Share This:

What is the threat?

Researchers from Deep Instinct have detected an ongoing phishing campaign being aimed at many organizations located across North America, Southeast Asia, and the Middle East. The campaign has been effectively distributing the credential-stealing malware known as “Separ” which evades common detection systems by utilizing legitimate executable files (sleep.exe, xcopy.exe, etc.) and tools from SecurityXploded, an information security organization that offers free software which assist with recording passwords and securing computer systems.

Why is this noteworthy?

Although phishing attempts are undoubtedly being made against businesses and individuals by malicious parties daily, what makes this specific campaign notable is just how simple it is to execute covertly. The attack mechanic is actually referred to as “living off the land” and it has seen some popularity over time with cyber-attackers because it makes use of legitimate files/tools which are otherwise common within organizations’ networks.

What is the exposure or risk?

The phishing attempt made by malicious parties has been found to typically target business types that might expect pricing quotes, equipment specifications, etc. in PDFs. After they’ve interacted with these PDFs, malicious scripts are executed that will lead to credentials being stolen and then uploaded to Freehostia[.]com, a generally safe hosting service where cyber-attackers may do whatever with them. With user’s email and browser credentials, private business information and personally identifiable information (PII) are free for malicious parties to use and manipulate.

What are the recommendations?

  1. Deploy an advanced endpoint protection solution which can detect and mitigate cyber-attacks that may utilize existing software.
  2. Restrict the use of scripts and scripting tools in their companies and avoid clicking on unknown/untrusted links.
  3. Considering that this attack takes place starting with a successful phishing attempt, it is to be recommended that individuals be weary of suspicious content that may be presented via emails.
  4. Indicator of Compromise (IOC) include following Sha256 Hash: fc1b755217ee2d12b05b5211602a83dcc0ad0ce2f1271b904e1a125a38927780 and block the following domain/IP address:
    • ftp.freehostia.com
    • 198.23.57.8:211
    • Additional IOC’s can be found in the referenced link below
References:

For more in-depth information about the recommendations, please visit the following link:

  1. https://threatpost.com/separ-malware-credentials-phishing/142009/
  2. https://www.deepinstinct.com/2019/02/19/a-new-wave-of-the-separ-info-stealer-is-infecting-organizations-through-living-off-the-land-attack-methods/
  3. https://www.scmagazine.com/home/security-news/new-separ-credential-stealing-campaign-abuses-legit-tools-and-executables/

If you have any questions, please contact our Secure Intelligence Center.


Share This:

Posted by Doris Au

Doris is a product marketing manager at Barracuda MSP. In this position, she is responsible for connecting managed service providers with multi-layered security and data protection products that can protect their customers from today’s advanced cyber threats.

Leave a reply

Your email address will not be published.