new tactics for establishing a persistent presence on compromised systems. The malware combines modified PowerShell commands with signatures generated from the private keys of various certificates so that the dropped payload appears to be a legitimately signed file. It is delivered through SEO poisoning and malvertising that trick users into downloading it from lookalike sites. Once running, it can harvest credentials, establish encrypted command-and-control communication, and execute arbitrary commands. Other stealer families, such as Lumma and Mystic Stealer, have also evolved, adding loader functionality for better obfuscation and for distributing additional malware. Malware loaders such as PrivateLoader and Amadey have been observed infecting thousands of devices with a proxy botnet called Socks5Systemz, which forwards traffic on behalf of other actors.
Key takeaways:
– An updated version of the Jupyter malware, known as Jupyter Infostealer, has emerged with modifications to establish persistence on compromised systems.
– Jupyter Infostealer uses manipulated SEO tactics and malvertising to trick users into downloading it from suspicious websites.
– The malware can harvest credentials, establish encrypted command-and-control communication, and execute arbitrary commands.
– The latest set of artifacts uses various certificates to make the malware appear legitimately signed; a valid signature therefore says nothing about the signer's intent.
– Stealer families, including Lumma Stealer and Mystic Stealer, are evolving with improved obfuscation and loader functionality that supports more sophisticated attacks.
– Newer families such as Akira Stealer and Millenium RAT are designed for data theft and remote access.
– Malware loaders like PrivateLoader and Amadey have been observed infecting devices with the Socks5Systemz proxy botnet, possibly of Russian origin.
– The proxy service offered by the botnet is available through various subscription plans and has approximately 10,000 infected systems worldwide.
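Since the campaign relies on signed payloads dropped by a user download, a practical first check on an endpoint is to enumerate recently written executables in user-writable locations and report their Authenticode state and signer, treating "valid but unfamiliar publisher" as a review item rather than as trusted. The script below is an added example, not code from the article or from any of the reports it summarizes; the scanned paths, the age window and the `$KnownPublishers` allowlist are illustrative assumptions to adapt to your environment.

```powershell
# Added example: triage recently written executables by Authenticode status and signer.
# Assumptions (not from the article): the paths, the 7-day window and the allowlist below.
param(
    [string[]]$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA"),
    [int]$Days = 7
)

# Illustrative allowlist of publisher subjects you expect to see; extend it for your fleet.
$KnownPublishers = @(
    'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)

$since = (Get-Date).AddDays(-$Days)
$files = Get-ChildItem -Path $Paths -Recurse -File -Include *.exe,*.dll,*.msi,*.ps1 -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since }

$results = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $cert = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '' }

    # Valid + known publisher  -> SignedKnown
    # Valid + unknown publisher -> SignedUnknownPublisher (the case described above: a real
    #                              signature from a certificate you have no reason to trust)
    # NotSigned                 -> Unsigned
    # anything else (HashMismatch, NotTrusted, UnknownError, ...) -> Invalid(<status>)
    $verdict = switch ($sig.Status) {
        'Valid'     { if ($KnownPublishers -contains $subject) { 'SignedKnown' } else { 'SignedUnknownPublisher' } }
        'NotSigned' { 'Unsigned' }
        default     { "Invalid($($sig.Status))" }
    }

    [pscustomobject]@{
        Verdict    = $verdict
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        NotBefore  = if ($cert) { $cert.NotBefore } else { $null }   # recently issued certs deserve a closer look
        LastWrite  = $f.LastWriteTime
        Path       = $f.FullName
    }
}

# Surface signed-but-unfamiliar files first: a Valid status only proves that the holder of the
# private key signed the file, not that the holder is a publisher you expect on this machine.
$results |
    Sort-Object @{ Expression = { $_.Verdict -eq 'SignedUnknownPublisher' }; Descending = $true }, LastWrite -Descending |
    Format-Table Verdict, Status, Signer, NotBefore, Path -AutoSize
```

Run it in an elevated PowerShell session on the host under review; the `Thumbprint` and `NotBefore` columns give you the values to pivot on when checking whether the same certificate appears on other endpoints or in threat-intelligence sharing.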