The Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Threat Intelligence Team (CTI) have uncovered Jupyter, a highly evasive and adaptive .NET infostealer, targeting state, local, tribal, and territorial (SLTT) organizations.
To exploit SLTT entities, malicious actors have installed Jupyter widely, leveraging SEO-poisoning to design watering hole sites.
Jupyter, also known as SolarMarker installs a multi-stage process, leveraging PowerShell and legitimate tools, such as Slim PDF Reader, to drop secondary payloads to fingerprint victim information, including computer name, OS version, architecture, permissions, and the user identifier.
According to MS-ISAC, Jupyter targeting SLTTs is a part of a broader opportunistic effort, since the malware is impacting a wide range of sectors, including finance, healthcare, and education. Following a surge in activity during the fall, SLTT-Jupyter infections subsided with no incidents in December and a small resurgence through this past month.
The targeted organizations became aware of infections when their endpoint detection and response services (EDR) warned of unauthorized PowerShell commands attempting to establish links with command and control (C2) traffic.
The researchers at MS-ISAC continue to investigate why malware authors are exfiltrating victims' private details. Additionally, researchers have noticed that Jupyter operators are altering their techniques, tactics, and procedures (TTPs), causing variation in intrusion details across infections.
Despite the irregularity in Jupyter TTPs, multiple features are common among public-sourced and MS-ISAC-observed breaches. Prior to infection, the Jupyter operators inject over 2,000 keywords to push malicious Google and WordPress sites up search engine rankings, using a technique known as SEO-poisoning, thereby increasing the likelihood that an unsuspecting user will visit the page.
Upon examining an SLTT Jupyter incident, researchers noticed that the initial infection occurred after an end-user attempted to install a malicious file embedded with an executable of a compromised website form.
