Marap is a Trojan-Downloader that was discovered in August 2018. The Marap malware received a lot of attention due to the implementation of advanced anti-analysis techniques observed in lab conditions. The Marap malware is designed to enable threat actors to drop other programs on infected hosts and facilitate various attacks and exploits. The Marap downloader may be injected in systems through spam emails that urge users to download Microsoft Excel Web Query (.IQY) files; password-protected ZIP archives of IQY objects; PDF documents with embedded '.iqy' files and macro-enabled Microsoft Word documents. The phishing emails loaded with Marap were styled to look as sales promotions, notices from a respected bank and invoices from seemingly legitimate services.
The payload is saved to the Temp directory in an encrypted format, and a script loads the malware in the system memory. Researchers found several interesting anti-debugging and anti-analysis techniques while investigating Marap. The malware authors implemented a feature called 'API-hashing' where Windows API function calls are determined at runtime via a hashing algorithm. Deeper code analysis revealed that the malware performs riming checks for certain functions and may obstruct debugging attempts. Also, Marap has limited VM-detection capabilities and compares the infected host's MAC address to a list of virtual machine vendors and, if one is matched, Marap autodestructs. The cyber threat is using standard HTTP traffic to exchange messages with the 'Command and Control' servers. Researchers noted that Marap reports the following statistics to its masters;
Default keyboard layout
Installed AV product
Computer security experts alert that Marap has a module structure and can be expanded easily to support DDoS attacks, record keystrokes and serve as a proxy for the Web traffic of threat actors. Don't forget that Trojan-Downloaders like Marap might drop a CPU/GPU mining application to the infected devices and earn a decent revenue over time. The Marap malware strings are obfuscated with an XOR cipher and a few other techniques, which may contribute to the low-detection ratio. PC users are encouraged to avoid spam emails and run security scans regularly with an up-to-date cybersecurity application. Detection names that AVs use for Marap include the following:
Trojan ( 0053a2c0