An ongoing phishing campaign is using a new variant of Separ malware to infect hundreds of businesses located mainly in Southeast Asia, the Middle East, and North America. The attack started at the end of January and has affected around 200 companies and over 1,000 individuals.
According to Guy Propper from security firm Deep Instinct, the credential stealer Separ malware is unique as it uses a combination of very short scripts or batch files and legitimate executable to evade detection. Thus, Separ is one of the excellent examples among the malware that uses the advanced and evasive technique commonly termed as ‘Living Off the Land’.
About the campaign
The attack starts with a phishing email that contains a malicious attachment. In this case, the malicious attachment is a decoy PDF document that purports to be a self-extracting executable. This fake document relates to bogus quotations, shipments and equipment specifications.
Once the victim clicks on the attached PDF document, the self-extractor calls wscript.exe to run a Visual Basic Script (VB Script) called adobel.vbs. When the VB Script starts running, it executes an array of short batch scripts which have various malicious functions.
The scripts are disguised as fake Adobe-related programs to avoid detection by anti-virus.
“The self-extractor contains within itself all files used in the attack – a VB Script, two batch scripts and four executable files, with the following names: adobel.vbs, adob01.bat, adob02.bat, adobepdf.exe, adobepdf2.exe, ancp.exe and Areada.exe,” researchers said. “Many of the files are named to resemble files related to Adobe,” said Propper in a blog post.
In order to steal credentials, the new version of Separ malware uses a range of password-dumping tools provided by SecurityXploded. The malware also uses a File Transfer Protocol (FTP) client to upload its stolen data to a legitimate service called freehostia[.]com.
“Both the executable and the service are legitimate – ancp.exe’s source is NcFTP, a legitimate FTP software provider, while FreeHostia is a well-known and widely-used hosting service. The upload is performed using hard-coded user names and passwords. Using these credentials, we were able to access the FTP, and view data organized into several clients,” Propper added further.
Given the simple attack mechanism used by Separ malware, experts believe that there will be a growth in the number of attacks, performed by the malware, in the future.