Threat Report

Thursday August 23rd 2018

In August 2018, a new variant of malware - KeyPass ransomware - gained traction using new techniques like manual control to customize its encryption process. Researchers at Kaspersky Lab say that the trojan is being propagated by means of fake installers that download the ransomware module. The trojan sample is written in C++ and compiled in MS Visual Studio. It was developed using the libraries MFC, Boost and Crypto++. The PE header contains a recent compilation date.

Security researchers at Proofpoint recently discovered a new malware strain dubbed Marap. The malware is being distributed via spam emails containing malicious attachments. Based on the campaign’s pattern, Proofpoint linked it to Necurs. Marap can be used to download other malwares. Bleeping Computer states that Marap infects victims, fingerprints their systems, and sends this information back to a central command and control (C&C) server.

Malware: KeyPass Ransomware

KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. Many ransomware species hunt documents with specific extensions, but this one bypasses only a few folders. Every encrypted file gets an additional extension: “.KEYPASS” and ransom notes named “!!! KEYPASS_DECRYPTION_INFO!!!.txt” are saved in each processed directory. In just 36 hours — from the evening of August 8 to August 10 — the ransomware cropped up in more than 20 countries. Brazil and Vietnam were the hardest hit, but it claimed victims in Europe and Africa.

For more information there are a few links below:

Latam

Pastebin

Some Mitigation Strategies:

  • File Integrity Management (FIM) to monitor for the download of a malicious .keypass or .txt
  • Intrusion detection systems (IDS) would detect additional payload downloads
  • A solid Backup strategy for easy restore as not to disrupt business operations
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: Marap

As for the malspam campaigns pushing the new Marap downloader, Proofpoint says it has observed various versions. Researchers have seen campaigns leveraging . IQY files, PDF documents with embedded IQY files, password-protected ZIP archives, and the classic Word docs with embedded macros. The malware also has basic features to detect virtual machines used for malware analysis though not as complex compare to other malwares.

Threatpost

Essentials

Some Mitigation Strategies:

  • Intrusion detection systems (IDS) to monitor for communication to the C2 network over http
  • Web filter to block the outgoing http traffic
  • Email filtration to find malicious attachments related to Marap
  • FIM looking for the downloaded .zip file containing a .iqy file or MS word doc with macros
  • 24x7 Security Monitoring to check for GPS consistency with locations of vehicles

Stephen Coty

Stephen Coty
Contractor
LinkedIn