What is Malware as a Service (MaaS)?
Malware as a Service (MaaS) is a model where cybercriminals develop and sell or lease malware to other attackers.
This approach allows individuals or groups with limited technical skills to launch sophisticated cyberattacks by purchasing or renting malware tools and services. MaaS is often provided through online marketplaces on the dark web, where sellers offer various types of malware, including ransomware, spyware, and trojans, along with support services such as updates and customer support.
The Growing MaaS Marketplace
The Malware-as-a-Service (MaaS) marketplace is rapidly expanding, with new strains of malware being regularly introduced and attracting waves of new and previous attackers. The low barrier for entry, combined with the subscription-like accessibility and lucrative business model, has made MaaS a prevalent tool for cybercriminals. As a result, MaaS has become a significant concern for organizations and their security teams, necessitating heightened vigilance and advanced defense strategies.
Examples of Malware as a Service
- Ransomware as a Service (RaaS): Providers offer ransomware kits that allow users to launch ransomware attacks and share the ransom payments with the service provider.
- Phishing as a Service: Services that provide phishing kits, including templates and email lists, to facilitate phishing campaigns.
- Botnet as a Service: Renting out botnets to perform distributed denial-of-service (DDoS) attacks or other malicious activities.
- Information Stealer: Information stealers are a type of malware specifically designed to collect sensitive data from infected systems, such as login credentials, credit card numbers, personal identification information, and other valuable data.
How does information stealer malware work?
Information stealers are an often-discussed type MaaS tool used to harvest personal and proprietary information such as administrative credentials, banking information, and cryptocurrency wallet details. This information is then exfiltrated from target networks via command-and-control (C2) communication, allowing threat actors to monetize the data. Information stealers have also increasingly been used as an initial access vector for high impact breaches including ransomware attacks, employing both double and triple extortion tactics.
After investigating several prominent information stealers in recent years, the Darktrace Threat Research team launched an investigation into indicators of compromise (IoCs) associated with another variant in late 2023, namely the Jupyter information stealer.
What is Jupyter information stealer and how does it work?
The Jupyter information stealer (also known as Yellow Cockatoo, SolarMarker, and Polazert) was first observed in the wild in late 2020. Multiple variants have since become part of the wider threat landscape, however, towards the end of 2023 a new variant was observed. This latest variant achieved greater stealth and updated its delivery method, targeting browser extensions such as Edge, Firefox, and Chrome via search engine optimization (SEO) poisoning and malvertising. This then redirects users to download malicious files that typically impersonate legitimate software, and finally initiates the infection and the attack chain for Jupyter [3][4]. In recently noted cases, users download malicious executables for Jupyter via installer packages created using InnoSetup – an open-source compiler used to create installation packages in the Windows OS.
The latest release of Jupyter reportedly takes advantage of signed digital certificates to add credibility to downloaded executables, further supplementing its already existing tactics, techniques and procedures (TTPs) for detection evasion and sophistication [4]. Jupyter does this while still maintaining features observed in other iterations, such as dropping files into the %TEMP% folder of a system and using PowerShell to decrypt and load content into memory [4]. Another reported feature includes backdoor functionality such as:
- C2 infrastructure
- Ability to download and execute malware
- Execution of PowerShell scripts and commands
- Injecting shellcode into legitimate windows applications
Darktrace Coverage of Jupyter information stealer
In September 2023, Darktrace’s Threat Research team first investigated Jupyter and discovered multiple IoCs and TTPs associated with the info-stealer across the customer base. Across most investigated networks during this time, Darktrace observed the following activity:
- HTTP POST requests over destination port 80 to rare external IP addresses (some of these connections were also made via port 8089 and 8090 with no prior hostname lookup).
- HTTP POST requests specifically to the root directory of a rare external endpoint.
- Data streams being sent to unusual external endpoints
- Anomalous PowerShell execution was observed on numerous affected networks.
Taking a further look at the activity patterns detected, Darktrace identified a series of HTTP POST requests within one customer’s environment on December 7, 2023. The HTTP POST requests were made to the root directory of an external IP address, namely 146.70.71[.]135, which had never previously been observed on the network. This IP address was later reported to be malicious and associated with Jupyter (SolarMarker) by open-source intelligence (OSINT) [5].
![Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/669973708ae3bd007b761051_Screenshot%202024-07-18%20at%2012.55.55%20PM.avif)
This activity triggered the Darktrace / NETWORK model, ‘Anomalous Connection / Posting HTTP to IP Without Hostname’. This model alerts for devices that have been seen posting data out of the network to rare external endpoints without a hostname. Further investigation into the offending device revealed a significant increase in external data transfers around the time Darktrace alerted the activity.
