New Marap malware downloader involved in massive campaign targeting financial institutions

• The downloader is modular - it can download additional payloads and modules.
• Marap has been used in campaigns similar to the ones conducted by the TA505 ATP group.

A new malware downloader dubbed Marap has been discovered. Cybercriminals have used Marap in massive campaigns generating millions of malicious messages and targeting financial institutions across the globe.

Marap is modular in nature which allows it to download additional payloads and modules. This in turn can allow Marap’s operators to upgrade the downloader with new advanced capabilities and repackage it for future sophisticated attacks.

According to security researchers at Proofpoint, who discovered Marap, the malware downloader is also capable of downloading a system fingerprinting module that conducts simple reconnaissance.

Marap campaign

Proofpoint researchers found that the campaigns making use of Marap share similarities with previous campaigns conducted by the TA505 APT threat actor. These campaigns contain Word documents that contain macros, among others, and abuses the brand of a major US bank.

Marap has been named after its C2, which Marap spelled backward - “Param”. The malware downloader is written in C and also comes packed with several anti-analysis feature.

Marap’s system fingerprinting module

Marap’s system fingerprinting module is a DLL written in C++ and is capable of collection information such as username, domain name, IP address, country, language, Windows version and more. This information is sent to Marap’s C2.

“As defenses become more adept at catching commodity malware, threat actors and malware authors continue to explore new approaches to increase effectiveness and decrease the footprint and inherent ‘noisiness’ of the malware they distribute,” Proofpoint researchers wrote in their blog.

“This new downloader, along with another similar but unrelated malware that we will detail next week, point to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise,” Proofpoint researchers added.