Report: Modular ‘Marap’ malware campaign sets the table for bigger hacks

Proofpoint says the 'Marap' malware is linked to a known financially motivated threat actor group.

A newly discovered malware campaign that currently conducts simple reconnaissance has the versatility to download additional capabilities onto a victim’s system, according to a report published Thursday by Proofpoint.

Researchers say the malware, which is named “Marap” after a detail in its command and control (C&C) server, bears similarity to other campaigns associated with a threat actor known as TA505.

Proofpoint says it has observed “millions of messages” in a malicious email campaign earlier this month. Emails tend to have various types of attachments, such as PDF files and Microsoft Word documents, laced with the Marap malware. Some of the phishing documents co-opt the name of a major U.S. bank in their fake communications, Proofpoint says.

So far, the researchers say that the only functionality they’ve observed in Marap is to fingerprint systems it infects. The malware gathers basic information — usernames, domain names, IP addresses, country, anti-virus software detected and other data — and sends it to the C&C server.


But Marap’s capability isn’t limited to that, Proofpoint says. The malware is a downloader that has the ability to deploy other modules and payloads.

“The modular nature allows actors to add new capabilities as they become available or download additional modules post infection,” the researchers write.

Proofpoint says Marap shares many features with TA505. The financially motivated threat actor is known for its involvement in several major campaigns, including Locky ransomware and the Dridex banking Trojan.

According to the report, Marap employs several techniques to evade detection and avoid being analyzed by researchers. The malware uses API hashing, which makes it harder for analysts to discern to purpose of the malicious code. The malware also crosschecks a host system’s MAC address to a list of virtual machine vendors. If it determines that it’s running in a VM, it tries to exit, the Proofpoint says.

The researchers assess that Marap is part of a trend of malware becoming more modular and evasive as cyberdefense systems strengthen their detection and prevention abilities.


“As defenses become more adept at catching commodity malware, threat actors and malware authors continue to explore new approaches to increase effectiveness and decrease the footprint and inherent ‘noisiness’ of the malware they distribute,” the researchers write.

Ransomware distribution has declined recently, the researchers say, while other types of malware that establish presence on a system, are being observed more often.

Proofpoint says that the malware in its current form points “a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise.”

Latest Podcasts