Neither a ransomware, Rat, or banking trojan, Marap is rather a downloader capable of copying a targets fingerprint. The malware is named after its command-and-control parameter “param,” spelled backwards and is specifically targeting financial institutions. This malware comes as a result of defenses becoming stronger against commodity malware forcing attackers to look for new methods that will decrease the footprint. On August 10th, researchers started seeing a large volume of email campaigns and all of them lead to the Marap malware payload. These emails would appear as if they were coming from the sales department’s or major unidentified bank’s and proclaim to contain important documents. Marap malware itself is written in C and rigged with multiple anti-analysis features, most notably API-hashing. The intent of API-hashing is to prevent analysts from recognizing the code and figure out its purpose. Time checks also play a big role in deploying the malware because it uses them to deter debugging and sandboxing. Marap is modular and flexible, which allows attackers to download other modules and payloads. Marap gathers a system’s fingerprints and sends them back to a command- and- control server that is being run by the attackers. The information includes username, domain name, hostname, IP address, language, country, Windows version, anti-virus software detected and a list of Microsoft .ost files. Researchers at Proofpoint said: “This new downloader… points to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise.” The email address that has been seen predominately distributing this malware can easily be flagged by a user as fake, due to its looks.
