Separ malware phishing campaign targets businesses

Researchers at Deep Instinct have published a report on a phishing campaign that is proving remarkably effective. The campaign targets business credentials using a new variant of the Separ malware. Separ has been in use since at least 2017, and it builds on credential-stealing malware that dates back to 2013.

The report describes Separ and its attack tactics as follows:

The credential stealer Separ is unique, as it uses a combination of very short script or batch files, and legitimate executables, to carry out all of its malicious business logic. Therefore, Separ is an excellent example of the advanced and evasive attack technique commonly termed “Living Off the Land.” In addition, Separ masquerades as a fake Adobe-related program, using a fake PDF document as the initial infection vector, and malicious scripts and executable files named to resemble Adobe-related programs.

This phishing campaign focuses on “hundreds of companies” in Southeast Asia and the Middle East, with some targets in North America as well. The emails goad users into opening a fake PDF document that launches a self-extractor. The self-extractor then calls wscript.exe to run a Visual Basic script named adobel.vbs.

Once credentials have been collected, they are uploaded via the FTP client ancp.exe to freehostia.com, which Deep Instinct notes is a legitimate hosting service rather than criminal infrastructure. Notably, the researchers found that “no attempt has been made by the attacker to evade analysis.” The attacker apparently sees no need to: according to Deep Instinct, “the use of scripts and legitimate binaries, in a ‘Living off the Land’ scenario, means the Separ attacker successfully evades detection.” A script host and an FTP client that endpoint tools already trust draw far less scrutiny than a packed or obfuscated payload would, so the interesting signal is not the binaries themselves but the context in which they run.
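The chain described above (self-extractor, then wscript.exe running adobel.vbs, then ancp.exe uploading to freehostia.com) is built entirely from components that look benign in isolation, so a practical detection has to key on context: which directory the script host is launched from, who its parent is, whether the script name mimics a vendor whose install path it does not live in, and whether a script host then spawns a binary from a user-writable directory that names an external host. The following is an added example of that logic, written for this article and not code from Deep Instinct or from the malware; the process-creation events are constructed Sysmon-style samples (paths, PIDs and the ancp.exe command line are assumptions), and the rule names are ours.

```python
import re
from dataclasses import dataclass
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Paths an unprivileged user can write to. A self-extractor dropped by a
# phishing attachment lands here; managed scripts normally do not run from here.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|Downloads)\\", re.I)
ADOBE_INSTALL = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\Adobe\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)$", re.I)
# A bare hostname in a command line; common file extensions are excluded so
# tokens like "ancp.exe" or "creds.txt" are not mistaken for domains.
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+(?!(?:exe|dll|txt|vbs|pdf|zip)\b)[a-z]{2,}\b", re.I)


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_argument(cmdline: str) -> Optional[str]:
    """First quoted or bare command-line token that ends in a script extension."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        tok = quoted or bare
        if SCRIPT_EXT.search(tok):
            return tok
    return None


def analyze(ev: ProcEvent) -> list:
    """Rules that fire on a single event without needing its neighbours."""
    hits = []
    if basename(ev.image) in SCRIPT_HOSTS:
        script = script_argument(ev.cmdline)
        if script and USER_WRITABLE.search(script):
            hits.append("script_host_running_script_from_user_writable_dir")
        if script and "adobe" in basename(script) and not ADOBE_INSTALL.match(script):
            hits.append("adobe_lookalike_script_outside_adobe_install_dir")
        if USER_WRITABLE.search(ev.parent_image):
            hits.append("script_host_spawned_from_user_writable_dir")
    elif (basename(ev.parent_image) in SCRIPT_HOSTS
          and USER_WRITABLE.search(ev.image)
          and HOSTNAME.search(ev.cmdline)):
        hits.append("script_host_launched_uploader_naming_external_host")
    return hits


def detect(events) -> dict:
    """Per-event findings, plus a chain finding when a flagged uploader's
    parent process is itself a flagged script host."""
    by_pid = {e.pid: e for e in events}
    findings = {e.pid: analyze(e) for e in events}
    for e in events:
        if "script_host_launched_uploader_naming_external_host" in findings[e.pid]:
            parent = by_pid.get(e.ppid)
            if parent is not None and findings.get(parent.pid):
                findings[e.pid].append("separ_like_lotl_chain")
    return {pid: hits for pid, hits in findings.items() if hits}


# Constructed sample telemetry, not taken from the report.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    # Legitimate Acrobat opening a real PDF: must not fire.
    ProcEvent(100, 50, r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
              r"C:\Windows\explorer.exe", '"Acrobat.exe" invoice.pdf'),
    # Self-extractor dropped by the phishing attachment (assumed name).
    ProcEvent(200, 50, TEMP + r"\invoice.pdf.exe",
              r"C:\Windows\explorer.exe", '"invoice.pdf.exe"'),
    # The self-extractor calls wscript.exe to run adobel.vbs.
    ProcEvent(201, 200, r"C:\Windows\System32\wscript.exe",
              TEMP + r"\invoice.pdf.exe", f'wscript.exe "{TEMP}\\adobel.vbs"'),
    # The script runs the FTP client; the argument form is an assumption.
    ProcEvent(202, 201, TEMP + r"\ancp.exe",
              r"C:\Windows\System32\wscript.exe", f'"{TEMP}\\ancp.exe" freehostia.com'),
    # Legitimate logon script from a managed path: must not fire.
    ProcEvent(300, 51, r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\gpscript.exe", r'wscript.exe "\\corp\netlogon\logon.vbs"'),
]

if __name__ == "__main__":
    for pid, hits in detect(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Run against the sample, only PIDs 201 and 202 are reported; the legitimate Acrobat launch and the domain logon script stay quiet. The self-extractor itself (PID 200) is not flagged by these rules, which is deliberate: an executable run from Temp is too common to alert on alone, and the value comes from the child relationships it creates.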

The threat actor also seems unconcerned about being identified, a brash display of arrogance. That arrogance can be their downfall once the authorities catch up; nobody is untouchable in this day and age, as cybersecurity experts get better and better at anticipating criminal activity.

Featured image: Wikimedia

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
