Malware

Marap modular downloader opens the doors to further attacks

Researchers discovered a new modular downloader, tracked as Marap malware, that is being used in large campaigns targeting financial institutions.

Researchers from Proofpoint have spotted a new modular downloader in large campaigns targeting financial institutions, experts believe the malicious code could be used to deliver additional malware in future attacks.

Earlier August, Proofpoint reported several large email campaigns delivering millions of messages with the intent of spreading the modular Marap malware. The modular structure of the Marap malware allows the attackers to add new attack features and to deliver additional payload in infected systems.

“Proofpoint researchers recently discovered a new downloader malware in a fairly large campaign (millions of messages) primarily targeting financial institutions. The malware, dubbed “Marap” (“param” backwards), is notable for its focused functionality that includes the ability to download other modules and payloads.” reads the analysis published by Proofpoint.

“The modular nature allows actors to add new capabilities as they become available or download additional modules post infection. To date, we have observed it download a system fingerprinting module that performs simple reconnaissance.”

The campaigns present many similarities with attacks attributed to the cybercrime gang tracked as TA505. The spam messages used differed attachments to spread the malware, including Microsoft Excel Web Query files, password-protected ZIP files containing the Query files, PDFs with embedded Query files, and Word documents containing macros.

The name Marap comes after its command and control (C&C) phone home parameter “param” spelled backwards, it is written in C and implements a few notable anti-analysis features.

Anti-Analysis features include:

  • Most of the Windows API function calls are resolved at runtime using a hashing algorithm, in Marap this algorithm appears to be custom.
  • Use of timing checks at the beginning of important functions that can elude debugging and sandboxing of the malware. If the calculated sleep time is too short, the malware exits.
  • String obfuscation.
  • Anti-analysis check that compares the system’s MAC address to a list of virtual machine vendors. If a virtual machine is detected and a configuration flag is set, the malware may exit.

Marap uses HTTP for C&C communication, but experts noticed it tries a number of legitimate WinHTTP functions to determine whether it needs to use a proxy and if so what proxy to use

“As defenses become more adept at catching commodity malware, threat actors and malware authors continue to explore new approaches to increase effectiveness and decrease the footprint and inherent “noisiness” of the malware they distribute” concludes Proofpoint.

“This new downloader, along with another similar but unrelated malware that we will detail next week, point to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise.”

Experts observed only a system fingerprinting module downloaded by the malware from “hxxp://89.223.92[.]202/mo.enc” and contained an internal name of “mod_Init.dll”.

The module is a DLL written in C that gathers the following system information to the C&C server:

  • Username
  • Domain name
  • Hostname
  • IP address
  • Language
  • Country
  • Windows version
  • List of Microsoft Outlook .ost files
  • Anti-virus software detected

Further details, including indicators of compromise, are reported in the analysis shared by the company.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Marap malware, spam)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

8 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

12 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

18 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

21 hours ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

TheMoon bot infected 40,000 devices in January and February

A new variant of TheMoon malware infected thousands of outdated small office and home office…

1 day ago

This website uses cookies.