The ISO attachment contains an executable, the malware itself.
Proofpoint cyber security researchers have discovered a new malware that targets the financial sector: Marap. It has been used by the TA505 cybercrime group, which was behind many of the Dridex campaigns in 2015 and introduced Locky ransomware in 2016.
Proofpoint cyber security researchers have discovered a new malware, Marap, that targets the financial sector. They found it, a modular downloader, in large campaigns primarily hitting financial institutions. As they reported, it has several functions, including the ability to download other modules and payloads. Its modular design lets the actors add new capabilities as they become available, or download additional modules after infection. The malware is written in C and contains a few notable anti-analysis features. To date, the researchers have observed it download a system fingerprinting module that performs simple reconnaissance. The group behind these new cyber attacks is believed to be “TA505”, a cybercrime gang among the most prolific financially motivated actors. The attackers have distributed massive malicious spam campaigns bearing diverse payloads, ranging from Jaff ransomware to The Trick banking Trojan. TA505 was behind many of the Dridex campaigns that plagued organizations in 2015 and introduced Locky ransomware in 2016.
The Proofpoint conclusions on the new malware
The Proofpoint conclusions on the Marap malware are that “as defenses become more adept at catching commodity malware, threat actors and malware authors continue to explore new approaches to increase effectiveness and decrease the footprint and inherent ‘noisiness’ of the malware they distribute. We have observed ransomware distribution drop dramatically this year while banking Trojans, downloaders, and other malware have moved to fill the void, increasing opportunities for threat actors to establish persistence on devices and networks. This new downloader – the company blog reported – along with another similar but unrelated malware that we will detail next week, point to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise”.