A New Wave of the Separ Info-Stealer is Infecting Organizations through “Living off the Land” Attack Methods
February 19, 2019 | Guy Propper
Recently we came across renewed activity of the infamous credential stealer Separ, which our product prevented in customers’ environments. Previous attacks based on earlier variants of Separ date back to November 2017, with related info-stealers being active in the wild as far back as 2013.
The credential stealer Separ is unusual in that it uses a combination of very short script or batch files and legitimate executables to carry out all of its malicious business logic. Separ is therefore an excellent example of the advanced and evasive attack technique commonly termed “Living Off the Land”. In addition, Separ masquerades as a fake Adobe-related program, using a fake PDF document as the initial infection vector, and malicious scripts and executable files named to resemble Adobe-related programs.
“Living off the Land” attacks are based on legitimate files which are either common within the attacked organization or are widely used administrative tools, and which can be abused to perform malicious functions. These tools are sometimes referred to as “Dual-Use” tools. Although “Living off the Land” is considered a type of file-less attack, this is an inaccurate definition, as the attack does involve executable files. In many cases these files are already present on disk on the victim’s machine (hence the term “Living off the Land”). In other cases they are written to disk, but as mentioned before they are not malicious per se and therefore go unnoticed. This technique, and the reason it is classified as a file-less attack, are described in detail in Deep Instinct’s whitepaper on file-less attacks, published in March 2018.
The attack is ongoing
Access to the hosting service used by Separ in this recent attack shows that its activity continues, and data stolen from many additional victims is being uploaded daily. The attack has affected hundreds of companies, located mainly in South East Asia and the Middle East, with some targets located in North America. Based on the names of the fake documents which initiate the attack, it appears the attacker is targeting business organizations, as most fake documents appear to be concerned with quotations, shipments, and equipment specifications.
Although this specific attack wave is new, and has only surfaced within the past few weeks, our research shows that variants of Separ have been around for several years, with older variants sharing some of the techniques and mechanisms outlined below.
Infection chain and malicious logic
As in previous waves of Separ seen in the wild, the attack begins with a phishing email containing a malicious attachment. In this particular instance, the attachment was a decoy PDF document, which was in fact a self-extracting archive. The decoy is very basic, as the extension of this “document” is .exe. The self-extractor contains all files used in the attack - a VB Script, two batch scripts, and four executable files, with the following names: adobel.vbs, adob01.bat, adob02.bat, adobepdf.exe, adobepdf2.exe, ancp.exe, and Areada.exe. Many of the files are named to resemble files related to Adobe. The role of each file is outlined in detail below.
Overall, the attack flow is as follows:
Once the user clicks on the “PDF document” attached to the phishing email, the self-extractor calls wscript.exe to run a VB Script called adobel.vbs, which is extracted from the initial self-extractor.
Figure: The content of adobel.vbs, which calls adob01.bat
This VB Script then calls a first batch script, adob01.bat, which sets up several directories and copies files to them, using xcopy.exe and attrib.exe, before launching a second batch script.
Figure: The first batch script run by the VB Script, adob01.bat
The second batch script, adob02.bat, performs the main malicious actions:
- Opens an empty decoy jpg, which hides additional command windows.
- Changes firewall settings.
- Saves ipconfig /all results into a file.
- Runs SecurityXploded’s Email and Browser Password Dumps, to steal credentials. Both password dumps are dropped by the self-extractor, masquerading as files related to Adobe PDF. The Email Password Dump is renamed adobepdf2.exe, and the Browser Password Dump is renamed adobepdf.exe.
- Renames the output files and uploads them via FTP to the hosting service (freehostia.com, see below), using hard-coded usernames and passwords.
- Runs a renamed but identical version of the executable sleep.exe, available from https://www.computerhope.com/dutil.htm.
- Reruns the whole second batch script once a very long sleep is completed.
Figure: The second batch script, adob02.bat, with file names and credentials redacted
As can be seen above, the attackers make no attempt to hide their intentions, and use no obfuscation or evasion techniques. In addition, all the output file names and credentials used by the attackers are hard-coded in the scripts.
In order to carry out the malicious logic of the attack, Separ uses password dumping tools by SecurityXploded, contained in the initial self-extractor, with which it steals various user credentials before uploading them to the hosting service.
Separ also uses additional legitimate executables for actions: xcopy.exe, attrib.exe, sleep.exe (renamed Areada.exe), and ancp.exe. Details regarding ancp.exe are supplied in the next section.
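The chain above (script host started from a user-writable path, cmd.exe running xcopy/attrib, a firewall change, ipconfig, an FTP client, and renamed legitimate binaries such as sleep.exe dropped as Areada.exe) is what a defender can correlate on, since no single process is malicious by itself. The following is an added example, not code from the original post or from Deep Instinct: an EDR-style correlation rule over constructed Sysmon-like process-creation events; the event layout, the `C:\Intel` drop path and the `ncftpput.exe` OriginalFileName are assumptions made for the example.

```python
# Added example (not from the original post): an EDR-style correlation rule that
# scores one process tree for the Separ chain: a script host started from a
# user-writable path spawning cmd.exe, which runs xcopy/attrib, netsh, ipconfig,
# an FTP client, and binaries whose on-disk name differs from the PE
# OriginalFileName (sleep.exe dropped as Areada.exe). Events are constructed.
from collections import defaultdict

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
LOLBIN_TAGS = {"xcopy.exe": "stage-files", "attrib.exe": "hide-files",      # adob01.bat
               "netsh.exe": "firewall-change", "ipconfig.exe": "host-recon"}  # adob02.bat

def score_tree(root_pid, events):
    """Return the set of suspicious tags seen in the process tree under root_pid."""
    kids, by_pid = defaultdict(list), {e["pid"]: e for e in events}
    for e in events:
        kids[e["ppid"]].append(e)
    tags, stack = set(), [by_pid[root_pid]]
    while stack:                                   # iterative DFS over descendants
        e = stack.pop()
        stack.extend(kids[e["pid"]])
        name = e["image"].rsplit("\\", 1)[-1].lower()
        orig = e.get("original_filename", name).lower()   # PE version-info name
        if name in ("wscript.exe", "cscript.exe", "cmd.exe") and any(p in e["cmdline"].lower() for p in USER_WRITABLE):
            tags.add("script-from-user-path")
        if name != orig:                           # masquerade: Areada.exe is sleep.exe
            tags.add("renamed:" + orig)
        if name in LOLBIN_TAGS:
            tags.add(LOLBIN_TAGS[name])
        if "ftp" in orig:                          # ancp.exe is NcFTP-derived
            tags.add("ftp-client")
    return tags

def alert(events, threshold=4):
    # Map each script-host root PID to its sorted tags once they reach the threshold.
    hits = {}
    for r in events:
        if r["image"].rsplit("\\", 1)[-1].lower() in ("wscript.exe", "cscript.exe"):
            tags = score_tree(r["pid"], events)
            if len(tags) >= threshold:
                hits[r["pid"]] = sorted(tags)
    return hits

SAMPLE = [  # constructed Sysmon-style process-creation events for one infection
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\adobel.vbs"},
    {"pid": 11, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c C:\Users\u\AppData\Local\Temp\adob01.bat"},
    {"pid": 12, "ppid": 11, "image": r"C:\Windows\System32\xcopy.exe", "cmdline": "xcopy ..."},
    {"pid": 13, "ppid": 11, "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh ..."},
    {"pid": 14, "ppid": 11, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"pid": 15, "ppid": 11, "image": r"C:\Intel\Areada.exe", "cmdline": "Areada.exe 86400", "original_filename": "sleep.exe"},
    {"pid": 16, "ppid": 11, "image": r"C:\Intel\ancp.exe", "cmdline": "ancp ...", "original_filename": "ncftpput.exe"},  # constructed
]
```

Calling `alert(SAMPLE)` flags the wscript.exe root (PID 10) with seven tags, while a tree containing only one or two of these behaviours stays below the threshold, which is what keeps the rule from firing on ordinary administrative use of xcopy or ipconfig.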
Stolen data uploaded to a legitimate FTP service
Following infection and password extraction, the malware uses ancp.exe, an FTP client, to upload files to freehostia.com. Both the executable and the service are legitimate - ancp.exe’s source is NcFTP, a legitimate FTP software provider, while FreeHostia is a well-known and widely used hosting service.
The upload is performed using hard-coded usernames and passwords. Using these credentials, we were able to access the FTP server and view data organized into several clients.
Figure: The list of clients displayed after logging in to the FTP server
Figure: Email password dump with redacted credentials and ipconfig data
Figure: Browser password dump with redacted credentials and ipconfig data
However, each client directory contained data belonging to several different victims, collected over the last few weeks. Uploaded data contains ipconfig results in addition to email and browser passwords.
We were able to access the FTP server several times, and the growth in the number of victims was clearly visible, meaning the attack is ongoing and successfully infecting many victims.
Although the attack mechanism used by this malware is very simple, and no attempt has been made by the attacker to evade analysis, the growth in the number of victims claimed by this malware shows that simple attacks can be very effective. The use of scripts and legitimate binaries, in a “Living off the Land” scenario, means the attacker successfully evades detection, despite the simplicity of the attack. Due to the mechanisms used in the attack, and despite the lack of obfuscation or evasion by the attacker, this and similar attacks have been present in the wild for several years. This shows that many security solutions have difficulties detecting “Living off the Land” attack scenarios. Meanwhile, it should also be noted that the attack can be modified easily to evade detection and complicate analysis.
As written in our white paper on file-less malware, the abuse of admin tools, or of legitimate internal tools of organizations, requires organizations to change their defense mechanisms to protect themselves from attacks. To be better protected, organizations should have tight control over the users allowed to access administrative or native tools, and over the actions that can be performed by these tools.
In order to guard from these types of attacks, organizations should also undertake the following:
- Deploy an advanced endpoint protection solution which can detect and mitigate file-less attacks. Using its advanced Deep Learning and behavioral capabilities, Deep Instinct protects customers from this attack on several levels. Using its Deep Learning engine, Deep Instinct scans and prevents dual-use tools at run time. Many solutions do not scan these files due to their legitimate origin, ignoring the fact that these files can be abused easily. Additionally, Deep Instinct’s script control mechanism prevents scripts from executing.
- Restrict the use of scripts and scripting tools in your organization by applying different policies to different areas of the network. Allow scripts to run only from read-only network locations, or only on specific machines.
- In any case, do not click on unknown or untrusted links, and do not open email attachments which are unknown or untrusted. Infection through social engineering is the most common method of infection.
We are in the process of notifying all relevant parties which have been affected by the attack.
Original sha256: fc1b755217ee2d12b05b5211602a83dcc0ad0ce2f1271b904e1a125a38927780
Additional files used in attack:
Recent similar samples