Security researchers at Morphisec have found a malware campaign that uses a relatively new trojan and targets businesses and higher education institutions. Its purpose is to steal usernames, passwords and other personal information. It can also create a persistent backdoor on compromised systems. The trojan is called Jupyter and was discovered on the network of a higher education institution in the USA. Researchers believe the malware has been in use since at least May.
The attack is primarily aimed at data from the Chromium, Firefox and Chrome browsers, but it also creates a backdoor on breached systems, allowing attackers to execute PowerShell scripts and commands and to download and run other malware.
The Jupyter installer is disguised as a zip file. It often uses a Microsoft Word icon or carries a file name that makes it seem urgent to open (an "important document").
If the installer runs, it installs legitimate tools in an attempt to hide the real purpose of the installation: the download. It then runs malicious programs from temporary folders in the background.
Once installation on the victim's system is complete, the Jupyter trojan steals information including usernames, passwords, browsing history and cookies and sends it to a command and control server, apparently operated by the criminals. According to the researchers, the creator of the Jupyter trojan constantly changes the code to collect more information while making detection harder.
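The behaviour described above (an installer masquerading as a Word document, programs launched from temporary folders, and PowerShell used for follow-on commands) is the kind of thing a defender can triage from process-creation telemetry. The following is an added example, not code from Morphisec or from the report: it runs a few heuristic rules over constructed process-creation events loosely modelled on Sysmon Event ID 1 fields (the event dicts, paths and file names are invented for this example, and the rule names are my own).

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Image, ParentImage, CommandLine),
# invented for this example; they are not data from the Morphisec report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Important Document.docx.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\Important Document.docx.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Important Document.docx.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                    r"-File C:\Users\alice\AppData\Local\Temp\update.ps1"},
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files\Vendor\updater.exe" --check'},
]

# Path segment that marks a temporary folder (user Temp or C:\Windows\Temp).
TEMP_DIR_RE = re.compile(r"\\(Temp|Tmp)\\", re.IGNORECASE)
# Image is PowerShell (or the ISE host).
POWERSHELL_RE = re.compile(r"\\powershell(_ise)?\.exe$", re.IGNORECASE)
# A document-looking name that is really an executable, e.g. "x.docx.exe".
DOUBLE_EXT_RE = re.compile(r"\.(docx?|pdf|xlsx?|zip)\.(exe|scr|bat)$", re.IGNORECASE)
# PowerShell switches commonly used to run quietly; also used by legitimate
# admin scripts, so this is a triage signal rather than a block rule.
SUSPICIOUS_PS_FLAGS = ("-windowstyle hidden", "-executionpolicy bypass",
                       "-encodedcommand", "-noprofile")


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def analyse_event(ev: dict) -> list[Finding]:
    """Apply the heuristic rules to one process-creation event."""
    findings: list[Finding] = []
    image, parent, cmdline = ev["Image"], ev["ParentImage"], ev["CommandLine"]

    # Rule 1: an executable launched directly from a temporary folder.
    if TEMP_DIR_RE.search(image):
        findings.append(Finding("exec_from_temp", image, "image lives in a temp directory"))

    # Rule 2: executable whose name imitates a document (double extension).
    if DOUBLE_EXT_RE.search(image):
        findings.append(Finding("document_double_extension", image, "document-like name on an executable"))

    if POWERSHELL_RE.search(image):
        # Rule 3: PowerShell spawned by something running out of a temp folder.
        if TEMP_DIR_RE.search(parent):
            findings.append(Finding("powershell_from_temp_parent", image, f"parent: {parent}"))
        # Rule 4: PowerShell started with switches that hide or relax execution.
        low = cmdline.lower()
        hits = [flag for flag in SUSPICIOUS_PS_FLAGS if flag in low]
        if hits:
            findings.append(Finding("powershell_stealth_flags", image, ", ".join(hits)))
    return findings


def analyse_events(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in analyse_event(ev)]


def summarize(events: list[dict]) -> dict[str, int]:
    """Count findings per rule; useful as a quick triage view of a log batch."""
    counts: dict[str, int] = {}
    for f in analyse_events(events):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in analyse_events(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.image} ({finding.detail})")
    print(summarize(SAMPLE_EVENTS))
```

On the constructed events the benign `notepad.exe` and vendor updater produce nothing, while the fake "document" and the PowerShell it spawns trip four rules between them. The value of the parent/child rule is that it survives the code churn the researchers describe: the loader's file name and hash change, but a PowerShell host whose parent lives in a Temp folder is unusual regardless of the payload.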
At the moment, the aim of the criminals behind the Jupyter trojan is not clear. Most likely they use it to steal information and to gain further access to the networks of businesses and educational institutions. They could also steal extremely sensitive and important data to sell to other criminals (giving them access to victims' networks).
Morphisec researchers believe that the Jupyter trojan originates from Russia. Analysis showed that the malware connected to command and control servers located in Russia. Further analysis showed links to a Russian hacking forum.
Many of the command servers are currently inactive, but the admin panel is still active, which means that malware campaigns using Jupyter are likely to continue.