A seemingly simple malware attack has stolen a wide range of credentials from thousands of computers in recent weeks and continues to steal more, a researcher said on Tuesday.
The ongoing attack is the latest wave of Separ, a credential stealer that has been known to exist since at least the end of 2017, said a researcher with the security firm Deep Instinct. In recent weeks, the researcher said, Separ is back with a new version that has proved surprisingly adept at evading malware detection software and services. The source of its success: a combination of short scripts and legitimate executable files that are used so often for benign purposes that the malware blends in perfectly. The use of spartan malware built from legitimate apps and utilities has been called "living off the land," and it has been used in a variety of highly effective campaigns in recent years.
The latest Separ arrives as what appears to be a PDF document. Once clicked, the file runs a chain of other apps and file types commonly used by system administrators. An inspection of the servers used in the campaign shows that, so far, it has collected credentials belonging to about 1,200 organizations or individuals. The number of infections continues to rise, indicating that the spartan approach has been effective in helping the malware fly under the radar.
"Although the attack mechanism used by this malware is very simple and no attempt has been made by the attacker to circumvent analysis, the growth in the number of victims reported by this malware shows that simple attacks can be very effective," wrote Guy Propper, head of the Deep Instinct threat intelligence team, in a blog post. "The use of legitimate scripts and binaries, in a 'living off the land' scenario, means that the attacker manages to circumvent detection, despite the simplicity of the attack."
In this latest wave, Separ is wrapped in a self-extracting executable that uses an icon to disguise itself as a PDF document. Once run, it executes a chain of files that starts with a Visual Basic script, which in turn executes a batch script. The batch script sets up several directories and copies files, then starts a second batch script. The second script opens a decoy image to hide the command windows, lowers firewall protections, and saves the output of an ipconfig /all command to a file.
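As an added example (not from the article or from Deep Instinct), the following Python hunts for that chain in process-creation telemetry. The log lines are constructed and the pipe-separated field layout is assumed; because every single stage (a script host, a batch file, a netsh call, an ipconfig run) is also routine admin activity, the script scores how many stages co-occur on one host instead of alerting on any one of them.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): host|time|parent image|image|command line
SAMPLE_LOGS = """\
host01|10:01:02|explorer.exe|invoice.exe|C:\\Users\\a\\Downloads\\invoice.exe
host01|10:01:03|invoice.exe|wscript.exe|wscript.exe //B C:\\Temp\\r.vbs
host01|10:01:04|wscript.exe|cmd.exe|cmd.exe /c C:\\Temp\\s1.bat
host01|10:01:05|cmd.exe|cmd.exe|cmd.exe /c C:\\Temp\\s2.bat
host01|10:01:06|cmd.exe|netsh.exe|netsh advfirewall set allprofiles state off
host01|10:01:07|cmd.exe|cmd.exe|cmd.exe /c ipconfig /all > C:\\Temp\\ip.txt
host02|11:30:00|explorer.exe|cmd.exe|cmd.exe /c ipconfig /all
host02|11:30:05|cmd.exe|netsh.exe|netsh advfirewall show allprofiles
"""

# Indicator name -> (parent regex, image regex, command-line regex), all case-insensitive.
# Each stage alone is routine admin activity; several on one host is the Separ-style chain.
INDICATORS = {
    "vbs_launched_by_non_shell": (r"^(?!explorer\.exe$)", r"^[wc]script\.exe$", r"\.vbs\b"),
    "script_host_spawns_batch":  (r"^[wc]script\.exe$", r"^cmd\.exe$", r"\.bat\b"),
    "firewall_lowered": (r".", r"^netsh\.exe$",
                         r"advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode.*disable"),
    "ipconfig_saved_to_file": (r".", r"^cmd\.exe$", r"ipconfig\s+/all\s*>"),
}

def parse(logs):
    """Yield (host, parent, image, cmdline) from the constructed pipe-separated format."""
    for line in logs.splitlines():
        if line.strip():
            host, _time, parent, image, cmdline = line.split("|", 4)
            yield host, parent, image, cmdline

def hunt(logs):
    """Return {host: set of indicator names} for every host with at least one hit."""
    hits = defaultdict(set)
    for host, parent, image, cmdline in parse(logs):
        for name, (p_re, i_re, c_re) in INDICATORS.items():
            if all(re.search(rx, s, re.I) for rx, s in ((p_re, parent), (i_re, image), (c_re, cmdline))):
                hits[host].add(name)
    return dict(hits)

def suspicious_hosts(logs, min_hits=3):
    """Hosts where enough stages of the chain co-occur to warrant triage."""
    return sorted(h for h, names in hunt(logs).items() if len(names) >= min_hits)

if __name__ == "__main__":
    print(hunt(SAMPLE_LOGS), suspicious_hosts(SAMPLE_LOGS))
```

On the sample data host01 trips all four stages and is flagged, while host02, whose admin ran ipconfig without redirecting it to a file and only queried the firewall state, is not.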