Researchers at Proofpoint have identified a new malware downloader, which they have named Marap. It is being used in a new email malspam campaign aimed at financial institutions, the second malware campaign targeting the finance sector in the last week.
Marap uses a number of approaches to improve its success rate. It is modular, which lets its operators add new capabilities and so respond quickly to attempts to detect it.
A separate research report from Proofpoint contains more technical details of Marap. The researchers said: “As defenses become more adept at catching commodity malware, threat actors and malware authors continue to explore new approaches to increase effectiveness and decrease the footprint and inherent ‘noisiness’ of the malware they distribute.”
What is known about Marap?
Proofpoint has listed the following characteristics of the Marap attacks it has seen.
- August 10: Multiple email spam campaigns sent via the Necurs botnet (attributed to TA505), all pointing at the same Marap payload.
- Multiple attachment types: The emails carried Microsoft Excel Web Query (.iqy) files, delivered in three ways: as direct attachments, inside password-protected Zip files, and embedded in malicious PDFs. Other attacks used Microsoft Word documents with macros.
- Various senders and subject lines: The emails purported to come from "sales", a bank, "Joan Doe", "John" and "Joan". All bar the bank used random sending domains. The bank emails spoofed a specific US bank, which Proofpoint is not disclosing.
- API hashing: Windows API functions are resolved by a hash of their name rather than imported by name, so the functions the malware relies on do not appear as strings or import-table entries. This makes it harder for security tools and analysts to identify what the code does.
- MAC checking: Marap reads the MAC address of the host and, if a configuration flag is set, compares its vendor prefix against a list of prefixes used by virtual machine vendors. If it matches, the malware may exit rather than run inside what is likely a sandbox or analysis VM.
- Fingerprinting: A fingerprint module identifies each machine it infects. It gathers the username, domain name, hostname, IP address, language, country, Windows version, any anti-virus software detected, and a list of Microsoft Outlook .ost (offline data) files. Marap uses the fingerprint to avoid infecting the same machine more than once and to reduce noise.
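The API hashing and MAC checking items above are the two evasion techniques a practitioner will most want to see in working form. The Python below is an added example, not code from Proofpoint's report or from Marap itself. It uses an illustrative ROR13-style hash (the page does not say which algorithm Marap uses) over a constructed export table with made-up addresses, shows the analyst-side reversal of precomputing hashes for known export names, and implements the MAC vendor-prefix check gated by a configuration flag against a small list of publicly registered virtualisation-vendor OUIs. The hash algorithm, the export table and the OUI list are assumptions for illustration.

```python
"""Added example: API-hash resolution and VM MAC-prefix checking.

Not Marap's code. The hash function, the sample export table and the
OUI list are illustrative assumptions, not details taken from the report.
"""

from typing import Dict, Iterable, Optional


# --- API hashing -------------------------------------------------------

def ror13_hash(name: str) -> int:
    """Rotate-right-13 hash over the ASCII export name (assumption: a
    common loader-style hash; the page does not identify Marap's)."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # ROR 13 on 32 bits
        h = (h + byte) & 0xFFFFFFFF
    return h


# Constructed export table, standing in for what a loader reads from a
# DLL's PE export directory. Addresses are made up.
SAMPLE_EXPORTS: Dict[str, int] = {
    "LoadLibraryA": 0x7FFA0001,
    "GetProcAddress": 0x7FFA0002,
    "VirtualAlloc": 0x7FFA0003,
    "CreateProcessA": 0x7FFA0004,
    "WinExec": 0x7FFA0005,
    "ExitProcess": 0x7FFA0006,
}


def resolve_by_hash(exports: Dict[str, int], target: int) -> Optional[int]:
    """Loader side: walk the export names, hash each one and return the
    address whose hash matches. The binary only needs to carry the
    32-bit constant, never the function name."""
    for name, addr in exports.items():
        if ror13_hash(name) == target:
            return addr
    return None


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hashes for a word list of known export
    names so constants recovered from a sample can be labelled."""
    return {ror13_hash(n): n for n in names}


def label_hashes(constants: Iterable[int], table: Dict[int, str]) -> Dict[int, str]:
    """Map hash constants pulled from a sample back to API names, marking
    anything the word list does not cover as unknown."""
    return {c: table.get(c, "unknown") for c in constants}


# --- MAC checking ------------------------------------------------------

# First three bytes (OUI) of MAC ranges registered to virtualisation
# vendors. Public IEEE assignments; illustrative, not Marap's list.
VM_OUIS: Dict[str, str] = {
    "00:05:69": "VMware", "00:0C:29": "VMware",
    "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5D": "Hyper-V",
    "00:1C:42": "Parallels",
    "00:16:3E": "Xen",
}


def vm_vendor_for_mac(mac: str) -> Optional[str]:
    """Normalise 'aa-bb-cc-..' / 'AA:BB:CC:..' and look up the OUI."""
    oui = mac.upper().replace("-", ":")[:8]
    return VM_OUIS.get(oui)


def should_exit(macs: Iterable[str], check_enabled: bool) -> bool:
    """The flag-gated behaviour described above: bail out only when the
    configuration flag is set and some adapter carries a VM vendor OUI."""
    if not check_enabled:
        return False
    return any(vm_vendor_for_mac(m) is not None for m in macs)


if __name__ == "__main__":
    wanted = ror13_hash("VirtualAlloc")          # the constant a loader would embed
    print(hex(wanted), "->", hex(resolve_by_hash(SAMPLE_EXPORTS, wanted)))
    table = build_hash_table(SAMPLE_EXPORTS)
    print(label_hashes([wanted, 0xDEADBEEF], table))
    print(should_exit(["3C:22:FB:12:34:56", "00-0c-29-aa-bb-cc"], True))
```

The analyst-side table is the practical countermeasure: once the hash algorithm is identified, hashing the export lists of common system DLLs turns the opaque constants back into function names. The MAC check is equally simple to defeat from the analysis side by giving the sandbox adapter a non-vendor prefix, which is why Marap keeps it behind a configuration flag rather than relying on it alone.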
Once installed, Marap connects to its command and control (C&C) server. Although the traffic is encrypted, the researchers were able to decrypt it and identify some of the commands and responses. They show Marap requesting new modules and additional malware to install on the target machine.
What does this mean?
Malware continues to get smarter to stay ahead of researchers. Neither modular design nor fingerprinting is new. Both, however, present a significant challenge to security software, including AI-based detection, and to analysts. Marap's small footprint adds to the difficulty of detecting it.
Downloaders make it easy for attackers to keep modifying their attacks. They can use them to establish a persistent presence on a machine, which gives the attacker ongoing access and the option of selling that access to other criminals.
Proofpoint says this is part of a new trend towards more versatile malware, and it has promised details on another piece of malware soon.