Researchers at Proofpoint have identified a malware family dubbed Marap that is being used against large enterprises and financial institutions. The malware is designed as a downloader, so it can be used to deliver additional malware in future attacks.
Proofpoint reported several email campaigns in August whose messages had the sole purpose of spreading Marap:
“Proofpoint researchers lately discovered a new downloader malware in a fairly large campaign (millions of messages) essentially targeting financial institutions. The malware, dubbed “Marap” (“param” backwards), is notable for its focused functionality that includes the ability to download other malicious code modules and payloads.” reads the analysis published by Proofpoint.
The campaigns are attributed to a cybercrime group tracked as TA505. The attackers attempted to spread the malware using Microsoft Excel Web Query files and password-protected ZIP archives. The name Marap is derived from the Command and Control (C&C) phone-home parameter “param”.
Marap uses HTTP for C&C communication and calls a number of WinHTTP functions to determine whether it needs to go through a proxy. The researchers also identified a URL from which a module is downloaded; the module is a DLL with the internal name mod_Init.dll, written in C.
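A defender triaging mail attachments would want to flag the two delivery artifacts named above: Excel Web Query files that pull content from a remote host, and password-protected ZIP archives (or ZIPs that wrap an .iqy). The following is an added example, not code from the article or from Proofpoint; it assumes the public .iqy layout (line 1 `WEB`, line 2 a version number, line 3 the URL), which the article does not describe, and the host `example.invalid` is a constructed placeholder.

```python
import io
import zipfile
from urllib.parse import urlparse


def parse_iqy(data: bytes):
    """Return the remote URL an Excel Web Query (.iqy) file points at, or None.
    Layout assumed (general IQY format, not from the article):
    line 1 'WEB', line 2 a version number, line 3 the URL, then optional key=value lines."""
    lines = [ln.strip() for ln in data.decode("utf-8", "replace").splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    url = lines[2]
    return url if urlparse(url).scheme.lower() in ("http", "https") else None


def triage_attachment(name: str, data: bytes) -> list[str]:
    """Return findings for one attachment: a web query fetching from a remote host,
    a password-protected ZIP entry, or a ZIP that carries an .iqy file."""
    findings = []
    lname = name.lower()
    if lname.endswith(".iqy"):
        url = parse_iqy(data)
        if url:
            findings.append(f"{name}: Excel Web Query fetches {urlparse(url).netloc}")
    elif lname.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for zi in zf.infolist():
                    if zi.flag_bits & 0x1:  # general-purpose bit 0 set = entry is encrypted
                        findings.append(f"{name}: password-protected entry {zi.filename}")
                    elif zi.filename.lower().endswith(".iqy"):
                        url = parse_iqy(zf.read(zi))
                        if url:
                            findings.append(f"{name}: archived .iqy {zi.filename} fetches {urlparse(url).netloc}")
        except zipfile.BadZipFile:
            findings.append(f"{name}: not a valid ZIP archive")
    return findings


# Constructed sample input: an .iqy pointing at a placeholder host, and a ZIP wrapping it.
SAMPLE_IQY = b"WEB\r\n1\r\nhttp://example.invalid/query.php\r\n"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("invoice.iqy", SAMPLE_IQY)
SAMPLE_ZIP = _buf.getvalue()

if __name__ == "__main__":
    for n, d in (("invoice.iqy", SAMPLE_IQY), ("invoice.zip", SAMPLE_ZIP)):
        for finding in triage_attachment(n, d):
            print(finding)
```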