Jupyter Stealer is an evolving info stealer that is commonly spread using backdoored installations. We have recently encountered a new and improved version of this malware, which allows its operator to upload and execute new payloads to infected devices.

The sample we analyzed came bundled with YTD Video Downloader & Video Converter, which is a popular software for downloading music and videos from the web. This installation orchestrates the whole infection process by dropping an encrypted PowerShell script that will be decrypted and executed by a hidden PowerShell process. Once decrypted, the script is responsible for setting up persistence, using the algorithm described here.

Our variant connects to its C&C server and sends back the computer information (in an encrypted form). It does not include the credentials stealing functionality hardcoded anymore, instead, it gets all functional modules from the C&C server. One of the malware’s capabilities, is to upload and execute .exe and .ps1 files to the victim’s machine. This leaves an attacker with the ability not only to execute different types of attacks, but also to steal any information from the victim’s computer.

Minerva Labs prevents Jupyter malware with our Living-off-the-Land Prevention technology, which interferes with attempts to misuse tools built into the system with the intention of causing damage. This module prevents threats from “trampolining” off such tools to infect the endpoint or cause damage.