A well-known cyber crime group launched new malware that may signal that they — and possibly other groups as well — are moving towards stealth, reconnaissance and agility, according to Proofpoint, the firm that discovered the new "Marap" malware.

What's a Marap? Marap was created by the same group responsible for the widespread banking credential harvester Dridex and the ransomware Locky. It's designed to download other programs — the first stage of an attack.

Marap is stealthy, even among downloaders. Kevin Epstein, vice president of Proofpoint's threat operation center, explains: Marap is loaded up with tools to evade security tools and analysis and appears to be designed to lay mostly dormant while the hackers decide what they want to do.

What they're saying: "We don't see many things this stealthed and quiet," said Epstein, even among other downloaders.

The strategy: Epstein contrasts Marap with other downloaders that might come bundled with other functions or immediately start a download of a more feature-rich malicious program. Instead, Marap sends a very small package of information about the computer it infected back to its developers and awaits further instructions.

If Marap is the first stage in an attack, Proofpoint has yet to see stage two. They have not seen Marap execute instructions to start downloading anything.

  • Epstein said the firm believes that the delay is to use the information about its victims to determine the most lucrative next step, whether that's setting up long-term shop in a server with valuable data or installing a cryptocurrency mining program in a more mundane system.

Why it matters: The firm thinks this might signal a change in how attackers approach their craft, from a period of quick-hit criminal moves to more deliberate action.

"You don't switch from stick-ups to heists if the stick-ups still get all the money you want," explained Epstein.

The criminal group behind Marap, sometimes referred to as TA505, is known for distributing its malware over the Necurs botnet, which has changed its main focus in recent days.
