A seemingly simple malware attack has stolen a lot of identification information from thousands of computers in recent weeks and continues to steal more and more, a researcher warned Tuesday.
The ongoing attack is the latest wave of Separ, a robbery of identification information known since at least end of 2017, said a researcher at the Deep Instinct Security Company. In recent weeks, the researcher said Separ was back with a new version that was surprisingly able to escape malware detection software and services. The source of its success: a combination of short scripts and legitimate executable files that are used so often for trivial purposes that they blend perfectly with each other. The use of spartan malware based on legitimate applications and utilities is now called "living off the land", "and
it has been used in a variety
very effective campaigns in recent years.
The last Separate arrives in what appears to be a PDF document. When clicked, the file runs a chain of other applications and file types commonly used by system administrators. An inspection of the servers used in the campaign shows that it has so far collected identification information from about 1,200 organizations or individuals. The number of infections continues to increase, indicating that the Spartan approach has been effective in helping to fly under the radar.
"Although the attack mechanism used by this malware is very simple and the attacker did not try to escape the analysis, the growth in the number of victims claimed by this malicious software shows that simple attacks can be very effective, "said Guy Propper, head of the Threat Intelligence Team at Deep Instinct, wrote in a blog post. "The use of legitimate scripts and binary files, in a scenario" living outside the country, "means that the attacker escapes detection successfully, despite the simplicity of it. ;attack.
In this last wave, Separ is embedded in a self-extracting executable file that uses an icon to disguise itself as a PDF document. Double-click the file to run a file string that starts with a Visual Basic script. The script, in turn, runs a batch script. The batch script configures multiple directories, copying files, and then launches a second batch script. The second script opens a decoy image to hide command windows, decreases firewall protection, and saves the results of an ipconfig / all command to a file.
The batch file then executes four executable tools used for legitimate purposes. These first two executables are SecurityXploded security search organization password dump tools. The third executable executes the legitimate NcFTP client to download the stolen data to previously configured accounts on the Free Hostia hosting service. The fourth executable gathers the legitimate xcopy.exe, attrib.exe and sleep.exe applications that it needs to perform mundane tasks.
"As we can see above, the attackers do not try to hide their intentions and do not use any obscuration or escape techniques," wrote Propper. "In addition, all the output file names and credentials used by the attackers are hard-coded into the scripts."
Turn the tables on the bad guys
Hard-coded credentials allowed Deep Instinct to enable attacker attacks and access two of the accounts used to store stolen data. The researchers then had access to eight other accounts. As of Tuesday afternoon, the accounts contained identification information belonging to approximately 1,000 individuals and 200 organizations. The number of identification information collected has steadily increased in recent weeks and researchers suspect that there could be other accounts by storing more.
Until now, said Propper, Freehostia officials have not responded to Deep Instinct's private messages stating misuse of the hosting service. A message sent by Ars to Freehostia in search of comments for this message also remained unanswered. Mr. Propper stated that Deep Instinct had informed infected individuals and organizations that their identification information had been collected.
The only thing needed for the recent Separ campaign to succeed, at least initially, was for an end user to click on a disguised executable. Propper said that over time, a growing number of anti-malware vendors came to detect this attack. Nevertheless, current attacks are a reminder that, despite the increasing sophistication of many malware attacks, simple and sparse hackers remain painfully inefficient.