Necurs Botnet Now Dispersing Marap Malware

The Necurs botnet is being utilized to transmit huge quantities of spam electronic mails having Marap malware. Marap malware is presently being utilized for reconnaissance and learning about sufferers. The aim seems to be the creation of a system of infected users that can be targeted in future attacks.

The malware generates an exclusive impression for each infected appliance, contacts its C2 server, and transmits information concerning the sufferer’s system to the attackers including username, operating system, language, country, IP address, domain name, hostname, installed anti-virus software, and details of Microsoft Outlook OST files.

The malware has some basic anti-analysis characteristics and can find when it has been installed on a virtual machine and contains measures to obstruct debugging and sandboxing.

Marap malware is modular and can easily be updated with additional modules post-infection to provide increased functionality. It helps as a malware dropper that can be used to provide many different payloads, even though it is presently unclear what those payloads will be.

The malspam campaign was discovered by safety scientists at Proofpoint who say it involves millions of emails. Marap malware is delivered using a range of different electronic mail attachments, with Microsoft Excel Web Query files (IQY) preferred. The messages have iqy files as attachments, or they are incorporated in PDF files and password-protected ZIP files. Standard Microsoft Word documents with malevolent macros are also being transmitted.

The spam campaign includes a range of different electronic mail subjects and messages including sales requests, important banking documents, invoices, and simple electronic mails just containing malevolent PDF files and ZIP file attachments.

Proofpoint notes that there has been a surge in these flexible malware variations in recent months as threat actors move away from ransomware and ‘noisy’ malware that are easy to notice. In its place, downloaders, for example, Marap malware gives attackers the flexibility to introduce a variety of different attacks and carry out a recce to identify systems that deserve a more significant compromise.