Take, for example, the malware called Separ, which is a credential-siphoning bit of code, first detected in late 2017.
Separ has benefitted from ongoing development by the hackers controlling it, but what sets it apart from other malware strains is that it’s almost deceptively simple, and that simplicity is a big part of its success.
The program is surprisingly good at evading detection, thanks to clever use of a combination of short scripts and legitimate executable files that are commonly used for completely benign purposes. This allows them to blend in and be utterly overlooked by most detection routines.
The most recent iteration of the software is embedded in a PDF. When an unsuspecting user clicks to open the file, Separ runs a chain of other apps and file types commonly used by System Admins. The initial double click runs a simple Visual Basic Script (VBS), which in turn, executes a batch script.
The batch script sets up several directories and copies files to them. Then it launches a second batch script, which opens a decoy image to high command windows, lowers firewall protections, and saves the changes to an ‘ipconfig’ file.
Then, it gets down to its real work, again, relying on completely legitimate executables to collect passwords and move them to the hackers’ command and control server.
According to Guy Propper, (the team lead of Deep Instinct’s Threat Intelligence group):
“Although the attack mechanism used by this malware is very simple, and no attempt has been made by the attacker to evade analysis, the growth in the number of victims claimed by this malware shows that simple attacks can be very effective. The use of scripts and legitimate binaries, in a ‘living off the land’ scenario, means the attacker successfully evades detection, despite the simplicity of the attack.”
Be sure your IT staff aware. It’s not always the most complex forms of malware that can get you. Contact Connectech if you have questions or need assistance.