An updated version of the Jupyter Infostealer malware, also known as Polazert, SolarMarker, and Yellow Cockatoo, has re-emerged with stealthier tactics designed to establish a persistent presence on compromised systems.
Researchers from VMware Carbon Black identified new waves of Jupyter Infostealer attacks that leverage PowerShell command alterations and private key signatures to make the malware appear as a legitimately signed file. This malware is known for using manipulated search engine optimization and malvertising to trick users into downloading it from dubious websites. It possesses the ability to harvest credentials, establish encrypted command-and-control (C2) communication, and execute arbitrary commands.
The latest version of Jupyter Infostealer utilizes various certificates to sign the malware, giving it an appearance of legitimacy. However, fake installers activate the infection chain upon launch. This development is part of the evolving landscape of stealers and remote access trojans, making entry into cybercrime more accessible for less-skilled actors. For instance, the Lumma Stealer has been updated to incorporate a loader and the ability to randomly generate builds for better obfuscation, potentially enabling more advanced attacks, including ransomware.
Another malware family, Mystic Stealer, has also introduced a loader functionality in recent versions to complement its information-stealing capabilities. The constant evolution and expansion of data theft capabilities within such malware demonstrate cybercriminals’ adaptability. Moreover, the emergence of stealers and remote access trojans like Akira Stealer and Millenium RAT further complicates the threat landscape. These tools come equipped with various features that facilitate data theft, making it increasingly challenging for cybersecurity professionals to combat these threats.
This report coincides with the observation of malware loaders like PrivateLoader and Amadey infecting thousands of devices with a proxy botnet called Socks5Systemz, which has been operational since 2016.
Security firm Bitsight revealed that there are at least 53 servers related to this botnet distributed across multiple countries, including France, Bulgaria, Netherlands, and Sweden. The primary objective of this campaign is to transform infected machines into proxies capable of forwarding traffic for various actors, potentially adding another layer of anonymity. This emerging cyber threat landscape underscores the need for robust cybersecurity measures to safeguard against increasingly sophisticated attacks.
