Anew threat to organizations has emerged. This dangerous Trojan steals passwords and user credentials from compromised systems and is highly difficult to detect. It has been dubbed Jupyter, and although it was detected by cybersecurity analysts in November, some suspect that it has been active at least since May.

Experts warn that the complexity of this sophisticated Trojan may be why it has gone undetected by traditional cybersecurity solutions. The ability of Jupyter to camouflage itself lies in the fact that each version of the malware adds an unknown element that enables it to slip past antivirus programs.

Infostealer Trojans_

These attacks, as is typical with Trojans, start with an email attachment. Jupyter is disguised with Word or Excel icons in an attachment to an email with a subject field related to the intended victim of the attack. Although the precise scope and impact of this Trojan is unknown, we do know that, at present at least, it appears to target governmental and educational institutions, and was in fact discovered when analysts were helping a customer in the education sector.

The process begins when unsuspecting users click the attachment believing it to be work-related. These compressed ZIP attachments contain an executable (.EXE) which triggers the rest of the process. When it opens, a .NET C2 client is installed on the device memory (the Jupyter loader) which in turn downloads a PowerShell script that executes the .NET module on the device.

Two functions are then installed in memory to steal the information from the device (which is why it is considered an Infostealer Trojan). One of the functions compiles data about the system, while the other captures passwords, credentials, cookies, and digital certificates from the Firefox and Chrome browsers. The real threat of Jupyter is that the potential damage to an organization targeted by the malware is huge, given its ability to access user login details and, above all, the fact that it has been operating undetected for months.

As mentioned above, the first traces of Jupyter were detected last May and the bulk of these in a country that is no stranger to such cases: Russia. Although analysts have indicated that there is no firm evidence to confirm the origin of the Trojan, in addition to these early traces, investigators have also noted spelling and grammatical errors in English texts which are commonly associated with hackers from Russia.

Advanced solutions and protection of credentials_

To protect against this threat, organizations first and foremost should have advanced cybersecurity solutions that are capable of detecting such sophisticated malware. Cytomic EPDR is able to do this, thanks to the Zero-Trust Application service, which denies access to any binary file until classified as trusted along with many other endpoint prevention and protection capabilities.

In addition, and knowing that Jupyter affects the browsers mentioned above, another key security recommendation is to implement a robust password policy among staff.  It is advisable not to store login credentials (username and password) on browsers. In addition to Cytomic solutions on systems, it is advisable to have a password manager that encrypts and stores passwords in an application separate from the browser.

Finally, added to specific security solutions, the other key layer of security for any organization is the promotion of good practices among employees. Be suspicious and apply common sense and, as a general rule, don’t open email or messaging attachments until you are absolutely sure they are safe and from a trusted source. In this way, Trojans such as Jupyter will have far less chance of success.