Security Affairs

Marap modular downloader opens the doors to further attacks


Researchers discovered a new modular downloader, tracked as Marap malware, that is being used in large campaigns targeting financial institutions.

Researchers from Proofpoint have spotted a new modular downloader in large campaigns targeting financial institutions. The experts believe the malicious code is built to deliver additional malware in future attacks.

Earlier in August, Proofpoint reported several large email campaigns delivering millions of messages with the intent of spreading the modular Marap malware. The modular structure of Marap allows the attackers to add new capabilities over time and to deliver additional payloads to already infected systems.

“Proofpoint researchers recently discovered a new downloader malware in a fairly large campaign (millions of messages) primarily targeting financial institutions. The malware, dubbed “Marap” (“param” backwards), is notable for its focused functionality that includes the ability to download other modules and payloads.” reads the analysis published by Proofpoint.

“The modular nature allows actors to add new capabilities as they become available or download additional modules post infection. To date, we have observed it download a system fingerprinting module that performs simple reconnaissance.”

The campaigns present many similarities with attacks attributed to the cybercrime gang tracked as TA505. The spam messages used different attachment types to spread the malware, including Microsoft Excel Web Query (.iqy) files, password-protected ZIP archives containing the Query files, PDFs with embedded Query files, and Word documents containing macros.

The name Marap comes from its command and control (C&C) phone-home parameter, “param”, spelled backwards. The malware is written in C and implements a few notable anti-analysis features.

Anti-Analysis features include:

  • Most Windows API function calls are resolved at runtime by comparing a hash of the export name against hard-coded values, so the imports do not appear in the binary’s import table; in Marap the hashing algorithm appears to be custom rather than a well-known one.
  • Timing checks at the beginning of important functions, intended to detect debuggers and sandboxes that skip or accelerate sleeps. If the measured sleep time is too short, the malware exits.
  • String obfuscation.
  • An anti-VM check that compares the system’s MAC address against a list of virtual machine vendor prefixes. If a virtual machine is detected and a configuration flag is set, the malware may exit.
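The three checks above (runtime API resolution by hash, the sleep-timing check and the MAC vendor check) are easier to reason about in code. The block below is an added illustration written for this article, not Marap’s code and not Proofpoint’s: the hash is a simple ROR13-style rolling hash chosen for illustration (Marap’s actual custom algorithm is not disclosed on the page), the export table is a fixed array standing in for a module’s PE export directory, the hypervisor OUI prefixes are assumed from public OUI registrations rather than from the sample, and the 50 ms jitter tolerance in the timing check is an assumed value. The same approach is what an analyst uses to recover a sample’s hashed import list: hash every export name of the DLLs of interest with the recovered algorithm and match the results against the constants embedded in the binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative API-name hash (ROR13 + add). This is NOT Marap's custom
 * algorithm, which the page does not disclose; it is a common loader
 * hash family chosen so the resolution mechanism can be shown. */
uint32_t api_hash(const char *name)
{
    uint32_t h = 0;
    for (; *name; name++) {
        h = (h >> 13) | (h << 19);   /* rotate right by 13 bits */
        h += (uint8_t)*name;
    }
    return h;
}

/* Stand-in for an export table. A real resolver walks the PE export
 * directory of a loaded module instead of a fixed array. */
static const char *const kExports[] = {
    "CreateFileA", "WinHttpOpen", "WinHttpGetIEProxyConfigForCurrentUser",
    "Sleep", "GetTickCount", "VirtualAlloc", "WriteProcessMemory",
};

/* Resolve an API by hash the way a loader does: return the export whose
 * name hashes to `wanted` (here the name stands in for its address), or
 * NULL if nothing matches. The binary carries only `wanted`, never the
 * string, which is why the import table stays empty. */
const char *resolve_by_hash(uint32_t wanted)
{
    for (size_t i = 0; i < sizeof kExports / sizeof kExports[0]; i++)
        if (api_hash(kExports[i]) == wanted)
            return kExports[i];
    return NULL;
}

/* Timing check of the kind described: the loader requests a sleep of
 * `requested_ms` and measures how long actually elapsed. Sandboxes that
 * skip or fast-forward Sleep() report a shorter gap. The 50 ms slack for
 * scheduler jitter is an assumed tolerance, not a value from the sample. */
int sleep_looks_skipped(uint32_t requested_ms, uint32_t elapsed_ms)
{
    const uint32_t slack_ms = 50;
    return elapsed_ms + slack_ms < requested_ms;
}

/* OUI prefixes (first three MAC bytes) registered to common hypervisor
 * vendors. Assumed from public OUI registrations; the page does not say
 * which vendors Marap checks. */
static const uint8_t kVmOuis[][3] = {
    {0x00, 0x05, 0x69}, {0x00, 0x0C, 0x29}, {0x00, 0x1C, 0x14}, {0x00, 0x50, 0x56}, /* VMware */
    {0x08, 0x00, 0x27},                                                             /* VirtualBox */
    {0x00, 0x16, 0x3E},                                                             /* Xen */
    {0x00, 0x15, 0x5D},                                                             /* Hyper-V */
    {0x00, 0x1C, 0x42},                                                             /* Parallels */
};

/* Parse "aa:bb:cc:dd:ee:ff" (colon or dash separated, either case) into
 * six bytes. Returns 1 on success, 0 on malformed input. */
int parse_mac(const char *text, uint8_t out[6])
{
    for (int i = 0; i < 6; i++) {
        unsigned int byte;
        int consumed = 0;
        if (sscanf(text, "%2x%n", &byte, &consumed) != 1 || consumed != 2)
            return 0;
        out[i] = (uint8_t)byte;
        text += 2;
        if (i < 5) {
            if (*text != ':' && *text != '-')
                return 0;
            text++;
        }
    }
    return *text == '\0';
}

/* The anti-VM check as described: 1 if the adapter's OUI belongs to a
 * known hypervisor vendor, 0 otherwise (malformed input counts as "no"). */
int mac_is_vm_vendor(const char *mac_text)
{
    uint8_t mac[6];
    if (!parse_mac(mac_text, mac))
        return 0;
    for (size_t i = 0; i < sizeof kVmOuis / sizeof kVmOuis[0]; i++)
        if (memcmp(mac, kVmOuis[i], 3) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed inputs for a stand-alone run. */
    printf("%08x -> %s\n", api_hash("Sleep"), resolve_by_hash(api_hash("Sleep")));
    printf("00:0c:29:4a:1b:2c is VM: %d\n", mac_is_vm_vendor("00:0c:29:4a:1b:2c"));
    printf("5000 ms sleep, 12 ms elapsed, skipped: %d\n", sleep_looks_skipped(5000, 12));
    return 0;
}
```

For defenders the useful consequence of the MAC check is that analysis VMs whose adapter OUI is changed to a non-hypervisor prefix will pass it, and the useful consequence of the timing check is that a sandbox which accelerates sleeps will never see the payload download at all; the hash resolver explains why static import analysis of such a sample shows almost nothing.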

Marap uses HTTP for C&C communication. Before connecting, it calls a number of legitimate WinHTTP functions to determine whether the host requires a proxy and, if so, which proxy to use, so that it blends in with ordinary outbound traffic from a proxied corporate network.

“As defenses become more adept at catching commodity malware, threat actors and malware authors continue to explore new approaches to increase effectiveness and decrease the footprint and inherent “noisiness” of the malware they distribute” concludes Proofpoint.

“This new downloader, along with another similar but unrelated malware that we will detail next week, points to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise.”

To date, the experts have observed only a single module downloaded by the malware, a system fingerprinting component fetched from “hxxp://89.223.92[.]202/mo.enc” that carries the internal name “mod_Init.dll”.

The module is a DLL written in C that gathers the following system information and reports it to the C&C server:

  • Username
  • Domain name
  • Hostname
  • IP address
  • Language
  • Country
  • Windows version
  • List of Microsoft Outlook .ost files
  • Anti-virus software detected

Further details, including indicators of compromise, are reported in the analysis shared by the company.


Pierluigi Paganini

(Security Affairs – Marap malware, spam)