Packet capture (PCAP) analysis of this activity also demonstrates possible external data transfer, with the device observed making a POST request to the root directory of the malicious endpoint, 146.70.71[.]135.
![PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/669973c9c7e48724389cdff4_Screenshot%202024-07-18%20at%2012.57.50%20PM.avif)
In other cases investigated by the Darktrace Threat Research team, connections to the rare external endpoint 67.43.235[.]218 were detected on port 8089 and 8090. This endpoint was also linked to Jupyter information stealer by OSINT sources [6].
Darktrace recognized that such suspicious connections represented unusual activity and raised several model alerts on multiple customer environments, including ‘Compromise / Large Number of Suspicious Successful Connections’ and ‘Anomalous Connection / Multiple Connections to New External TCP Port’.
In one instance, a device that was observed performing many suspicious connections to 67.43.235[.]218 was later observed making suspicious HTTP POST connections to other malicious IP addresses. This included 2.58.14[.]246, 91.206.178[.]109, and 78.135.73[.]176, all of which had been linked to Jupyter information stealer by OSINT sources [7] [8] [9].
Darktrace further observed activity likely indicative of data streams being exfiltrated to Jupyter information stealer C2 endpoints.
In several cases, Darktrace was able to leverage customer integrations with other security vendors to add additional context to its own model alerts. For example, numerous customers who had integrated Darktrace with Microsoft Defender received security integration alerts that enriched Darktrace’s model alerts with additional intelligence, linking suspicious activity to Jupyter information stealer actors.
Conclusion
The MaaS ecosystems continue to dominate the current threat landscape and the increasing sophistication of MaaS variants, featuring advanced defense evasion techniques, poses significant risks once deployed on target networks.
Leveraging anomaly-based detections is crucial for staying ahead of evolving MaaS threats like Jupyter information stealer. By adopting AI-driven security tools like Darktrace / NETWORK, organizations can more quickly identify and effectively detect and respond to potential threats as soon as they emerge. This is especially crucial given the rise of stealthy information stealing malware strains like Jupyter which cannot only harvest and steal sensitive data, but also serve as a gateway to potentially disruptive ransomware attacks.
Credit to Nahisha Nobregas (Senior Cyber Analyst), Vivek Rajan (Cyber Analyst)
References
1. https://www.paloaltonetworks.com/cyberpedia/what-is-multi-extortion-ransomware
2. https://flashpoint.io/blog/evolution-stealer-malware/
3. https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
4. https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf
5. https://www.virustotal.com/gui/ip-address/146.70.71.135
6. https://www.virustotal.com/gui/ip-address/67.43.235.218/community
7. https://www.virustotal.com/gui/ip-address/2.58.14.246/community
8. https://www.virustotal.com/gui/ip-address/91.206.178.109/community
9. https://www.virustotal.com/gui/ip-address/78.135.73.176/community
Appendices
Darktrace Model Detections
- Anomalous Connection / Posting HTTP to IP Without Hostname
- Compromise / HTTP Beaconing to Rare Destination
- Unusual Activity / Unusual External Data to New Endpoints
- Compromise / Slow Beaconing Activity To External Rare
- Compromise / Large Number of Suspicious Successful Connections
- Anomalous Connection / Multiple Failed Connections to Rare Endpoint
- Compromise / Excessive Posts to Root
- Compromise / Sustained SSL or HTTP Increase
- Security Integration / High Severity Integration Detection
- Security Integration / Low Severity Integration Detection
- Anomalous Connection / Multiple Connections to New External TCP Port
- Unusual Activity / Unusual External Data Transfer
AI Analyst Incidents:
- Unusual Repeated Connections
- Possible HTTP Command and Control to Multiple Endpoints
- Possible HTTP Command and Control
List of IoCs
Indicators – Type – Description
146.70.71[.]135
IP Address
Jupyter info-stealer C2 Endpoint
91.206.178[.]109
IP Address
Jupyter info-stealer C2 Endpoint
146.70.92[.]153
IP Address
Jupyter info-stealer C2 Endpoint
2.58.14[.]246
IP Address
Jupyter info-stealer C2 Endpoint
78.135.73[.]176
IP Address
Jupyter info-stealer C2 Endpoint
217.138.215[.]105
IP Address
Jupyter info-stealer C2 Endpoint
185.243.115[.]88
IP Address
Jupyter info-stealer C2 Endpoint
146.70.80[.]66
IP Address
Jupyter info-stealer C2 Endpoint
23.29.115[.]186
IP Address
Jupyter info-stealer C2 Endpoint
67.43.235[.]218
IP Address
Jupyter info-stealer C2 Endpoint
217.138.215[.]85
IP Address
Jupyter info-stealer C2 Endpoint
193.29.104[.]25
IP Address
Jupyter info-stealer C2 Endpoint
