Researchers at threat-protection firm Proofpoint have recently discovered two similar modular malware downloaders that fingerprint systems. Marap is targeting primarily financial organizations, while AdvisorsBot has so far targeted primarily hotels, restaurants and telecommunications. Both downloaders are being use as a first-stage payload, delivering a fingerprinting module that Proofpoint suspects is used to identify targets of interest that will likely receive additional modules or payloads.
Marap, which Proofpoint notes is named for its command-and-control phone-home parameter, “param,” spelled backwards, was just identified Aug. 16. Researchers discovered AdvisorsBot in May of this year.
Proofpoint first picked up the scent of modular malware AdvisorsBot in May 2018 when it appeared as part of several email campaigns including a “double charge” lure apparently targeting hotels, a “food poisoning” lure aimed at restaurants and a “resume” lure targeting telecommunications organizations.
Marap first became evident to Proofpoint Aug. 10, when researchers noticed several large email campaigns comprising millions of messages leading to the same Marap modular malware payload. They shared many features with previous campaigns attributed to TA505, but Proofpoint researchers noted. “The modular nature of Marap [and AdvisorsBot] lets actors add new capabilities as they become available or download additional modules post infection,” the Proofpoint Staff blog post stated. To date, Proofpoint has not seen any payload other than system fingerprinting in Marap. The attachment types in the Marap campaigns include Microsoft Excel Web Query (.IQY), password-protected zip archives containing .IQY files, PDF documents with embedded .IQY files and Microsoft Word documents containing macros.
“The prevalence of existing malware families is shifting. Instead of the massive ransomware campaigns of 2016 and 2017, for example, we continue to see dramatic upticks in distribution of downloaders like Marap and AdvisorsBot, large banking Trojan campaigns, and even large increases in RAT [remote access Trojan] distribution,” said Sherrod DeGrippo, director of Threat Research and Detection at Proofpoint. “The trend towards (sic) ‘quieter’ malware that can pave the way for future or ongoing malicious activity has deepened throughout 2018.”
Modular Malware Gets Methodical
Up until this year, typical downloaders have often been accompanied by additional functions that take immediate action, such as a simultaneous download of malicious programs. Proofpoint is saying that Marap may lie in wait, so it’s less likely to be discovered. Instead of the scattergun approach that malware has taken for years, it’s the sniper approach. Infosec teams need to keep an eye on this change in behavior. (See also “Malware Complacency: Time to Wake up.”)
DeGrippo sums it up this way: “Marap stealthily consists of a single initial payload of a basic system fingerprinting module. Leveraging this, attackers gain the ability to collect information on the victim and determine the most lucrative next step for further compromise, infection, or exploitation. It is also able to rule out sandboxes, virtual machines, and other research environments, which helps the malware stay under the radar.”
Take-aways: the days of not very smart malware may be coming to an end. More reasons why encryption is no longer optional for many types of data. Get ahead of this.