Researchers have linked a newly discovered downloader malware to the Necurs botnet, after it was observed in a large Aug. 10 email-based phishing campaign, targeting mostly financial organizations.
The malware, named Marap, is capable of downloading additional modules and payloads in order to give attackers a wide range of capabilities. So far, the researchers, from Proofpoint, have observed Marap delivering a system fingerprinting module, used for victim reconnaissance. A DLL file written in the C programming language, the fingerprinter compiles information such as username, domain name, host name, IP address, language, country, Windows version, Microsoft Outlook .ost files and detected antivirus software, and sends that information to the command-and-control server.
According to a Proofpoint blog post yesterday, the spam operation largely resembled other spam campaigns previously attributed to an actor it calls TA505 — otherwise known as the Necurs botnet.
The emails leveraged a number of different malicious attachment types, including Excel Web Query (.iqy) files, password-protected ZIP archives containing .iqy files, PDF documents with embedded .iqy files, and Microsoft Word documents with macros, the blog post reported.
Researchers from Boston-based cyber firm Barkly had reported back in June that crafty spammers, including the actors behind Necurs, are increasingly relying on .iqy files, normally used to download data from the internet directly into Excel, to launch a chain of malicious downloads.
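As an added illustration (not code from Proofpoint, Barkly or the original article), the following Python attachment triage check flags the four delivery formats listed above. The function names, finding strings and sample data are hypothetical, and it assumes the usual Web Query layout of a "WEB" line, a version line, then the URL.

```python
import io
import zipfile

# Constructed sample; example.invalid is a placeholder host, not an indicator.
SAMPLE_IQY = b"WEB\r\n1\r\nhttp://example.invalid/data.dat\r\n"

def parse_iqy(data: bytes):
    """Return the URL a Web Query file asks Excel to fetch, or None."""
    lines = [ln.strip() for ln in data.decode("latin-1").splitlines() if ln.strip()]
    if not lines or lines[0].upper() != "WEB":
        return None
    # Assumed layout: "WEB", a version line, then the URL.
    return next((ln for ln in lines[1:]
                 if ln.lower().startswith(("http://", "https://"))), None)

def inspect_attachment(name: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing matched."""
    findings = []
    if name.lower().endswith(".iqy"):
        findings.append(f"iqy: fetches {parse_iqy(data)}")
    elif data[:4] == b"PK\x03\x04":  # ZIP container (also .docm/.xlsm)
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = info.filename.lower()
                if member.endswith(".iqy"):
                    # Traditional ZIP encryption leaves member names readable.
                    if info.flag_bits & 0x1:
                        findings.append(f"zip: encrypted iqy member {info.filename}")
                    else:
                        url = parse_iqy(zf.read(info))
                        findings.append(f"zip: {info.filename} fetches {url}")
                elif member.endswith("vbaproject.bin"):
                    findings.append("ooxml: document carries a VBA macro project")
    elif data[:5] == b"%PDF-":
        # Heuristic: misses names stored inside compressed object streams.
        if b"/EmbeddedFile" in data and b".iqy" in data.lower():
            findings.append("pdf: embedded file reference to .iqy")
    return findings

def zip_of(member: str, body: bytes) -> bytes:
    """Build an in-memory ZIP for the demo (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, body)
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_attachment("REQUEST.iqy", SAMPLE_IQY))
    print(inspect_attachment("docs.zip", zip_of("request.iqy", SAMPLE_IQY)))
    print(inspect_attachment("memo.docm", zip_of("word/vbaProject.bin", b"\x00")))
```

Legacy binary .doc files are OLE containers rather than ZIPs, so macro detection for those needs a separate parser and is not covered here.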
Proofpoint cited five separate examples of spam emails its researchers observed during the Marap campaign. Most relied on relatively simple lure subjects and body texts, often incorporating random letters and numbers.
One email with the subject line “REQUEST” followed by randomized letters included an attached .iqy document impersonating an RFP. Another featuring an .iqy file described as “IMPORTANT DOCUMENTS” in the subject line dares to impersonate an actual U.S. bank, pretending to be an ad for its products and services.
Other emails rely on fake names coupled with random email domains, in the hopes of enticing victims to open the malicious files, which are disguised as harmless PDF documents, picture files, or invoices.
Written in C, Marap is named after its C&C beacon request “param,” only spelled backwards. According to Proofpoint, the malware communicates with its C2 infrastructure via HTTP, “but first it tries a number of legitimate WinHTTP functions to determine whether it needs to use a proxy and if so what proxy to use.”
The malware reportedly also uses a number of anti-analysis, anti-debugging and anti-sandboxing techniques, including API hashing, timing checks at the beginning of important functions, obfuscated strings, and comparing infected systems’ MAC addresses to a list of virtual machine vendors.
“As defenses become more adept at catching commodity malware, threat actors and malware authors continue to explore new approaches to increase effectiveness and decrease the footprint and inherent ‘noisiness’ of the malware they distribute,” the Proofpoint blog post states. “This new downloader, along with another similar but unrelated malware that we will detail next week, point to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise.”