What’s New With Separ Malware Family in 2021
Various anti-malware vendors are scrambling to update their products to detect the new variant of the Separ malware family. Separ is known as a password-stealing virus; its first version was detected two years ago, in 2017. The newest variant has a highly modular architecture: it uses genuine third-party (non-malicious) executables to support its function. Separ's main module pretends to be a PDF file, but instead of opening in a PDF reader, when it runs it hijacks the computer by executing legitimate applications that help hide its real goal of stealing user credentials.
“The attack begins with a phishing email containing a malicious attachment. In this particular instance, the attachment was a decoy PDF document, which was in fact a self-extracting archive. However, the decoy is very basic as the extension of this “document” is .exe. The self-extractor contains within itself all files used in the attack – a VB Script, two batch scripts, and four executable files, with the following names: adobel.vbs, adob01.bat, adob02.bat, adobepdf.exe, adobepdf2.exe, ancp.exe, and Areada.exe. Many of the files are named to resemble files related to Adobe,” explained Guy Propper, Threat Intelligence Team Leader of Deep Instinct Inc., a cybersecurity consulting firm.
The malware takes advantage of wscript.exe, the built-in engine for the Visual Basic scripting language: the fake PDF uses it to run another module named adobel.vbs. In sequence, that script runs two more .bat files and other files that at first glance look like part of the Adobe PDF reader package. This series of batch files opens the Windows firewall, removing the default restrictions set by Microsoft.
“In order to carry out the malicious logic of the attack, Separ uses password dumping tools by SecurityXploded, contained in the initial self-extractor, with which it steals various user credentials before uploading them to the hosting service. Separ also uses additional legitimate executables for actions: xcopy.exe, attrib.exe, sleep.exe (renamed Areada.exe), and ancp.exe. This means the attacker successfully evades detection, despite the simplicity of the attack. Due to the mechanisms used in the attack, and despite the lack of obfuscation or evasion by the attacker, this and similar attacks have been present in the wild for several years,” added Propper.
Based on further investigation, Separ does not include any stealth function that can hide it from a sophisticated user. Anyone with the correct tools can detect the changes it makes to the Windows registry and its use of the VB script engine to propagate; many days after infection, it simply continues to capture whatever user credentials it can. But Separ is known to be a ‘work-in-progress’: its makers will surely continue to tweak and improve it to gain more functionality. Once a new function is added to the Separ family, we will report it here on Hackercombat.com immediately.
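The stages described above (a decoy "PDF" that is really an .exe, wscript.exe running adobel.vbs, batch files opening the firewall, and a legitimate tool such as sleep.exe running under the name Areada.exe) map cleanly onto process-creation telemetry. The following triage rule is an added example written for this article; it is not code from Hackercombat, Deep Instinct or the malware itself. It assumes Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine, OriginalFileName), assumes the renamed binary carries a version resource so OriginalFileName is populated, and treats a netsh advfirewall command as one representative way the batch files could "open the firewall" (the article does not name the exact command). The log records are constructed for the example.

```python
"""Triage rule for the Separ process chain described in the article.

Added example (not the article's or Deep Instinct's code). Scans constructed
Sysmon-style process-creation records and flags each stage the article names,
then decides whether enough distinct stages are present to call it Separ-like.
"""
from __future__ import annotations

from dataclasses import dataclass

# File names the article lists as contents of the self-extracting archive.
SEPAR_FILES = {"adobel.vbs", "adob01.bat", "adob02.bat", "adobepdf.exe",
               "adobepdf2.exe", "ancp.exe", "areada.exe"}
SEPAR_VBS = {n for n in SEPAR_FILES if n.endswith(".vbs")}
SEPAR_BAT = {n for n in SEPAR_FILES if n.endswith(".bat")}


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields used by the rule."""
    image: str
    parent_image: str
    command_line: str
    original_file_name: str = ""   # PE version-resource name; may be empty


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of Separ stage labels this single event matches."""
    hits: list[str] = []
    img = basename(ev.image)
    cmd = ev.command_line.lower()

    # Stage 1: a "document" with a double extension that is really an executable.
    if img.endswith(".pdf.exe"):
        hits.append("decoy-pdf-executable")

    # Stage 2: wscript.exe launched with one of the archive's VBS names.
    if img == "wscript.exe" and any(v in cmd for v in SEPAR_VBS):
        hits.append("wscript-runs-separ-vbs")

    # Stage 3: cmd.exe running one of the archive's batch files.
    if img == "cmd.exe" and any(b in cmd for b in SEPAR_BAT):
        hits.append("separ-batch-stage")

    # Stage 4 (assumption): firewall weakened via netsh; the article only says
    # the batch files "open the Windows firewall", not how.
    if img == "netsh.exe" and "firewall" in cmd and any(
            k in cmd for k in ("state off", "disable", "add rule")):
        hits.append("firewall-weakened")

    # Stage 5: legitimate tool running under another name (sleep.exe -> Areada.exe).
    if ev.original_file_name and basename(ev.original_file_name) != img:
        hits.append(f"renamed-tool:{basename(ev.original_file_name)}")

    # Any image whose name is on the indicator list.
    if img in SEPAR_FILES:
        hits.append("separ-named-file")
    return hits


def triage(events: list[ProcEvent]) -> dict:
    """Classify every event and decide whether the chain looks like Separ.

    A single hit (e.g. one netsh call) is common in admin activity; requiring
    three distinct stage types keeps the rule from firing on isolated events.
    """
    per_event = [classify(e) for e in events]
    stages = {h.split(":")[0] for hits in per_event for h in hits}
    return {"hits": per_event,
            "stages": sorted(stages),
            "separ_like_chain": len(stages) >= 3}


# Constructed sample telemetry following the article's description.
TMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\victim\Downloads\invoice.pdf.exe",
              r"C:\Windows\explorer.exe", "invoice.pdf.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Users\victim\Downloads\invoice.pdf.exe",
              rf"wscript.exe {TMP}\adobel.vbs"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wscript.exe",
              rf"cmd.exe /c {TMP}\adob01.bat"),
    ProcEvent(r"C:\Windows\System32\netsh.exe",
              r"C:\Windows\System32\cmd.exe",
              "netsh advfirewall set allprofiles state off"),
    ProcEvent(rf"{TMP}\Areada.exe", r"C:\Windows\System32\cmd.exe",
              "Areada.exe 5", original_file_name="sleep.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe", "notepad.exe"),   # benign control
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for ev, hits in zip(SAMPLE_EVENTS, result["hits"]):
        print(f"{basename(ev.image):<20} {hits}")
    print("Separ-like chain:", result["separ_like_chain"])
```

The per-event labels are deliberately kept separate from the chain verdict: the OriginalFileName mismatch and the firewall change each occur legitimately on their own, and it is the combination across parent and child processes in a short window that is worth an analyst's time.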
Known Files associated with Separ: