Threat Management, Malware, Phishing

New Separ credential-stealing campaign abuses legit tools and executables

A new phishing campaign distributing the credential-stealing malware Separ has over the last few weeks reportedly affected hundreds of business organizations, primarily those located in Southeast Asia and the Middle East.

The malware has been uploading stolen data from infected entities on a daily basis, with additional targets based in North America, according to a Feb. 19 corporate blog post authored by Guy Propper, a researcher with Deep Instinct.

Victims of the scam receive phishing emails featuring attachments in the form of fake PDF documents, which are actually self-extracting archives containing a series of files and collectively work to launch the Separ payload. These include a VBScript, two batch scripts and four executable files, some with names that appear to imitate Adobe.

Typically, the emails allude to pricing quotes, shipments and equipment specs in order to trick business recipients into opening these attachments. If they do, the self-extracting archive runs the VBScript, which in turn calls the first batch script, which sets up directories and copies certain files to them before producing the second batch script.

Among other malicious actions, the second batch script launches legitimate email and browser password-dumping tools from SecurityXploded in order to steal user credentials for exfiltration. Next, Separ abuses the legit FTP client ancp.exe to upload stolen files to the also legit hosting service

The malware also abuses the legitimate executables  xcopy.exe, attrib.exe and sleep.exe for its own nefarious purposes. "The [malicious] use of scripts and legitimate binaries, in a 'Living off the Land' scenario, means the attacker successfully evades detection, despite the simplicity of the attack," Propper explains.

"We were able to access the FTP server several times, and the growth in the number of victims was clearly visible, meaning the attack is ongoing and successfully infecting many victims," Propper continues, noting that stolen data has included "ipconfig results in addition to email and browser passwords."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.