Delaware, USA – February 22, 2019 – Researchers at Deep Instinct discovered an active campaign infecting employees of organizations in the Middle East, Asia, and North America with the Separ infostealer. The malware first came to researchers' attention about 14 months ago and attracted little notice because of its simplicity, but that simplicity does not stop adversaries from using it very effectively to collect and exfiltrate user credentials. Attackers send phishing emails carrying a malicious file disguised as a PDF; when executed, it runs a VBS script, which in turn launches several batch scripts and executables. The files and scripts are named so that they resemble Adobe-related processes. Separ changes the firewall settings and then leverages a free credential-dumping tool developed by SecurityXploded to steal credentials. After collecting the data, the malware uses legitimate software to upload the files via FTP to a popular hosting service.
Researchers warn that the campaign is still ongoing. They managed to gain access to the hosting service used in the campaign, where the adversaries had stored over 1,000 compromised employee credentials from more than 200 organizations. The collected data can be used for Business Email Compromise attacks, which cause the most significant financial losses to organizations. Adversaries continue to compromise new victims every day, and limiting the use of scripts in your organization is recommended as protection against this attack. You can also use the Sysmon Framework rule pack to detect similar and more sophisticated attacks in their early stages: https://my.socprime.com/en/integrations/sysmon-framework-arcsight
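The chain described above (a script host launching batch scripts, a firewall change, then an FTP upload) is the kind of behaviour Sysmon process-creation telemetry can expose. The Python below is an added illustration, not code from the original article or from Deep Instinct's research: it correlates constructed Sysmon-style Event ID 1 records by parent/child relationship and flags a script host whose descendants perform those stages. It assumes the firewall change is made via netsh and the upload via ftp.exe, neither of which the article specifies, and every file name in the sample data is made up.

```python
"""Correlate Sysmon-style process-creation events back to a script-host ancestor."""
from collections import defaultdict

# Constructed sample events (simplified Sysmon Event ID 1 fields); not real telemetry.
# Names mimic the article's "looks like Adobe" pattern but are invented for this example.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",            "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",    "cmd": "wscript.exe AdobeReader.vbs"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",        "cmd": "cmd.exe /c adobe_update.bat"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\netsh.exe",      "cmd": "netsh advfirewall set allprofiles state off"},
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\System32\ftp.exe",        "cmd": "ftp -s:upload.txt"},
    # Benign noise: an administrator inspecting the firewall from an interactive shell.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",        "cmd": "cmd.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\netsh.exe",      "cmd": "netsh advfirewall show allprofiles"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(event):
    """Lower-cased file name of the executed image (assumes Windows path separators)."""
    return event["image"].rsplit("\\", 1)[-1].lower()


# Stage name -> predicate over a single event. Each stage mirrors one step of the
# chain in the article; the exact tools (netsh, ftp.exe) are assumptions.
STAGES = {
    "batch_launch":    lambda e: basename(e) == "cmd.exe" and ".bat" in e["cmd"].lower(),
    "firewall_change": lambda e: basename(e) == "netsh.exe" and " set " in e["cmd"].lower()
                                 and "firewall" in e["cmd"].lower(),
    "ftp_upload":      lambda e: basename(e) == "ftp.exe",
}


def ancestors(pid, by_pid):
    """Yield the process chain upward from pid until the parent is unknown."""
    while pid in by_pid:
        event = by_pid[pid]
        yield event
        pid = event["ppid"]


def find_script_chains(events):
    """Map each script-host PID to the sorted list of suspicious stages seen beneath it."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for event in events:
        for stage, matches in STAGES.items():
            if not matches(event):
                continue
            # Walk up to the nearest script-host ancestor; stop at the first one found.
            for anc in ancestors(event["ppid"], by_pid):
                if basename(anc) in SCRIPT_HOSTS:
                    hits[anc["pid"]].add(stage)
                    break
    return {pid: sorted(stages) for pid, stages in hits.items()}


if __name__ == "__main__":
    for pid, stages in find_script_chains(EVENTS).items():
        print(f"script host pid {pid}: {', '.join(stages)}")
```

A single stage under a script host is worth a low-severity alert; all three under the same root is the full sequence the article describes and merits escalation. The administrator's `netsh ... show` in the sample is not flagged because it neither changes settings nor descends from a script host.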