Separ Malware Preying on Businesses Using “Living Off the Land” Tactics

Threat Alert
David Bisson | Thu, 03/07/2019 - 12:39
laptop and credit card

A family of information-stealing malware known as “Separ” is preying on businesses by using what are known as “Living off the Land” techniques.

In the first few weeks of 2019, digital security company Deep Instinct observed a new attack campaign disseminating phishing emails. Each of these emails came with a malicious attachment thinly disguised as a PDF document. (Its extension was .exe and not .pdf.) In reality, the “document” was a self-extracting archive that contained all the files it needed to carry out the remainder of the attack chain.

The self-extracting archive first called up wscript.exe to run a VB Script called adobel.vbs. This script invoked adob01.bat, a batch script responsible for setting up several directories using xcopy.exe and attrib.exe. Once it completed its job, the batch script then launched adob02.bat.

Upon execution, adob02.bat fulfilled the bulk of Separ’s malicious capabilities by hiding additional command windows behind an empty decoy .jpg file, changing the firewall settings and saving ipconfig /all results into a file. It also ran SecurityXploded’s Email and Browser Password Dumps, which came disguised as Adobe files, to save a user’s email- and browser-based credentials in adobepdf2.exe and adobepdf.exe, respectively. At that point, adob02.bat used FTP to upload the files to freehostia.com before running another executable called sleep.exe. The second batch file ultimately concluded its activity once it ran a second time after the infected machine completed a long sleep.

Earlier variants of Separ have been involved in attack campaigns dating back to November 2017, with related infostealers dating back even further to 2013. Nevertheless, this particular attack wave was significant in that it used “Living off the Land” techniques. These tactics involve the abuse of legitimate applications such as common utilities within the targeted organization or widely used administrative tools for malicious ends. For instance, Separ used NcFTP, a legitimate FTP software provider, to upload victims’ stolen credentials to freehostia.com, a widely used hosting service. Prior to that step, the digital threat relied on the benign executables xcopy.exe, attrib.exe and sleep.exe (collectively renamed “Areada.exe”) to set the stage for its malicious activities.

Many bad actors are starting to incorporate “Living off the Land” techniques into their attack campaigns in order to evade detection. That’s because a digital attacker won’t raise any red flags with anti-virus software by abusing a legitimate program, as it’s already trusted on the machine.

Given this evasive technique, Deep Instinct digital intelligence researcher Guy Propper has a mind to liken “Living off the Land” to fileless attacks. As he explains in a blog post:

Although “Living off the Land” is considered a type of file-less attack, this is an inaccurate definition, as the attack does involve executable files. In many cases these files are already found on disk in the victim’s machine (hence the term “Living off the Land”). In other cases, they are written to disk, but as mentioned before they are not malicious per-se and therefore go unnoticed.

Well, attacks such as these go unnoticed by some security solutions. Not by all, however.

Case in point, ZixProtect spotted this attack wave and several other campaigns distributing Separ malware in the first few weeks of 2019. It did so by analyzing the multiple layers of each attack email including their IP addresses, URLs, phrases, patterns, behavior and signatures. It provided these and other findings in real-time, thereby minimizing email-borne threats with a 99.5 percent rate of accuracy while improving email flow and helping benign emails along the way to their destination.

Learn why attack email campaigns that use “Living off the Land” techniques are no match for ZixProtect.