Jupyter Trojan Steals Passwords from Chrome and Firefox — What to Do

Jupyter Trojan Steals Passwords from Chrome and Firefox — What to Do

A Windows Trojan steals stored passwords, session cookies, hardware and software information, and other valuable items from Google Chrome, Mozilla Firefox, and Windows itself.

The malware, named Jupyter by its discoverers at Israeli security firm Morphisec, has been active since at least May 2020 but had escaped detection by most antivirus software until last week.

One reason for this is that, unlike most malware, Jupyter runs almost exclusively in memory and leaves few traces on the system's hard drive. Unfortunately, rebooting the machine does not get rid of this malware. This is because the malware adds a setup routine to the startup folder to reinstall itself when the machine boots.

Unlike many information thieves, Jupyter also has the ability to download and run additional software, creating a backdoor through which its operator (believed to be a Russian cybercriminal) can remotely control a Windows machine. (The name comes from the image of a planet with a misspelled filename used as the background of the malware's administration panel.)

"Morphisec has been monitoring a steady stream of forensic data to track multiple versions of Jupyter since May 2020," said Morphisec's blog post and Morphisec's full report." Many of the C2s (malware command-and-control servers) are no longer active, but were consistently mapped to Russia when we were able to identify them."

This article was first reported by Danny Palmer of ZDNet.

Jupyter arrives in the form of email attachments disguised as Microsoft Word or Excel documents about routine workplace and academic matters; Morphisec discovered the malware while "assisting a US higher education customer (presumably a university) with incident response. Morphisec discovered the malware while "assisting a U.S. higher education client [presumably a university] with an incident.

However, the attachment is actually its own program, which opens a Windows PowerShell script and triggers a complex series of events that result in at least two different information-stealing functions being installed in system memory.

One function gathers information about the infected machine, while the other steals passwords, login session cookies, autocomplete items, and digital certificates from Chrome or Firefox.

Session cookies are those that keep you logged in to online services, such as Facebook or Twitter, semi-permanently until you log out. Many such cookies are valid for months or even a year, and if you are still logged in using the same cookie, anyone who steals it will have access to your account.

The scammer must make it look like they are accessing the service from your machine, and they can do so by using a machine profile that the first information-stealing function has already grabbed.

As of this writing, most of the best anti-virus programs detect at least one of the dozen or so Jupyter components unearthed by Morphisec.

You can also prevent Jupyter from stealing by not allowing your browser to save passwords (use one of the best password managers instead) and logging out of your online account after a day of use. Of course, before opening email attachments, they should be scanned with an antivirus program.

However, since much of the malware's core functionality relies on the use of administrator-level Windows tools, another way to avoid infection is to perform most of your daily Windows tasks with a limited user account that does not have administrative privileges.

If you are logged in as a limited user and are opening a Word document or Excel file when a window pops up requesting a password for the administrator account, you will know something is fishy. Reject the request for the administrator password and immediately begin a system-wide malware scan.

Categories