Pierluigi Paganini August 18, 2018

Researchers discovered a new modular downloader, tracked as Marap malware, that is being used in large campaigns targeting financial institutions.

Researchers from Proofpoint have spotted a new modular downloader in large campaigns targeting financial institutions, experts believe the malicious code could be used to deliver additional malware in future attacks.

Earlier August, Proofpoint reported several large email campaigns delivering millions of messages with the intent of spreading the modular Marap malware. The modular structure of the Marap malware allows the attackers to add new attack features and to deliver additional payload in infected systems.

“Proofpoint researchers recently discovered a new downloader malware in a fairly large campaign (millions of messages) primarily targeting financial institutions. The malware, dubbed “Marap” (“param” backwards), is notable for its focused functionality that includes the ability to download other modules and payloads.” reads the analysis published by Proofpoint.

“The modular nature allows actors to add new capabilities as they become available or download additional modules post infection. To date, we have observed it download a system fingerprinting module that performs simple reconnaissance.”

The campaigns present many similarities with attacks attributed to the cybercrime gang tracked as TA505. The spam messages used differed attachments to spread the malware, including Microsoft Excel Web Query files, password-protected ZIP files containing the Query files, PDFs with embedded Query files, and Word documents containing macros.

The name Marap comes after its command and control (C&C) phone home parameter “param” spelled backwards, it is written in C and implements a few notable anti-analysis features.

Anti-Analysis features include:

• Most of the Windows API function calls are resolved at runtime using a hashing algorithm, in Marap this algorithm appears to be custom.
• Use of timing checks at the beginning of important functions that can elude debugging and sandboxing of the malware. If the calculated sleep time is too short, the malware exits.
• String obfuscation.
• Anti-analysis check that compares the system’s MAC address to a list of virtual machine vendors. If a virtual machine is detected and a configuration flag is set, the malware may exit.

Marap uses HTTP for C&C communication, but experts noticed it tries a number of legitimate WinHTTP functions to determine whether it needs to use a proxy and if so what proxy to use

“As defenses become more adept at catching commodity malware, threat actors and malware authors continue to explore new approaches to increase effectiveness and decrease the footprint and inherent “noisiness” of the malware they distribute” concludes Proofpoint.

“This new downloader, along with another similar but unrelated malware that we will detail next week, point to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise.”

Experts observed only a system fingerprinting module downloaded by the malware from “hxxp://89.223.92[.]202/mo.enc” and contained an internal name of “mod_Init.dll”.

The module is a DLL written in C that gathers the following system information to the C&C server:

• Username
• Domain name
• Hostname
• IP address
• Language
• Country
• Windows version
• List of Microsoft Outlook .ost files
• Anti-virus software detected

Further details, including indicators of compromise, are reported in the analysis shared by the company.

Pierluigi Paganini

(Security Affairs – Marap malware, spam)

[adrotate banner=”5″]

[adrotate banner=”13″]