Cybersecurity experts have just discovered a new modular downloader that has the capability to download other modules and payloads. It’s embedded itself in large campaigns and primarily hitting major financial institutions, planting their seeds for possible future attacks.
Named Marap by security researchers from Proofpoint, after its command and control (C&C) phone home parameter “param” spelled backwards. Written in C-language, the malware contains notable anti-analysis features. Its type allows for fraudsters to add new features and capabilities as they become accessible or download additional modules after the initial infection. It was observed downloading a fingerprinting system that has the ability to perform simple reconnaissance functions.
On August 10th, researchers observed huge quantities of email campaigns (hundreds of thousands of email messages) leading to the same Malware (Marap) payload in their testing. The email messages contained all sorts of infected attachments – including Microsoft Excel Web Query (“iqy”) files, password-protected ZIP files containing the query files, and Word documents containing macros.
As per the reports, most of the email attachments come from the Sales Department while some other seemingly important documents are coming from major unnamed banks and random domains. The malware uses HTTP for its command and control comms, but it initially test out a number of legitimate WinHTTP functions to determine if it needs a specific type of proxy to use.
A write-up from Threatpost details some anti-analysis features; it says –
“One of these features is API-hashing, a process used in malware to prevent scanners and analyst-detection tools from determining the code’s purpose. The process means that most of the Windows API function calls are resolved at run-time using a hashing algorithm, which is this case appears to be custom to Marap, said researchers…
Secondly, the malware uses timing checks at the beginning of important functions, which can hinder debugging and sandboxing. “If the calculated sleep time is too short, the malware exits,” the researchers explained…
Finally, the malware compares the system’s MAC address to a list of virtual machine vendors – and if a virtual machine is detected and a configuration flag is set, the malware may also exit, researchers, said.”
The researchers from Proofpoint pointed out that the Marap is just one of the new, and growing groups of flexible and tough malwares that give fraudsters multiple opportunities for different attacks. This can ultimately provide for selection and identification of systems that may lead to more significant threats in the future.