Jupyter Trojan steals passwords from Chrome and Firefox — what to do

A photo composite of the planet Jupiter surrounded by an illuminated halo and a backround of stars and gas clouds.
(Image credit: NASA Images/Shutterstock)

A stealthy new Windows Trojan steals saved passwords, session cookies, hardware and software information and other valuable items from the Google Chrome and Mozilla Firefox browsers and from Windows itself. 

The malware — dubbed Jupyter by its finders at Israeli security firm Morphisec — has been active since at least May 2020, but it escaped detection by most antivirus software until last week.

That's partly because unlike most malware, Jupyter runs mostly in memory and leaves very little trace on a system's hard drive. Unfortunately, rebooting the machine doesn't get rid of the malware because it adds its setup routine to the Startup folder to reinstall itself when the machine boots.

Unlike many information stealers, Jupyter also has the ability to download and run additional software and creates a backdoor by which its operators — thought to be Russian cybercriminals — can remotely seize control of a Windows machine. (The name comes from an image of the planet, with the file name misspelled, used as the background of the malware's administrative panel.)

"Morphisec has monitored a steady stream of forensic data to trace multiple versions of Jupyter starting in May 2020," state a Morphisec blog post and the full Morphisec report. "While many of the C2s [malware command-and-control servers] are no longer active, they consistently mapped to Russia when we were able to identify them."

This story was first reported by Danny Palmer at ZDNet.

How Jupyter infects your machine

Jupyter arrives in the form of an email attachment purporting to be a Microsoft Word or Excel document regarding routine workplace or academic matters. Morphisec discovered the malware while "assisting a higher-education customer [likely a college or university] in the U.S. with their incident response."

But the attachment is really a program of its own which opens a Windows PowerShell script that triggers a complex series of events that ends up installing at least two different information-stealing functions in system memory. 

One function collects information about the infected machine; the other steals passwords, login session cookies, autocomplete items and digital certificates from Chrome or Firefox. 

Session cookies are what keep you logged into an online service, such as Facebook or Twitter, semi-permanently until you actively log out. Many such cookies are valid for months or even year, and would give anyone who stole them access to your account if you were still logged in using the same cookie.

The crooks would have to make it seem like they were accessing the service from your machine, but they could do so by using the machine profile the first information-stealing function already grabbed.

How to avoid Jupyter infection

As of this writing, most of the best antivirus programs detect at least one of the dozen or so Jupyter components unearthed by Morphisec. 

You can also give Jupyter little to steal if you don't let your browser save your passwords — use one of the best password managers instead — and by logging out of online accounts when you've finished using them for the day. And, of course, you should scan email attachments with your antivirus program before opening them.

But since many of the malware's core functions depend on using administrative-level Windows tools, another way to avoid infection would be to conduct most of your daily Windows work in a limited-user account that doesn't have administration rights. 

If you're logged in as a limited user and a windows pops up requesting an administrative account's password when you're just opening a Word document or an Excel file, then you'll know something is fishy. Deny the request for the admin password and start a full-system malware scan immediately.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.