Cyberattackers have been leveraging MSI installers to deliver the Jupyter .NET infostealer, The Hacker News reports.
Morphisec researchers noted that the new delivery chain abuses the Nitro Pro PDF application: it begins with the distribution of an MSI installer payload of more than 100 MB, built with the Advanced Installer app for obfuscation, which lets the threat actors evade anti-malware engines.
Running the MSI payload triggers execution of a PowerShell loader embedded in Nitro Pro 13. Researchers also found that two variants were signed with a certificate belonging to a Poland-based business, indicating that the certificate may have been spoofed or stolen. The loader then decodes and runs the Jupyter .NET module, according to the researchers.
"The evolution of the Jupyter infostealer/backdoor from when we first identified it in 2020 proves the truth of the statement that threat actors are always innovating. That this attack continues to have low or no detections on VirusTotal further indicates the facility with which threat actors evade detection-based solutions," said Morphisec researcher Nadav Lorber.