The newly discovered Marap malware is capable of fingerprinting infected machines
Researchers from Proofpoint have discovered a new strain of malware dubbed Marap that targets the financial sector. It is neither ransomware, a banking trojan nor a RAT, but a malware downloader capable of fingerprinting infected systems and sending the results to a Command and Control server operated by the attackers.
Marap is currently being distributed via malspam that carries the malicious payload inside fake MS Office documents or other file types. According to the research, the cybercriminals try to convince unwary users that the message comes from a sales department and that the attachment must be opened for further information. The sender address, however, reveals that the email is fake. Unfortunately, some users still fall for the trick.
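The sender mismatch and attachment pattern described above are what a mail filter can key on. The following is an added example, not code from the article or from Proofpoint: it parses a constructed malspam message with Python's standard `email` package and reports a department claim from an external domain, a Reply-To pointing elsewhere, and an Office attachment. The trusted domain, the sample messages and the rule names are assumptions made for the demonstration.

```python
"""Triage of a 'sales department' malspam message of the kind described above.

Added example, not from the article or from Proofpoint. The messages and the
organisation's own domain are constructed for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage

TRUSTED_DOMAINS = {"corp.example"}  # assumption: the recipient organisation's own domains
OFFICE_EXTENSIONS = (".doc", ".docm", ".dot", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm", ".rtf")

# Constructed sample: the display name claims a sales department, the address
# belongs to an unrelated domain, replies go elsewhere, and an Office file is attached.
SAMPLE_RAW = b"""From: "Sales Department" <sales@invoices-example.invalid>
Reply-To: <reply@other-example.invalid>
To: victim@corp.example
Subject: Sales information
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached document for further information.
--b1
Content-Type: application/vnd.ms-excel; name="details.xls"
Content-Disposition: attachment; filename="details.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed internal message with no attachment, for comparison.
CLEAN_RAW = b"""From: "Sales Department" <sales@corp.example>
To: victim@corp.example
Subject: Quarterly numbers

Numbers are in the shared folder.
"""


def triage(raw: bytes) -> list:
    """Return the findings a mail filter would raise for this message."""
    msg: EmailMessage = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_hdr = msg["From"]
    if not from_hdr or not from_hdr.addresses:
        return ["missing_sender"]
    sender = from_hdr.addresses[0]
    sender_domain = sender.domain.lower()

    # 1. A department name in the display name, but the address is external:
    #    the mismatch the article says gives the lure away.
    if "sales" in sender.display_name.lower() and sender_domain not in TRUSTED_DOMAINS:
        findings.append("department_claim_from_external_domain")

    # 2. Replies are routed to a different domain than the apparent sender.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != sender_domain:
        findings.append("reply_to_domain_mismatch")

    # 3. Office document attachments are the delivery vehicle described above.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(OFFICE_EXTENSIONS):
            findings.append("office_attachment:" + name)

    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_RAW))  # three findings for the lure
    print(triage(CLEAN_RAW))   # nothing for the internal message
```

Each finding on its own is weak (plenty of legitimate mail has attachments), which is why the function returns the whole list and leaves the scoring to the caller; a quarantine rule would typically require the external-domain claim together with an Office attachment.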
Necurs botnet used to distribute Marap malware
TA505 (Proofpoint's internal name for the Necurs botnet) has been under the radar for most of 2018, and now appears to be back, spreading Marap malware. Necurs has helped distribute some of the most notorious malware, including Locky ransomware, the Dridex banking Trojan and Jaff ransomware.
According to Proofpoint, TA505 began spreading malware four years ago, starting with the Dridex banking Trojan:
TA505 began distributing particular malware strains, beginning with Dridex in 2014.
Unfortunately, because Necurs is so large, researchers predict that the number of infections will increase over time.
Marap functionality and anti-analysis features
The emergence of Marap is further proof that computer infections are becoming harder to deal with and more difficult to detect. For example, Marap uses API hashing to hinder analysis and detection and to conceal the code it runs.
Another technique Marap uses is a timing check. Before performing an essential function, the malware records when it started, sleeps, and then checks whether the elapsed time is as long as the requested sleep. If it appears to be too short, the malware stops its operations and exits immediately.
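API hashing replaces import names with numeric hashes, so an analyst's first job is to map those hashes back to export names. The following is an added example, not code from the article or from Proofpoint, of the table an analyst builds for that purpose. Marap's own hash routine is not described on this page; the ROR-13 additive hash used here is a widely documented scheme and is an assumption, as are the export list and the example hash values.

```python
"""Resolving hashed API names while analysing a sample.

Added example, not from the article or from Proofpoint. Marap's own hash
routine is not described here; the ROR-13 rolling hash below is a widely
documented scheme used as an assumption, as are the example values.
"""

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str) -> int:
    """ROR-13 additive hash of an ASCII export name (assumed scheme)."""
    h = 0
    for byte in name.encode("ascii"):
        h = ror32(h, 13)
        h = (h + byte) & MASK32
    return h


# Exports an analyst would typically pre-hash; in practice the list is taken
# from the export tables of the DLLs the sample loads.
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileA", "WriteFile", "Sleep", "GetTickCount", "ExitProcess",
    "InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA",
]


def build_table(names) -> dict:
    """Map hash -> export name so hashes found in the sample can be looked up."""
    return {ror13_hash(n): n for n in names}


def resolve(hashes, table) -> dict:
    """Resolve each hash; unknowns stay marked so the analyst can extend the table."""
    return {h: table.get(h, "<unknown>") for h in hashes}


if __name__ == "__main__":
    table = build_table(KNOWN_EXPORTS)
    # Constructed input: hashes as they would be pulled from the sample's code.
    observed = [ror13_hash("VirtualAlloc"), ror13_hash("Sleep"), 0xDEADBEEF]
    for h, name in resolve(observed, table).items():
        print(f"{h:08x} -> {name}")
```

When the hash routine recovered from the sample differs (a different rotation count, an XOR instead of an add, a module-name component folded in), only `ror13_hash` needs replacing; the table-building and lookup steps stay the same, which is why they are kept separate.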
Finally, the malware compares the system's MAC address:
The last anti-analysis check compares the system’s MAC address to a list of virtual machine vendors. If a virtual machine is detected and a configuration flag is set, the malware may exit.
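The two environment checks above, the sleep-length check and the MAC-address check, are worth having in code form when reviewing an analysis sandbox, because a sandbox that trips either one never sees the sample's real behaviour. The following is an added example written from the analyst's side, not Marap's code and not code from Proofpoint: it reports which adapter addresses reveal a virtual machine vendor and whether a recorded sleep would pass the length check. The OUI table, the tolerance value and the sample timings are assumptions constructed for the demonstration.

```python
"""Defender-side look at the two environment checks described above:
the sleep-length check and the MAC-address check.

Added example, not Marap's code and not from Proofpoint. The OUI table,
the tolerance value and the timings are assumptions constructed for the demo.
"""

# Vendor prefixes (OUIs) registered to common virtualisation products.
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Microsoft Hyper-V",
    "00:1c:42": "Parallels",
    "00:16:3e": "Xen",
}


def normalise_mac(mac: str) -> str:
    """Accept 00-0C-29-..., 000c29..., or 00:0c:29:... and return aa:bb:cc:dd:ee:ff."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vm_vendor(mac: str):
    """Return the VM vendor a MAC-based check would flag, or None."""
    return VM_OUIS.get(normalise_mac(mac)[:8])


def adapters_that_trip_check(macs) -> dict:
    """For a sandbox's adapters, list which ones reveal a VM vendor."""
    flagged = {}
    for mac in macs:
        vendor = vm_vendor(mac)
        if vendor is not None:
            flagged[mac] = vendor
    return flagged


def sleep_honoured(started: float, finished: float, requested: float,
                   tolerance: float = 0.9) -> bool:
    """The sleep-length check: did at least `tolerance` of the requested sleep elapse?

    A sandbox that fast-forwards sleeps fails this, and the sample exits
    before doing anything observable.
    """
    return (finished - started) >= requested * tolerance


if __name__ == "__main__":
    sandbox_macs = ["00:0C:29:12:34:56", "3c-22-fb-aa-bb-cc"]  # constructed adapter list
    print(adapters_that_trip_check(sandbox_macs))
    print(sleep_honoured(started=0.0, finished=1.2, requested=60.0))   # fast-forwarded sleep
    print(sleep_honoured(started=0.0, finished=60.4, requested=60.0))  # sleep actually elapsed
```

The practical consequence for detonation environments follows directly from the two functions: adapters should carry addresses outside the well-known virtualisation OUIs, and any sleep-skipping the sandbox performs has to be matched by the clock sources the sample reads, otherwise the timing check fails and the run produces nothing.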
Before communicating, Marap first checks whether it needs to use a proxy. If not, it uses HTTP for its Command & Control communication. Once the virus has established itself on the PC, it sends the following to the C&C server:
- Command ID
- Flag controlling response type
- Command arguments
The malware downloads additional modules, including a system-fingerprinting module that gathers information such as the username, hostname, domain name, IP address, country, language, Windows version and installed security software.
Banking trojans, crypto miners and malware downloaders are prevalent – learn to avoid them
While the number of ransomware infections has dropped compared with the 2017 outbreak, attackers seem to be shifting to other forms of malware, such as banking trojans, crypto-miners and malware downloaders like Marap. Nobody can stop bad actors from creating malware that is more threatening to users and more useful to criminals, but potential victims can follow safe browsing practices and reduce the chance of infection as much as possible.
Note that phishing emails very often carry malicious attachments. Attackers use botnets to spread malware automatically, so thousands or even millions of users end up with malicious payloads lurking in their inboxes. Every attachment or hyperlink can therefore lead to a malware infection, and people should treat them with caution.