Deep Instinct has announced that it has identified a new phishing campaign that is spreading Separ malware.
Researchers at Deep Instinct identified the latest campaign in January 2019. The threat actors behind this version of the Separ information-stealing malware have been active since September 2017, with earlier versions dating back to 2013. Since then, the hackers have attacked more than 200 businesses and over 1,000 individuals.
Deep Instinct is a cybersecurity company that applies AI methods such as deep learning to cybersecurity. Deep Instinct’s researchers stated that hackers are targeting businesses in South East Asia and the Middle East in the latest campaign. However, some businesses in North America have also reported being attacked.
The hackers have designed a simple but effective attack strategy for the phishing campaign and the associated malware infection. The attack starts with a phishing email containing a fake PDF file that is actually a self-extracting executable. The emails claim to contain quotes, shipment notices, or equipment specifications, the details of which can be found by opening the PDF file.
When the user opens the attachment, the self-extractor calls wscript.exe, which runs a Visual Basic script (adobel.vbs) contained in the self-extractor. The VB script runs two small batch scripts. The first (adob01.bat) sets up directories and copies files using xcopy.exe and attrib.exe, then launches a second batch script (adob02.bat) that performs the malicious functions. An empty decoy JPEG file is opened to hide the command windows from the user.
The malware changes the firewall settings, and email credentials and credentials stored in browsers are stolen using SecurityXploded password-dumping tools. The credentials are exported using an FTP client to freehostia.com. Both the FTP client and the hosting service are legitimate, so the data theft may go undetected.
Deep Instinct describes the technique as a Living off the Land attack, since it uses legitimate files and services to carry out its malicious functions.
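The chain described above (self-extractor in a user-writable directory, then wscript.exe running a .vbs, then cmd.exe running batch files that call xcopy.exe, attrib.exe and an FTP client) is what makes a Living off the Land attack detectable: each binary is legitimate, but the parent/child relationships are not. The following Python is an added example, not Deep Instinct's code, showing how a detection rule can correlate Sysmon-style process-creation events by process ancestry. The event fields, the directory names treated as user-writable, the inclusion of netsh.exe (the article says firewall settings are changed but does not name the tool) and the sample events are all constructed assumptions.

```python
"""Ancestry-based detection for a Separ-style script chain.

Added example, not Deep Instinct's code. Events are Sysmon-style
process-creation records reduced to the fields needed here; the
directory list, the tool list and the sample events are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Directories a mail attachment or self-extracting archive typically unpacks
# into. Assumption: adjust to the environment's real temp/download paths.
USER_WRITABLE = re.compile(r"\\(temp|tmp|downloads|appdata\\local)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Living-off-the-land tools seen in the chain. netsh.exe is an assumption
# for the firewall change; the article does not name the tool used.
CHAIN_TOOLS = {"xcopy.exe", "attrib.exe", "ftp.exe", "netsh.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # its command line


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent links upward; stop on a missing parent or a pid cycle."""
    chain, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def has_suspicious_script_root(parents: List[ProcEvent]) -> bool:
    """True if some ancestor is a script host whose own parent ran from a
    user-writable directory (the self-extracting 'PDF' stage)."""
    for i, anc in enumerate(parents):
        grand = parents[i + 1] if i + 1 < len(parents) else None
        if (basename(anc.image) in SCRIPT_HOSTS and grand
                and USER_WRITABLE.search(grand.image)):
            return True
    return False


def classify(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Return the detection labels that apply to one event."""
    labels = []
    img = basename(ev.image)
    parents = ancestry(ev, by_pid)
    parent = parents[0] if parents else None

    # Stage 1: script host running a .vbs, started by an executable that
    # lives in a user-writable directory.
    if (img in SCRIPT_HOSTS and re.search(r"\.vbs\b", ev.cmdline, re.I)
            and parent and USER_WRITABLE.search(parent.image)):
        labels.append("vbs-from-user-writable-exe")

    # Stage 2: cmd.exe running a batch file somewhere under that script host
    # (covers both the first batch file and the one it launches).
    if (img == "cmd.exe" and re.search(r"\.bat\b", ev.cmdline, re.I)
            and has_suspicious_script_root(parents)):
        labels.append("batch-under-script-chain")

    # Stage 3: legitimate tools (copy, hide, exfiltrate, firewall) whose
    # ancestry leads back to the suspicious script host.
    if img in CHAIN_TOOLS and has_suspicious_script_root(parents):
        labels.append(f"lolbin-under-script-chain:{img}")
    return labels


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> labels for every event that triggers at least one rule."""
    by_pid = {e.pid: e for e in events}
    out: Dict[int, List[str]] = {}
    for e in events:
        labels = classify(e, by_pid)
        if labels:
            out[e.pid] = labels
    return out


SAMPLE_EVENTS = [  # constructed telemetry, not data from the article
    ProcEvent(100, 1, r"C:\Program Files\Outlook\outlook.exe", "outlook.exe"),
    ProcEvent(200, 100, r"C:\Users\alice\AppData\Local\Temp\quote.pdf.exe", "quote.pdf.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\adobel.vbs"'),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\adob01.bat"),
    ProcEvent(500, 400, r"C:\Windows\System32\xcopy.exe", "xcopy.exe /y /h src dst"),
    ProcEvent(600, 400, r"C:\Windows\System32\attrib.exe", "attrib.exe +h +s dst"),
    ProcEvent(700, 400, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\adob02.bat"),
    ProcEvent(800, 700, r"C:\Windows\System32\ftp.exe", "ftp.exe -s:cmds.txt"),
    # Benign control: a logon script launched by explorer.exe from a system path.
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(910, 900, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe \\corp\netlogon\map_drives.vbs"),
]

if __name__ == "__main__":
    for pid, labels in scan(SAMPLE_EVENTS).items():
        print(pid, labels)
```

The benign control event (a logon script run by explorer.exe from a network share) is included deliberately: a rule that fires on every wscript.exe launch would drown analysts in noise, so the rule keys on where the script host's parent was running from, not on the script host itself. Restricting Windows Script Host, as the article recommends, removes stage 1 entirely; the ancestry rule is for environments where that is not yet possible.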
Businesses can protect against this attack by restricting the use of scripting tools. Employees should receive security awareness training, including how to spot suspicious emails, and should be warned not to open emails or download attachments from unknown senders. If an employee does make a mistake, they should be encouraged to notify the IT department so that the proper procedures can be followed to rectify the error.