Researchers at Deep Instinct have released a report on a phishing campaign that is proving remarkably successful. The campaign targets business credentials with a new variant of the Separ malware. Separ has been in use since at least 2017, and it is itself built on credential-stealing malware that dates back to 2013.
The report describes Separ and its attack tactics as follows:
The credential stealer Separ is unique, as it uses a combination of very short script or batch files, and legitimate executables, to carry out all of its malicious business logic. Therefore, Separ is an excellent example of the advanced and evasive attack technique commonly termed “Living Off the Land.” In addition, Separ masquerades as a fake Adobe-related program, using a fake PDF document as the initial infection vector, and malicious scripts and executable files named to resemble Adobe-related programs.
The campaign focuses on “hundreds of companies” in Southeast Asia and the Middle East, with a smaller number of targets in North America. The phishing emails goad users into downloading the supposed PDF, which launches a self-extractor. The self-extractor then calls wscript.exe to run a Visual Basic script named adobel.vbs, one of the Adobe-lookalike file names the report describes.
Once credentials have been collected, they are uploaded with the FTP client ancp.exe to freehostia.com, which Deep Instinct notes is a legitimate hosting service rather than attacker-owned infrastructure. Notably, the researchers found that “no attempt has been made by the attacker to evade analysis.” The attacker can afford this because, as Deep Instinct puts it, “the use of scripts and legitimate binaries, in a ‘Living off the Land’ scenario, means the Separ attacker successfully evades detection.” The practical consequence for defenders is that file signatures have little to key on: every component is a script or a legitimate tool, so detection has to rest on behaviour, such as process lineage, script-host activity and outbound FTP from user directories.
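To make the chain above concrete from the defender's side, the following is an added detection example (my own code, not from the Deep Instinct report or from the Separ samples) that runs over constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records and flags the stages the report describes: a script host running an Adobe-lookalike .vbs spawned by a self-extractor, followed by the legitimate FTP client ancp.exe connecting to freehostia.com on the same machine. The event field names are simplified from Sysmon; the Adobe-lookalike regex, the trusted-parent list, the 30-minute correlation window and the self-extractor name Adobe_Update.exe are all assumptions, and the sample events are constructed, not real telemetry.

```python
"""Behavioural detection for a Separ-style 'living off the land' chain.

Added example, not code from the Deep Instinct report. It scores simplified
Sysmon-style events and correlates a script host running an Adobe-lookalike
.vbs with the FTP client ancp.exe talking to freehostia.com on one host.
"""
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
FTP_CLIENTS = {"ancp.exe"}              # legitimate FTP client Separ abuses for upload
EXFIL_DOMAINS = {"freehostia.com"}       # upload destination named in the report
TRUSTED_PARENTS = {"explorer.exe", "cmd.exe"}   # assumed normal launchers of a script host
# Adobe-lookalike script/binary names such as adobel.vbs; the pattern itself is an assumption
ADOBE_LOOKALIKE = re.compile(r"\badobe\w*\.(?:vbs|bat|cmd|exe)\b", re.IGNORECASE)
CHAIN_WINDOW = timedelta(minutes=30)     # correlation window, an assumed tuning value


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_event(ev):
    """Apply the per-event rules; return (rule, severity) or None."""
    eid = ev["EventID"]
    image = basename(ev.get("Image", ""))
    if eid == 1 and image in SCRIPT_HOSTS:
        if ADOBE_LOOKALIKE.search(ev.get("CommandLine", "")):
            return ("script_host_adobe_lookalike", "high")
        if basename(ev.get("ParentImage", "")) not in TRUSTED_PARENTS:
            # e.g. a self-extractor spawning wscript.exe directly
            return ("script_host_unusual_parent", "medium")
    if eid == 1 and image in FTP_CLIENTS:
        return ("ftp_client_started", "medium")
    if eid == 3 and image in FTP_CLIENTS:
        host = ev.get("DestinationHostname", "").lower()
        to_exfil = any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)
        if to_exfil or ev.get("DestinationPort") == 21:
            return ("ftp_client_outbound", "high")
    return None


def detect(events):
    """Run the rules over a batch of events, then add one 'chain' finding per
    host when a script-host hit and an FTP hit fall within CHAIN_WINDOW."""
    findings, stages, escalated = [], {}, set()
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        hit = match_event(ev)
        if hit is None:
            continue
        rule, severity = hit
        host = ev["Computer"]
        findings.append({"host": host, "time": ev["UtcTime"], "rule": rule, "severity": severity})
        stage = "script" if rule.startswith("script_host") else "ftp"
        seen = stages.setdefault(host, {})
        seen[stage] = datetime.fromisoformat(ev["UtcTime"])
        if (host not in escalated and "script" in seen and "ftp" in seen
                and abs(seen["ftp"] - seen["script"]) <= CHAIN_WINDOW):
            escalated.add(host)
            findings.append({"host": host, "time": ev["UtcTime"],
                             "rule": "separ_lotl_chain", "severity": "critical"})
    return findings


# Constructed sample telemetry (not real logs). Paths, timestamps and the
# self-extractor name Adobe_Update.exe are invented for illustration.
TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2019-02-19T09:00:00",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": 'wscript.exe "' + TEMP + 'adobel.vbs"',
     "ParentImage": TEMP + "Adobe_Update.exe"},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2019-02-19T09:02:00",
     "Image": TEMP + "ancp.exe", "CommandLine": "ancp.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 3, "Computer": "WS01", "UtcTime": "2019-02-19T09:02:05",
     "Image": TEMP + "ancp.exe",
     "DestinationHostname": "freehostia.com", "DestinationPort": 21},
    # benign: a logon script run from explorer and a browser connection on another host
    {"EventID": 1, "Computer": "WS02", "UtcTime": "2019-02-19T09:01:00",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": 'wscript.exe "C:\\Scripts\\logon.vbs"',
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 3, "Computer": "WS02", "UtcTime": "2019-02-19T09:01:30",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']:5} {f['severity']:8} {f['rule']}")
```

Run as-is, the script reports four findings for WS01 (the lookalike script, the FTP client start, the escalated chain, and the outbound FTP connection) and nothing for WS02. None of the rules look at file hashes, because nothing in the chain is malware in the signature sense; they key on lineage and behaviour instead. In production the unusual-parent rule needs baselining, since plenty of legitimate installers also spawn wscript.exe, and the lookalike regex should be extended as new file names are reported.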
The threat actor also seems unconcerned about being identified, a brash display of arrogance. That arrogance may be their downfall when the authorities catch up: nobody is untouchable, and security researchers are getting better and better at anticipating criminal activity.
Featured image: Wikimedia