Hundreds of industrial companies are currently the targets of cyber-espionage activity from an advanced threat actor. The adversary uses a new version of an older info-stealer to extract sensitive data and files.
The attacker uses spear-phishing emails with malicious attachments, often disguised as PDF files. The malware of choice is Separ, an info-stealer that lifts login data from browsers and email clients and also hunts for various types of documents and images.
The malicious emails from the attacker are specifically created for the recipient. In one of them, the sender posed as an employee of a Siemens subsidiary making a request for quote (RFQ) for designing a power plant in the Czech Republic.
The message included a diagram and a publicly available technical paper on how to run the plant on fuel gas.
After installation, the malware steals credentials from browsers and email clients and looks for documents that may be of interest to the attacker, selecting them by file extension.
All collected data is sent using the File Transfer Protocol (FTP) to the free web hosting service freehostia[.]com.
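Two of the behaviours described above, an attachment that looks like a PDF but carries an executable extension, and bulk FTP traffic to the free host named as the drop point, are straightforward to check for on the defender's side. The following is an added example, not code from the report or from any vendor: it flags double-extension "PDF" attachment names and scans firewall-style log lines for FTP sessions to freehostia.com or for unusually large FTP uploads. The log format, the executable-extension list, the byte threshold and all sample lines are constructed assumptions for the demonstration.

```python
import re
from typing import List, Tuple

# Free web host named in the report as the FTP drop point (written defanged there
# as freehostia[.]com); match the apex domain and any subdomain of it.
EXFIL_HOST = "freehostia.com"

# Extensions that execute on a typical Windows host. Assumption: this list is
# illustrative, not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}

# "something.pdf.<ext>": a filename that reads as a PDF but ends in a second extension.
DOUBLE_EXT_RE = re.compile(r"\.pdf\.([a-z0-9]{1,4})$", re.IGNORECASE)


def is_disguised_pdf(filename: str) -> bool:
    """True when the attachment name is '<name>.pdf.<executable extension>'."""
    m = DOUBLE_EXT_RE.search(filename.strip())
    return bool(m) and m.group(1).lower() in EXECUTABLE_EXTS


# Hypothetical (constructed) log format, one connection per line:
#   <timestamp> <src_ip> <dst_host> <dst_port> <proto> <bytes_out>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<proto>\S+)\s+(?P<bytes>\d+)$"
)


def _is_exfil_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return host == EXFIL_HOST or host.endswith("." + EXFIL_HOST)


def flag_ftp_exfil(log_lines: List[str], bytes_threshold: int = 1_000_000) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for FTP sessions that match the report's TTPs.

    Two rules: any FTP (port 20/21) connection to the named drop host, and any
    FTP upload whose outbound byte count exceeds the threshold. The threshold is
    an assumption; tune it to the environment's normal FTP usage.
    """
    alerts: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        port = int(m.group("port"))
        if port not in (20, 21):
            continue
        if _is_exfil_host(m.group("dst")):
            alerts.append((line, f"FTP to {EXFIL_HOST}"))
        elif int(m.group("bytes")) >= bytes_threshold:
            alerts.append((line, "large FTP upload"))
    return alerts


# Constructed sample log: one benign HTTPS connection, two FTP sessions to a
# subdomain of the drop host, a small internal FTP transfer, and a large FTP
# upload to an unrelated host.
SAMPLE_LOG = [
    "2019-02-20T09:14:02Z 10.0.5.21 update.example-vendor.test 443 tcp 18233",
    "2019-02-20T09:15:44Z 10.0.5.21 ftp.example-user.freehostia.com 21 tcp 2048",
    "2019-02-20T09:15:51Z 10.0.5.21 ftp.example-user.freehostia.com 20 tcp 3981120",
    "2019-02-20T09:20:03Z 10.0.5.33 files.internal.test 21 tcp 5200",
    "2019-02-20T09:31:17Z 10.0.5.33 backup.partner.test 21 tcp 2400000",
]


if __name__ == "__main__":
    for name in ("RFQ_power_plant.pdf", "RFQ_power_plant.pdf.exe", "notes.pdf.txt"):
        print(f"{name}: disguised={is_disguised_pdf(name)}")
    for line, reason in flag_ftp_exfil(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The host check matches `freehostia.com` and any subdomain of it rather than a bare substring, so a lookalike such as `notfreehostia.com` is not flagged by that rule; the size rule exists because the same activity would look identical if the attacker moved to a different free host.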