Aug 16, 2018

Cyber crime group gets stealthy with new "Marap" malware


A well-known cyber crime group launched new malware that may signal that they — and possibly other groups as well — are moving towards stealth, reconnaissance and agility, according to Proofpoint, the firm that discovered the new "Marap" malware.

What's a Marap? Marap was created by the same group responsible for the widespread banking credential harvester Dridex and the ransomware Locky. It's designed to download other programs — the first stage of an attack.

Marap is stealthy, even among downloaders. Kevin Epstein, vice president of Proofpoint's threat operation center, explains that Marap is loaded with features to evade security tools and analysis, and appears designed to lie mostly dormant while the attackers decide what they want to do.

What they're saying: "We don't see many things this stealthed and quiet," said Epstein, even among other downloaders.

The strategy: Epstein contrasts Marap with other downloaders that might come bundled with other functions or immediately start a download of a more feature rich malicious program. Instead, Marap sends a very small package of information about the computer it infected back to its developers and awaits further instructions.

If Marap is the first stage in an attack, Proofpoint has yet to see stage two. They have not seen Marap execute instructions to start downloading anything.

  • Epstein said the firm believes that the delay is to use the information about its victims to determine the most lucrative next step, whether that's setting up long-term shop in a server with valuable data or installing a cryptocurrency mining program in a more mundane system.
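The behaviour described above, a tiny fingerprint sent home followed by quiet, regular check-ins while the operators decide what to do, is exactly what a defender can hunt for in egress proxy logs. The following is an added illustration, not code from Proofpoint or Axios, and it makes no claim about Marap's real check-in interval, payload size or infrastructure, none of which the article gives. The log format, the hostnames, the thresholds and the sample lines are all constructed for the example.

```python
"""Heuristic detection of low-and-slow beaconing in proxy logs.

Flags (client, destination) pairs that contact the same host at a
near-constant interval while sending very little data, the traffic
shape of a dormant first-stage downloader waiting for instructions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real Marap traffic).
# Fields: ISO timestamp, client IP, destination host, bytes sent by the client.
SAMPLE_LOG = """\
2018-08-16T09:00:00 10.0.0.5 updates.example.com 48210
2018-08-16T09:00:05 10.0.0.5 cdn.example.net 1200
2018-08-16T09:00:11 10.0.0.7 suspicious-host.invalid 312
2018-08-16T09:15:10 10.0.0.7 suspicious-host.invalid 318
2018-08-16T09:30:12 10.0.0.7 suspicious-host.invalid 309
2018-08-16T09:45:09 10.0.0.7 suspicious-host.invalid 315
2018-08-16T10:00:11 10.0.0.7 suspicious-host.invalid 311
2018-08-16T09:03:00 10.0.0.5 updates.example.com 51000
2018-08-16T09:40:00 10.0.0.5 updates.example.com 2200
2018-08-16T11:12:00 10.0.0.5 updates.example.com 47000
"""


def parse_log(text):
    """Group log lines by (client, destination) into time-sorted (timestamp, bytes_out) lists."""
    flows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, dest, size = line.split()
        flows[(client, dest)].append((datetime.fromisoformat(ts), int(size)))
    for events in flows.values():
        events.sort()
    return flows


def score_flow(events):
    """Return (mean interval in seconds, jitter, mean bytes out) for a sorted event list.

    Jitter is the coefficient of variation of the inter-arrival times:
    a machine-driven timer gives a value near 0, human browsing a large one.
    """
    times = [t.timestamp() for t, _ in events]
    intervals = [later - earlier for earlier, later in zip(times, times[1:])]
    mean_interval = mean(intervals)
    jitter = pstdev(intervals) / mean_interval if mean_interval > 0 else float("inf")
    return mean_interval, jitter, mean(size for _, size in events)


def find_beacons(text, min_events=4, max_jitter=0.15, max_bytes=1024):
    """Flag flows that check in at a near-constant interval with tiny uploads.

    The thresholds are constructed defaults for the example; tune them to
    the environment and expect benign periodic traffic (update checks,
    telemetry) to need allow-listing.
    """
    hits = []
    for (client, dest), events in parse_log(text).items():
        if len(events) < min_events:
            continue  # too few observations to call the timing regular
        mean_interval, jitter, mean_bytes = score_flow(events)
        if jitter <= max_jitter and mean_bytes <= max_bytes:
            hits.append({
                "client": client,
                "dest": dest,
                "events": len(events),
                "mean_interval_s": mean_interval,
                "jitter": jitter,
                "mean_bytes": mean_bytes,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['dest']}: {hit['events']} check-ins, "
              f"every {hit['mean_interval_s']:.0f}s (jitter {hit['jitter']:.3f}), "
              f"{hit['mean_bytes']:.0f} bytes out on average")
```

On the constructed log, the regular 15-minute, ~300-byte check-ins from `10.0.0.7` are flagged while the bursty, multi-kilobyte update traffic from `10.0.0.5` is not. The point of the heuristic is the traffic shape, not any indicator: a downloader that stays quiet defeats signature-based detection of its second stage precisely because there is no second stage yet, so the periodic, low-volume check-in is often the only thing on the wire.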

Why it matters: The firm thinks this might signal a change in how attackers approach their craft, from a period of quick hit criminal moves to more deliberate action.

"You don't switch from stick-ups to heists if the stick-ups still get all the money you want," explained Epstein.

The criminal group behind Marap, sometimes referred to as TA505, is known for distributing its malware over the Necurs botnet, which has changed its main focus in recent days.
