silversurfer

A deceptively simple malware attack has stolen a wide array of credentials from thousands of computers over the past few weeks and continues to steal more, a researcher warned on Tuesday.

The ongoing attack is the latest wave of Separ, a credential stealer that has been known to exist since at least late 2017, a researcher with security firm Deep Instinct said. Over the past few weeks, the researcher said, Separ has returned with a new version that has proven surprisingly adept at evading malware-detection software and services. The source of its success: a combination of short scripts and legitimate executable files that are used so often for benign purposes that they blend right in. Use of spartan malware that's built on legitimate apps and utilities has come to be called "living off the land," and it has been used in a variety of highly effective campaigns over the past few years.

The latest Separ arrives in what appears to be a PDF document. Once clicked, the file runs a chain of other apps and file types that are commonly used by system administrators. An inspection of the servers being used in the campaign show that it, so far, has collected credentials belonging to about 1,200 organizations or individuals. The number of infections continues to rise, which indicates that the spartan approach has been effective in helping it fly under the radar.

"Although the attack mechanism used by this malware is very simple, and no attempt has been made by the attacker to evade analysis, the growth in the number of victims claimed by this malware shows that simple attacks can be very effective," Guy Propper, Deep Instinct's threat intelligence team leader, wrote in a blog post. "The use of scripts and legitimate binaries, in a 'living off the land' scenario, means the attacker successfully evades detection, despite the simplicity of the attack."
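The article describes a file that looks like a PDF but, once clicked, launches a chain of script hosts and admin utilities. From a defender's side, that chain is the most visible thing about a "living off the land" attack, since each binary is legitimate on its own. The following is an added example (not code from the article, Ars Technica or Deep Instinct) showing how a process-creation log could be screened for that pattern. The log lines are constructed, and the double-extension disguise (`invoice.pdf.exe`) and the threshold of two script hosts are assumptions for illustration, not details the article confirms about Separ.

```python
"""Flag a disguised 'document' that spawns a chain of script hosts.

Constructed process-creation events, not real Separ telemetry.
"""
from collections import defaultdict

# Script interpreters and admin utilities that are normal on their own but
# suspicious when chained from a freshly opened document-looking file.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
DOCUMENT_EXTS = ("pdf", "doc", "docx")

# Constructed sample log: (pid, ppid, image, command_line)
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "invoice.pdf.exe", r'"C:\Users\u\Downloads\invoice.pdf.exe"'),
    (201, 200, "cmd.exe", "cmd.exe /c start setup.vbs"),
    (202, 201, "wscript.exe", "wscript.exe setup.vbs"),
    (203, 202, "cmd.exe", "cmd.exe /c run.bat"),
    # Benign activity for contrast: a real PDF reader and a lone shell.
    (300, 100, "AcroRd32.exe", "AcroRd32.exe report.pdf"),
    (301, 100, "cmd.exe", "cmd.exe /c dir"),
]


def looks_like_disguised_document(image: str) -> bool:
    """True for names like 'invoice.pdf.exe': a document extension placed
    before the real executable extension (assumed disguise pattern)."""
    parts = image.lower().split(".")
    return (
        len(parts) >= 3
        and parts[-1] in ("exe", "scr", "com")
        and parts[-2] in DOCUMENT_EXTS
    )


def descendants(children, pid):
    """Yield all descendant pids of `pid`, depth-first in creation order."""
    for child in children.get(pid, []):
        yield child
        yield from descendants(children, child)


def find_lotl_chains(events, min_script_hosts=2):
    """Return findings for disguised documents whose process tree contains at
    least `min_script_hosts` script-host launches."""
    image_of = {pid: image for pid, _, image, _ in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)

    findings = []
    for pid, _, image, _ in events:
        if not looks_like_disguised_document(image):
            continue
        hosts = [
            image_of[d]
            for d in descendants(children, pid)
            if image_of[d].lower() in SCRIPT_HOSTS
        ]
        if len(hosts) >= min_script_hosts:
            findings.append({"root_pid": pid, "root": image, "script_hosts": hosts})
    return findings


if __name__ == "__main__":
    for hit in find_lotl_chains(SAMPLE_EVENTS):
        print(f"{hit['root']} (pid {hit['root_pid']}) -> {' > '.join(hit['script_hosts'])}")
```

Only the disguised file's tree is reported; the genuine PDF reader and the stand-alone `cmd.exe` are ignored, which is the point of looking at the parent-child chain rather than at any single binary.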

Andy Ful

This malware attack is so simple that even SysHardener on default settings will stop it. :giggle:
Scripts, which are useful in organizations for automation & configuration, are also the weak point attacked by malc0ders. :(

yarr

These living off the land viruses are scary. I wish I could find more information about what can be done after already being hacked. Also more information on ways to combat them if they hide in PXE, partitions, RAM, router, etc.

Andy Ful

Look at this thread:
If you want to fight hackers after being infected, then you have to learn much about exploits, backdoors, RATs, malware persistence, etc.

yarr

Look at this thread:
If you want to fight hackers after being infected, then you have to learn much about exploits, backdoors, RATs, malware persistence, etc.
Thank you so much for this link. I thought I knew a lot about this stuff until I started fighting this recent infection. I purchased AppGuard last night and so far it's been quite helpful; I finally have a decent proportion of control.

Kubla

The source of its success: a combination of short scripts and legitimate executable files that are used so often for benign purposes that they blend right in.
Sounds like one would need to lock down their system with zero trust of scripts and executables to avoid this type of malware.