Jupyter trojan, the ransomware that targets businesses and higher education to steal usernames, passwords as well as other private information is active again
Jupyter trojan, the ransomware that targets businesses and higher education to steal usernames, passwords, and other private information, is active again. Recently, it has been observed targeting a higher education establishment in the U.S.
What happened?
The trojan has been active since May and targets data held by well-known web browsers, including Chromium, Firefox, and Chrome.
This trojan creates a persistent backdoor on compromised systems.
The trojan installer is hidden in a zipped file. It uses Microsoft Word icons and file names, pretending to be important documents, travel details, or a pay rise.
If the installer is executed, it installs genuine tools to hide the real goal of the installation: running a malicious installer from temporary folders in the background.
After getting installed on the system, it steals passwords, usernames, cookies, autocomplete data, and browsing history. It then sends the stolen data to a command and control (C2) server.
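The infection chain above starts with a zipped archive whose executable carries a Word icon and a document-style name. The following Python script is an added example, not code from the original report or from any vendor: it scans a zip archive and flags members that look like document lures but are actually executables, using three constructed heuristics (a document extension followed by an executable extension, a lure-themed name on an executable, and a PE "MZ" header under a non-executable extension). The sample archive, member names, lure words and extension lists are constructed assumptions for illustration, not Jupyter indicators.

```python
"""Flag zip members that look like document lures but are executables.

Added example (not from the original report). The heuristics, extension lists
and sample archive below are constructed assumptions, not Jupyter indicators.
"""
import io
import zipfile

# Extensions that actually execute on Windows (assumption: a typical deny-list)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".msi", ".hta", ".lnk"}
# Document extensions that lures imitate
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf"}
# Lure themes taken from the report (constructed word list)
LURE_WORDS = ("invoice", "travel", "pay", "raise", "salary",
              "itinerary", "document", "important")
# Every Windows PE file begins with "MZ", whatever its name says
PE_MAGIC = b"MZ"


def _split_exts(name):
    """Return (stem, [all extensions]) for the final path component."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[0], ["." + p for p in parts[1:]]


def classify_member(name, head):
    """Return the list of reasons a member looks like an executable lure.

    `head` is the first two bytes of the member's content.
    """
    reasons = []
    stem, exts = _split_exts(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            reasons.append("double extension: document name ending in executable")
        if any(w in stem for w in LURE_WORDS):
            reasons.append("executable with lure-themed name")
    if head.startswith(PE_MAGIC) and last not in EXECUTABLE_EXTS:
        reasons.append("PE header but non-executable extension")
    return reasons


def scan_zip(data):
    """Scan zip bytes; return {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample archive: one benign document and two lure-style members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quarterly_report.docx", b"PK\x03\x04 placeholder docx bytes")
        zf.writestr("Pay_Rise_Details.docx.exe", b"MZ\x90\x00 fake PE stub")
        zf.writestr("Travel_Itinerary.pdf", b"MZ\x90\x00 renamed PE stub")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_archive()).items():
        print(member, "->", "; ".join(why))
```

The scan reads only the first two bytes of each member, so it runs cheaply on a mail gateway or a sandbox ingest queue; a match is a reason to quarantine the archive for analyst review, not proof of infection, since legitimate software installers are also executables inside zips.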
Additional insights
The trojan originates from Russia and is linked to C2 servers located in the same region.
In addition, a reverse image search of the planet Jupiter image in the info stealer's admin panel traced its origin to a Russian-language forum.
The motive of the cybercriminals behind this trojan could be stealing highly sensitive data or selling login credentials to other cybercriminals.
Conclusion
The campaign is ongoing; therefore, organizations need to be aware and prepared to face such threats. Experts suggest using a reliable anti-malware solution, encrypting important information, blocking spam emails with email gateways, and training employees to spot malicious emails.