Separ Information Stealing Trojan

First observed in late 2017, Separ is an information stealing trojan that uses several legitimate applications to obtain user and system data.

Threat ID:: CC-2942
Category:: Trojan
Threat Severity:: Medium
Threat Vector:: Email spam
Published:: 21 February 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

First observed in late 2017, Separ is an information stealing trojan that uses several legitimate applications to obtain user and system data.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

Separ is distributed via spam campaigns as a self-extracting EXE file disguised as a PDF document. When opened, a VBScript script is initiated to execute a batch script. This first batch script will create multiple new directories and copy several files to them before executing a second batch script.

This second batch script will then open an empty JPG file to hide command windows before altering Windows Firewall settings. It will then use the legitimate Email and Browser Password Dump tools created by SecurityXploded to extract mail and browser account credentials. Network information is also collected using the ipconfig utility. This information is then uploaded over FTP to a well-known file hosting platform using a version of the commercial NcFTP client.

Remediation steps

Type	Step
	To prevent and detect a trojan infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

To prevent and detect a trojan infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 14 February 2020 2:44 pm