Posted on August 18, 2018 at 8:24 AM
‘Marap’ Malware from the Necurs Botnet Recently Discovered
On August 10, a new malware called “Marap” was discovered by computer security analysts at Proofpoint, Inc. Connected to the ‘Necurs botnet’ (or the TA505 actor, as Proofpoint calls it), Marap is circulating in a large-scale phishing campaign spanning millions of emails.
The primary targets of this malware are several federal and corporate financial institutions and organizations within the American economy.
Previous instances of malware and trojans from Necurs include the financial banking trojan “Dridex” in 2015, the October 2017 “trick” trojan and, later in November, further embedded files (.vbs and .lnk).
How is it distributed?
This malware is downloaded via email attachments and sends infected users’ data over a network channel back to a “command and control” server. This control center receives input commands from the authors to steal various files and similar data from infected machines.
The targeted user receives an email from randomized domains and names, with a random string of letters and the word “Request” in the subject line. Enclosed is a .iqy file named “Important Documents”.
The body of the email is largely simple and often contains more randomized strings of letters. The email targets users by posing as an advertisement for the services and goods of a United States federal bank or similar organization.
How does it work?
Once a system is infected, Marap fingerprints it and captures sensitive geolocation data about the system and user.
The infected email carries a .iqy (Excel Web Query) file. This type of file has been the primary method of infection by the Necurs botnet since early 2015 with the Dridex trojan and is still used extensively by email phishers today.
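As an added example (not from Proofpoint or the original post), here is a mail-gateway style check for the delivery method described above: it flags .iqy attachments and extracts the URL the web query would fetch, so the message can be quarantined and the URL reviewed. The sample message, its addresses, subject string and URL are constructed placeholders, and the function names are hypothetical.

```python
import email
from email import policy

# Constructed sample message (not a real campaign e-mail); sender, subject
# string and URL are placeholders that mimic the lure described above.
SAMPLE_EML = """\
From: sender@example.com
To: user@example.org
Subject: Request [QWJXKZ]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

xkqjw zzpla

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Important Documents.iqy"

WEB
1
http://placeholder.example/query

--b1--
"""

def iqy_query_url(data: bytes):
    """Return the URL from a web query file laid out as "WEB", version, URL;
    return None when the content does not have that shape."""
    lines = [ln.strip() for ln in data.decode("latin-1").splitlines() if ln.strip()]
    if len(lines) >= 3 and lines[0].upper() == "WEB":
        return lines[2]
    return None

def scan_message(raw: str):
    """Flag .iqy attachments and report the URL each one would contact."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():  # skips the plain-text body part
        name = part.get_filename() or ""
        if name.lower().endswith(".iqy"):
            payload = part.get_payload(decode=True) or b""  # undoes base64/QP
            findings.append({"subject": str(msg["Subject"]), "file": name,
                             "url": iqy_query_url(payload)})
    return findings

if __name__ == "__main__":
    print(scan_message(SAMPLE_EML))
```

Matching on the attachment extension and content rather than on the sender or subject is deliberate, since the campaign randomizes those fields.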
The virus reportedly uses several techniques to avoid analysis and debugging, hindering efforts to reverse engineer it and understand how Marap works. What has been found, however, is that it was programmed in C and communicates over Hypertext Transfer Protocol (HTTP).
Instructions provided by the Necurs botnet authors will allow this malware to transfer data from infected users’ systems to the C&C hub. This effectively enables the authors to launch powerful cyber attacks against vulnerable systems via coordinated efforts of the infected machines, called a “botnet”.
Proofpoint analysts and staff have concluded that this development,
point[s] to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise.