Proofpoint has announced the discovery of a new malware strain called Marap.
Security researchers at Proofpoint stated that Marap malware is currently being used for gathering information about victims. The threat actor’s aim appears to be the creation of a network of infected users which they can target in future attacks.
The malware operates by creating a fingerprint for each infected device and sending the information back to its central command and control (C&C). The information it gathers includes username, domain name, hostname, IP address, country, language, operating system, installed anti-virus software, and details of Microsoft Outlook OST files.
The Necurs botnet, the world’s largest spam botnet, was used to push the malware to victims through spam email attachments. Microsoft Excel Web Query files (IQY) were the most common delivery vehicle for Marap. Emails also carried other file formats, such as PDF files, password-protected ZIP files, and Microsoft Word documents.
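Because IQY files are plain text with a fixed layout (a `WEB` line, a version line, then the URL Excel will fetch), mail filters can flag them regardless of the extension the attacker chose. The script below is an added illustration written for this article, not Proofpoint's tooling: it builds a constructed sample message with three attachments (an `.iqy` file, a web query disguised with a `.txt` name, and a harmless text file) and reports which ones are Excel Web Queries. The sender addresses, filenames and the `placeholder.invalid` URL are invented for the example and are not indicators from the report.

```python
import email
import re
from email import policy
from email.message import EmailMessage


def build_sample_eml() -> bytes:
    """Constructed sample mail (not a real lure): an 'invoice' message with three attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice 2018-08"
    msg.set_content("Please see the attached invoice.")

    # Minimal Excel Web Query: header line, version line, URL line. Placeholder URL.
    iqy_body = b"WEB\r\n1\r\nhttp://placeholder.invalid/query.dat\r\n"
    msg.add_attachment(iqy_body, maintype="application",
                       subtype="octet-stream", filename="invoice.iqy")
    # Same content, but renamed to hide the extension from naive filters.
    msg.add_attachment(iqy_body, maintype="text",
                       subtype="plain", filename="report.txt")
    # Benign attachment that must not be flagged.
    msg.add_attachment(b"Nothing to see here.\r\n", maintype="text",
                       subtype="plain", filename="notes.txt")
    return bytes(msg)


# Matches the documented IQY layout: "WEB", a numeric line, then an http(s) URL.
IQY_HEADER = re.compile(rb"^\s*WEB\r?\n\s*\d+\r?\n\s*(https?://\S+)", re.IGNORECASE)


def find_web_queries(raw_eml: bytes) -> list[dict]:
    """Return one record per attachment that is, or looks like, an Excel Web Query.

    Detection is by extension (.iqy) and by content (the WEB/version/URL header),
    so a renamed query file is still caught and the remote URL is surfaced for triage.
    """
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        by_ext = name.lower().endswith(".iqy")
        match = IQY_HEADER.match(payload)
        if by_ext or match:
            hits.append({
                "filename": name,
                "by_extension": by_ext,
                "by_content": match is not None,
                "url": match.group(1).decode(errors="replace") if match else None,
            })
    return hits


if __name__ == "__main__":
    for hit in find_web_queries(build_sample_eml()):
        print(hit)
```

Run as-is it prints two records (`invoice.iqy` and the disguised `report.txt`) and skips `notes.txt`. In a real mail gateway the same check would run on every inbound attachment, with the extracted URL fed to reputation lookups or simply used as grounds to quarantine the message, since legitimate business mail rarely carries web query files.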
The malware can detect when it has been installed on a virtual machine. Hackers included measures to prevent debugging and sandboxing, hampering the efforts of Proofpoint’s researchers to analyse the code.
Marap malware is modular, meaning the attackers can push additional modules to an already infected device to extend its functionality. Marap can also act as a dropper for other payloads, although it is currently unclear what those payloads might be.
The spam emails took a variety of different formats, including sales requests, important banking documents, invoices, and simple emails just containing malicious PDF files and ZIP file attachments.
Proofpoint notes that attackers have recently turned to flexible, modular malware. This shift may be attributed to the availability of security software that is better at detecting more traditional malware, such as ransomware. Marap affords attackers the flexibility to launch a range of different attacks and to identify which systems warrant a more significant compromise.