New Jupyter malware steals browser data first, then opens backdoor and steals even more

Jupyter malware is the newest threat in the wild. It is a trojan info stealer which also possesses full backdoor functionality. According to researchers at Morphisec, the malware campaign started off in May 2020. Since then, they tracked down a few different variants of Jupyter. The campaign goes on…. so beware.

Newly discovered Jupyter malware stealthily steals usernames and passwords

Jupyter is an info stealer that targets Chromium, Firefox, and Chrome browsers. The trojan malware is targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information as well as creating a persistent backdoor onto compromised systems.

As we said, the attack primarily targets popular browser data, but also has additional capabilities for opening up a backdoor on compromised systems, allowing attackers to execute PowerShell scripts and commands, as well as the ability to download and execute additional malware. Cybercriminals could use it to gain additional access to networks for further attacks – and potentially stealing highly sensitive data – or they could sell login credentials and backdoor access to systems to other criminals who access.

The Jupyter installer is disguised in a zipped file, often using Microsoft Word icons and file names that look like they need to be urgently opened. So – the old trick. If the installer is run, it will install legitimate tools in an effort to hide the real purpose of the installation. Once fully installed Jupyter steals information including usernames, passwords, autocompletes, browsing history and cookies, and sends them to a command and control server. Analysis of the malware showed that whoever created it constantly changes the code to collect more information while also making it harder for victims to detect.

Jupiter, not Jupyter…  The reverse image searching of the planet Jupiter in the info stealer’s admin panel revealed the original to come from a Russian-language forum. This image is also spelled Jupyter, likely a Russian to English misspelling of the planet’s name. 


Egregor ransomware tries to get your attention by shooting ransom notes from all available printers

Many businesses would rather hide a ransomware attack than make it public – including to employees. This won’t work in this case. Egregor operators try to pressure a victim into paying the ransom by repeatedly printing ransom notes from all available network and local printers after an attack.

The threat

Egregor is part of the Sekhmet malware family that has been active since mid-September 2020. The ransomware shares functionalities of other threat actors like Clop Ransomware. It possesses multiple anti-analysis techniques such as code obfuscation and packed payloads. The payload also employs anti-debugging and evasion techniques by using windows APIs to make the research and detection of the malware difficult. The payload data can only be decrypted with the correct command line argument, signifying that the file cannot be analyzed manually or using a sandbox without the exact command line parameter.

Back to the main topic – printers shooting ransomware notes everywhere. After the successful attack on retail giant Cencosud, we could see it in action…

The message is the same ransom note created on computers being printed to a receipt printer.

It looks like that it is not the ransomware executable performing the printing of ransom notes. Instead, it is believed that the ransomware attackers utilize a script at the end of an attack to print out ransom notes to all available printers. This script has not been found as of yet.

Source: 1 | 2

VoltPillager: Hardware-based fault injection attacks against Intel SGX enclaves

A group of six researchers from the University of Birmingham has devised a new attack technique, dubbed VoltPillager, that can break the confidentiality and integrity of Intel Software Guard Extensions (SGX) enclaves by controlling the CPU core voltage.

The attack leverages a low-cost tool that is used to inject Serial Voltage Identification (SVID) packets on the Serial Voltage Identification bus between the CPU and the voltage regulator on the motherboard (that can be built for $30). 

The injected packets allowed the researchers to fully control the CPU core voltage and perform fault-injection attacks.

The researchers discovered that on a standard motherboard there is a separate Voltage Regulator (VR) chip that generates and controls the CPU voltage. The experts devised VoltPillager tool to connect to the interface of the VR chip, which is not protected, and control that voltage.

The experts were able to mount fault-injection attacks that breach confidentiality and integrity of Intel SGX enclaves, and present proof-of-concept key-recovery attacks against cryptographic algorithms running inside SGX.

Experts pointed out that the patches for the CVE-2019-11157 vulnerability (Plundervolt) don’t protect against VoltPillager because they simply disable the software undervolting interface, but the hardware interface remains active.


Watch out – a new strain of card-skimming Grelos malware is on the loose

A new offshoot of the Grelos card-skimming malware – a common Magecart variant – is doing the rounds, according to infosec biz RiskIQ. 

This strain contains “a rehash” of the original code first seen in 2015-16, consisting of a loader and a skimmer, “both of which are base64 encoded five times over.” 

Spotted in the wild as part of the compromise of US-based Boom! Mobile earlier this year, the latest Grelos strain was linked to Fullz House, a hacking crew that combined the skills of two separate criminal gangs who respectively specialised in phishing and card skimming. 

Linked to Magecart in 2018, the Grelos malware operates in a similar manner: at heart it’s a card skimmer used for stealing customers’ credit card details from online retail websites.

Different skimmer strains linked to Grelos have been “using the same infrastructure or other connections through WHOIS records and other malicious activities, such as phishing and malware during this investigation,” wrote RiskIQ’s Herman, who added that the Grelos strain appears to be linked to the oldest known Magecart operators, identified as Groups 1 and 2.

Magecart is a recurring problem for e-commerce businesses and typically occur because companies are careless about where they embed Javascript on their websites as shown us British Airways and Ticketmaster.

The malware is operated by various groups, at least 12.


Do you have thirst for knowledge? There is ten more cybersecurity stories below

1. Unprotected database exposed a scam targeting 100K+ Facebook accounts (Security Affairs
2. More than 245,000 Windows systems still remain vulnerable to BlueKeep RDP bug (ZDNet)
3. Cisco fixed flaws in WebEx that allow ghost participants in meetings (Security Affairs)
4. Researchers Find Tens of AWS APIs Leaking Sensitive Data (Security Week)
5. Trump Fires CISA Director Chris Krebs (Dark Reading)
6. The worst passwords of 2020 show we are just as lazy about security as ever (ZDNet)
7. Starting next year, Chrome extensions will show what data they collect from users (ZDNet)
8. Phishing campaign targets LATAM e-commerce users with Chaes Malware (Security Affairs)
9. Capcom confirms Ragnar Locker ransomware attack, data exposure (ZDNet)
10. Facebook Messenger Bug Lets Hackers Listen to You Before You Pick Up the Call (The Hacker News)