Threat Report

Thursday August 23, 2018

In August 2018, a new variant of malware - KeyPass ransomware - gained traction using new techniques like manual control to customize its encryption process. Researchers at Kaspersky Lab say that the trojan is being propagated by means of fake installers that download the ransomware module. The trojan sample is written in C++ and compiled in MS Visual Studio. It was developed using the libraries MFC, Boost and Crypto++. The PE header contains a recent compilation date.

Security researchers at Proofpoint recently discovered a new malware strain dubbed Marap. The malware is being distributed via spam emails containing malicious attachments. Based on the campaign’s pattern, Proofpoint linked it to Necurs. Marap can be used to download other malwares. Bleeping Computer states that Marap infects victims, fingerprints their systems, and sends this information back to a central command and control (C&C) server.

Malware: KeyPass Ransomware

KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. Many ransomware species hunt documents with specific extensions, but this one bypasses only a few folders. Every encrypted file gets an additional extension: “.KEYPASS” and ransom notes named “!!! KEYPASS_DECRYPTION_INFO!!!.txt” are saved in each processed directory. In just 36 hours — from the evening of August 8 to August 10 — the ransomware cropped up in more than 20 countries. Brazil and Vietnam were the hardest hit, but it claimed victims in Europe and Africa.

For more information there are a few links below:

Latam

Pastebin

Some Mitigation Strategies:

Malware: Marap

As for the malspam campaigns pushing the new Marap downloader, Proofpoint says it has observed various versions. Researchers have seen campaigns leveraging . IQY files, PDF documents with embedded IQY files, password-protected ZIP archives, and the classic Word docs with embedded macros. The malware also has basic features to detect virtual machines used for malware analysis though not as complex compare to other malwares.

Threatpost

Essentials

Some Mitigation Strategies:

Stephen Coty

Stephen Coty
Contractor
LinkedIn