What’s New With Separ Malware Family in 2024

Various anti-malware vendors are scrambling to fix their products in order to detect the new variant of Separ malware family. Separ is known as a password stealer virus, with its first version detected two years ago in 2017. The newest variant has a very modular architecture, as it uses genuine 3rd party executables (non-malware) in order to support its function. The Separ’s main module pretends to be a PDF file, but instead of opening in a PDF reader app, when it runs, it hijacks the computer by executing legitimate apps that can enable hiding of the nefarious goal of stealing user credentials.

“The attack begins with a phishing email containing a malicious attachment. In this particular instance, the attachment was a decoy PDF document, which was in fact a self-extracting archive. However, the decoy is very basic as the extension of this “document” is .exe. The self-extractor contains within itself all files used in the attack – a VB Script, two batch scripts, and four executable files, with the following names: adobel.vbs, adob01.bat, adob02.bat, adobepdf.exe, adobepdf2.exe, ancp.exe, and Areada.exe. Many of the files are named to resemble files related to Adobe,” explained Guy Propper, Threat Intelligence Team Leader of Deep Instinct Inc., a cybersecurity consulting firm.

The malware takes advantage of wscript.exe, it is the built-in scripting engine for Visual Basic scripting language, the malformed PDF will use it in order to run another module named adobel.vbs. In a series, it will run two more .bat file and other files that at first glance looked like part of the Adobe PDF reader package. In this series of batch file, it will open the Windows firewall, removing the restrictions set by Microsoft during its development.

“In order to carry out the malicious logic of the attack, Separ uses password dumping tools by SecurityXploded, contained in the initial self-extractor, with which it steals various user credentials before uploading them to the hosting service. Separ also uses additional legitimate executables for actions: xcopy.exe, attrib.exe, sleep.exe (renamed Areada.exe), and ancp.exe. Means the attacker successfully evades detection, despite the simplicity of the attack. Due to the mechanisms used in the attack, and despite the lack of obfuscation or evasion by the attacker, this and similar attacks have been present in the wild for several years,” added Propper.

Based on further investigations, Separ malware does not include any stealth function that can hide itself from a sophisticated user. Anyone with the correct tools will be able to detect the changes it makes to the Windows registry, the use of VB script engine in order to propagate and it after many days of infection it just continues to capture possible user credentials. But it is known that Separ will continue to be a ‘work-in-progress’, its makers will surely continue to tweak and improve it further in order to gain more functionality. Once new function is added to this Separ family of malware, we will report it here immediately in Hackercombat.com

Known Files associated with Separ:

adobel.vbs: 57ba3dc168281294422f27dc30afe5c09acbeda502a492cf405ccf474244da9c
adob01.bat: d3eca6fa868f31550ea7255bfebc76cb24bded8b4fac4422ee51a8f00e57d9d1
adob02.bat: 8c6dc16cb7f420399628346d4bd3b1ea10b8e32300b2cdf849f9f160e2afc5b4
adobepdf.exe: 33b237733b583272993c01eff9fcac6b223323bb11f3e4611ce0a69f98a98dd2
adobepdf2.exe: 2f21b1ff10c823e9d2a425b48377cef195ccd93ea90ab6cc201e913c38c20e4e
ancp.exe: 4db932edcda31e6e14e271fc8759d34bcd83eaeae77c0da910bc9661f9f20d71
Areada.exe: ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5