SEPAR — Hard-to-detect credential-theft malware has infected 1,200 and is still going

silversurfer

A deceptively simple malware attack has stolen a wide array of credentials from thousands of computers over the past few weeks and continues to steal more, a researcher warned on Tuesday.

The ongoing attack is the latest wave of Separ, a credential stealer that has been known to exist since at least late 2017, a researcher with security firm Deep Instinct said. Over the past few weeks, the researcher said, Separ has returned with a new version that has proven surprisingly adept at evading malware-detection software and services. The source of its success: a combination of short scripts and legitimate executable files that are used so often for benign purposes that they blend right in. Use of spartan malware that's built on legitimate apps and utilities has come to be called "living off the land," and it has been used in a variety of highly effective campaigns over the past few years.

The latest Separ arrives in what appears to be a PDF document. Once clicked, the file runs a chain of other apps and file types that are commonly used by system administrators. An inspection of the servers being used in the campaign shows that it, so far, has collected credentials belonging to about 1,200 organizations or individuals. The number of infections continues to rise, which indicates that the spartan approach has been effective in helping it fly under the radar.

"Although the attack mechanism used by this malware is very simple, and no attempt has been made by the attacker to evade analysis, the growth in the number of victims claimed by this malware shows that simple attacks can be very effective," Guy Propper, Deep Instinct's threat intelligence team leader, wrote in a blog post. "The use of scripts and legitimate binaries, in a 'living off the land' scenario, means the attacker successfully evades detection, despite the simplicity of the attack."
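The article describes the chain but not how a defender would catch it. The following is an added example, not code from the article, from Deep Instinct, or from anyone in this thread, and it is not derived from Separ samples: a small Python detector that walks constructed Sysmon-style process-creation records and flags a process whose file name masquerades as a document (a double extension such as `Invoice.pdf.exe`) and whose descendants include script interpreters or admin utilities. The sample events, the `LOLBINS` list and the double-extension heuristic are assumptions made for the example, not facts about Separ; adapt the list to the interpreters your organization actually uses.

```python
"""Added example: flag 'living off the land' chains rooted in a file that looks
like a document. All events below are constructed; nothing here is real
telemetry from the Separ campaign."""
from collections import defaultdict
import re

# Interpreters and admin utilities frequently abused in LOLBin chains.
# Assumption: a starter list for the example, not what Separ specifically runs.
LOLBINS = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "schtasks.exe",
}
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")


def basename(image: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", image)[-1].lower()


def looks_like_document(image: str) -> bool:
    """True when the name carries a document extension followed by an executable
    one, e.g. 'statement.pdf.exe'. A real .pdf or a plain .exe returns False."""
    stem, dot, ext = basename(image).rpartition(".")
    if not dot or "." + ext not in EXEC_EXTS:
        return False
    return stem.endswith(DOC_EXTS)


def find_lol_chains(events):
    """Return one alert per document-looking root process that has at least one
    LOLBin among its descendants (any depth), listing those descendants in
    order of discovery."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])

    alerts = []
    for root in events:
        if not looks_like_document(root["image"]):
            continue
        lolbins, stack = [], [root["pid"]]
        while stack:                      # depth-first walk of the process tree
            for child in children[stack.pop()]:
                name = basename(by_pid[child]["image"])
                if name in LOLBINS:
                    lolbins.append((child, name))
                stack.append(child)
        if lolbins:
            alerts.append({"root_pid": root["pid"], "root_image": root["image"],
                           "lolbins": lolbins})
    return alerts


# Constructed Sysmon-style process-creation records (Event ID 1, simplified).
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 800,  "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # user double-clicks the "PDF"; it is an executable with a double extension
    {"pid": 4100, "ppid": 4000, "image": r"C:\Users\alice\Downloads\Invoice_2231.pdf.exe",
     "cmdline": "Invoice_2231.pdf.exe"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\run.bat"'},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\go.vbs"},
    # benign: a real PDF reader opened from explorer
    {"pid": 5000, "ppid": 4000, "image": r"C:\Program Files\Reader\Reader.exe",
     "cmdline": "Reader.exe invoice.pdf"},
    # benign: the same interpreters used for administration, not rooted in a fake document
    {"pid": 6000, "ppid": 800,  "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c backup.bat"},
    {"pid": 6010, "ppid": 6000, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": "cscript.exe rotate.vbs"},
]

if __name__ == "__main__":
    for alert in find_lol_chains(SAMPLE_EVENTS):
        print(f"ALERT root pid {alert['root_pid']} ({alert['root_image']}) spawned:")
        for pid, name in alert["lolbins"]:
            print(f"  pid {pid}: {name}")
```

The point of anchoring on the root rather than on the interpreters is exactly the one the article makes: cmd.exe and wscript.exe are used legitimately all day, so alerting on them alone drowns the signal, whereas a document-looking executable that spawns them is rare in normal use. The benign admin chain (pids 6000 and 6010) uses the same binaries and produces no alert.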
 

Andy Ful

This malware attack is so simple that even SysHardener on default settings will stop it.:giggle:
Scripts, which are useful in organizations for automation & configuration, are also the weak point attacked by malc0ders.:(
 

yarr

These living off the land viruses are scary. I wish I could find more information about what can be done after already being hacked. Also more information on ways to combat them if they hide in PXE, partitions, RAM, router etc.
 

Andy Ful

Look at this thread:
If you want to fight hackers after being infected, then you have to learn much about exploits, backdoors, RATs, malware persistence, etc.
 

yarr

Look at this thread:
If you want to fight hackers after being infected, then you have to learn much about exploits, backdoors, RATs, malware persistence, etc.
Thank you so much for this link. I thought I knew a lot about this stuff until I started fighting this recent infection. I purchased AppGuard last night and so far it's been quite helpful; I finally have a decent proportion of control.
 

Kubla

The source of its success: a combination of short scripts and legitimate executable files that are used so often for benign purposes that they blend right in.

Sounds like one would need to lock down their system with zero trust of scripts and executables to avoid this type of malware.
 
