Security researchers from Proofpoint have discovered a new malware strain that they named Marap and which is currently distributed via massive waves of spam emails carrying malicious attachments (malspam).

The malware is neither a banking trojan, a remote access trojan (RAT), or ransomware, but a malware download (also referred to as malware loader or malware dropper).

Marap is a slim malware strain that infects victims, fingerprints their systems, and sends this information back to a central command & control (C&C) server.

Based on the victim’s profile, Marap will later download specific modules based on the instructions it receives from the C&C server and the malware’s authors.

Marap distributed via Necurs-like spam campaigns

Currently, the malware is in a build-up stage, where with the help of malspam campaigns, the malware is building a base of infected users.

Proofpoint says these malspam campaigns “shared many features with previous campaigns attributed to the TA505 actor.”

The TA505 actor is Proofpoint’s internal name for Necurs, the world’s largest spam botnet, which in recent years has been behind campaigns distributing some of the most widespread malware threats, such as the Dridex banking trojan, and the Locky and Jaff ransomware families.

This massive botnet has been relatively quiet since the start of the year, being involved in many low-volume malspam campaigns, and only recently began returning to larger distribution pushes.

According to a previous report on Necurs activities, the botnet focused on distributing the Dridex banking trojan in 2015, the Locky ransomware in 2016, Jaff and Locky in 2017. In recent months, these have been Necurs’ primary patterns:

Locky ransomware – September/October 2017
Geo-targeted Locky and The Trick banking trojan – October 2017
Embedded .lnk and .vbs malicious attachments – November 2017
GlobeImposter ransomware – December 2017
Shifting to low-volume campaigns – January/February 2018
The slow return of Necurs-powered large campaigns – March 2018 to present

Marap downloader still in its infancy

As for the malspam campaigns pushing the new Marap downloader, Proofpoint says it’s seen various versions. Researchers have seen campaigns leveraging .IQY files, PDF documents with embedded IQY files, password-protected ZIP archives, and the classic Word docs with embedded macros.

As for Marap itself, researchers also said the malware contains basic features to detect virtual machines used for malware analysis, but they don’t appear as complicated as other techniques used by more established trojans.

Marap’s emergence is no surprise. In the past year, as ransomware distribution has died down, malicious threat actors have returned to distributing banking trojans or have shifted to distributing cryptocurrency mining trojans or malware downloaders. Some of the most active downloaders on the malware scene today include Emotet (a former banking trojan), Smoke Loader, and the newly launched Kardon Loader.