Stories

Cyber crime group gets stealthy with new "Marap" malware

Photo: Epoxydude via Getty

A well-known cyber crime group launched new malware that may signal that they — and possibly other groups as well — are moving towards stealth, reconnaissance and agility, according to Proofpoint, the firm that discovered the new "Marap" malware.

What's a Marap? Marap was created by the same group responsible for the widespread banking credential harvester Dridex and the ransomware Locky. It's designed to download other programs — the first stage of an attack.

Marap is stealthy, even among downloaders. Kevin Epstein, vice president of Proofpoint's threat operation center, explains: Marap is loaded up with tools to evade security tools and analysis and appears to be designed to lay mostly dormant while the hackers decide what they want to do.

What they're saying: "We don't see many things this stealthed and quiet," said Epstein, even among other downloaders.

The strategy: Epstein contrasts Marap with other downloaders that might come bundled with other functions or immediately start a download of a more feature rich malicious program. Instead, Marap sends a very small package of information about the computer it infected back to its developers and awaits further instructions.

If Marap is the first stage in an attack, Proofpoint has yet to see stage two. They have not seen Marap execute instructions to start downloading anything.

  • Epstein said the firm believes that the delay is to use the information about its victims to determine the most lucrative next step, whether that's setting up long-term shop in a server with valuable data or installing a cryptocurrency mining program in a more mundane system.

Why it matters: The firm thinks this might signal a change in how attackers approach their craft, from a period of quick hit criminal moves to more deliberate action.

"You don't switch from stick-ups to heists if the stick-ups still get all the money you want," explained Epstein.

The criminal group behind Marap, sometimes refered to as TA505, is known for distributing its malware over the Necurs botnet, which has changed its main focus in recent days.