Marap Malware Targets Financial Institutions

A new, highly flexible downloader malware, which primarily targets financial institutions, has been discovered.

It’s cybersecurity researchers at Proofpoint who have detected this new malware campaign, which they have named Marap and which has the ability to download other modules and payloads.

A detailed post on the malware by the Proofpoint staff says, “Proofpoint researchers recently discovered a new downloader malware in a fairly large campaign (millions of messages) primarily targeting financial institutions. The malware, dubbed “Marap” (“param” backwards), is notable for its focused functionality that includes the ability to download other modules and payloads. The modular nature allows actors to add new capabilities as they become available or download additional modules post infection. To date, we have observed it download a system fingerprinting module that performs simple reconnaissance.”

The Proofpoint researchers had noticed the issue on August 10. The Proofpoint post says- “On August 10, 2018, we observed several large email campaigns (millions of messages) leading to the same “Marap” malware payload in our testing.” The emails contained different kinds of attachments, including Microsoft Excel Web Query (“.iqy”) files, Password-protected ZIP archives containing “.iqy” files, PDF documents with embedded “.iqy” files and Microsoft Word documents containing macros.

Many of these email attachments, as per reports, seemed to be coming from the sales department while some seemed to be important documents coming from a major unnamed bank. There were also emails that seemed to be invoiced coming from random domains. Such malicious email attachments would contain the malicious macros that would lead to the execution of the Marap malware. The Proofpoint post says- “As noted, Marap is a new downloader, named after its command and control (C&C) phone home parameter “param” spelled backward. The malware is written in C and contains a few notable anti-analysis features.”

A Threatpost blog post gives details of these anti-analysis features; the post says- “One of these features is API-hashing, a commonly used process in malware to prevent analysts and automated tools from determining the code’s purpose. The process means that most of the Windows API function calls are resolved at runtime using a hashing algorithm, which is this case appears to be custom to Marap, said researchers…Secondly, the malware uses timing checks at the beginning of important functions, which can hinder debugging and sandboxing. “If the calculated sleep time is too short, the malware exits,” the researchers explained…Finally, the malware compares the system’s MAC address to a list of virtual machine vendors – and if a virtual machine is detected and a configuration flag is set, the malware may also exit, researchers, said.”

Marap, which uses HTTP for its C&C communication; the Proofpoint researchers explain- “Marap uses HTTP for its C&C communication but first it tries a number of legitimate WinHTTP functions to determine whether it needs to use a proxy and if so what proxy to use.”

Once the command is executed, a response message can be sent back to the C&C. This includes the bot ID, command, command ID, flag controlling response type, command status code and response data.

As already explained, Marap is highly flexible and modular, thereby helping criminals download other modules and payloads. Threatpost says-” The most notable observed add-on was a systems-fingerprinting module being sent over from the C&C — which is a DLL module — to gather and send back an array of information to the server…That information includes username, domain name, hostname, IP address, language, country, Windows version, anti-virus software detected and a list of Microsoft .ost files.”

Proofpoint researchers point out that Marap, the new downloader, points to a “growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise.”