The Necurs botnet is being used to send huge quantities of spam emails containing Marap malware. Marap malware is currently being used for reconnaissance and learning about victims. The aim appears to be the creation of a network of infected users that can be targeted in future attacks.
The malware creates a unique fingerprint for each infected device, contacts its C2 server, and sends information about the victim’s system to the attackers including username, domain name, hostname, IP address, country, language, operating system, installed anti-virus software, and details of Microsoft Outlook OST files.
The malware contains rudimentary anti-analysis features: it can detect when it has been run on a virtual machine, and it includes measures to hamper debugging and sandboxing.
Marap malware is modular and can easily be updated with additional modules post-infection to provide enhanced functionality. It serves as a malware dropper that can be used to deliver various different payloads, although it is currently unclear what those payloads will be.
The malspam campaign was detected by security researchers at Proofpoint, who say it involves millions of messages. Marap malware is delivered using a variety of email attachments, with Microsoft Excel Web Query files (.iqy) favored. The messages carry the .iqy files directly as attachments, or embed them in PDF files and password-protected ZIP files. Standard Microsoft Word documents with malicious macros are also being sent.
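The delivery vectors described above (.iqy attachments, alone or nested in ZIP archives) can be triaged at the mail gateway before a user opens them. The following is an added example, not code from the original article or from Proofpoint: it recognises an Excel Web Query file by its plain-text header (the first line is the query type `WEB`, the third line is the URL Excel will fetch), recurses into ZIP attachments, and flags password-protected entries it cannot inspect. The attachment names and the sample .iqy content are constructed for the demonstration.

```python
import io
import zipfile
from typing import List, Optional

# Excel Web Query (.iqy) files are plain text: line 1 is the query type
# ("WEB"), line 2 a version number, line 3 the URL Excel will retrieve.
IQY_MAGIC = b"WEB"


def is_iqy_content(data: bytes) -> bool:
    """Return True if the bytes look like an Excel Web Query file."""
    first = data.lstrip().splitlines()[:1]
    return bool(first) and first[0].strip().upper() == IQY_MAGIC


def iqy_url(data: bytes) -> Optional[str]:
    """Extract the fetch URL (third non-empty line) from an IQY file, if present."""
    lines = [ln.strip() for ln in data.splitlines() if ln.strip()]
    if len(lines) >= 3 and lines[0].upper() == IQY_MAGIC:
        return lines[2].decode("utf-8", errors="replace")
    return None


def scan_attachment(name: str, data: bytes) -> List[str]:
    """Return findings for one mail attachment given its name and raw bytes."""
    findings = []
    lower = name.lower()
    if lower.endswith(".iqy") or is_iqy_content(data):
        findings.append(f"IQY web query in {name!r} fetching {iqy_url(data)}")
    if lower.endswith(".zip") or data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                        findings.append(f"password-protected ZIP entry {info.filename!r} in {name!r}")
                        continue
                    findings.extend(scan_attachment(f"{name}/{info.filename}", zf.read(info)))
        except zipfile.BadZipFile:
            findings.append(f"corrupt or non-ZIP data in {name!r}")
    return findings


# Constructed sample attachment (hypothetical URL, not a real campaign artefact).
SAMPLE_IQY = b"WEB\r\n1\r\nhttp://example.invalid/query.dat\r\n"


def build_sample_zip() -> bytes:
    """Build a constructed ZIP attachment that wraps the sample .iqy file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.iqy", SAMPLE_IQY)
    return buf.getvalue()


if __name__ == "__main__":
    for n, d in [("invoice.iqy", SAMPLE_IQY), ("docs.zip", build_sample_zip())]:
        print(n, scan_attachment(n, d))
```

Password-protected archives are reported rather than opened; in a real pipeline that finding alone justifies holding the message for review.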
The spam campaign uses a variety of email subjects and message bodies, including sales requests, important banking documents, invoices, and bare emails containing only malicious PDF or ZIP file attachments.
Proofpoint notes that there has been an increase in these flexible malware variants in recent months as threat actors move away from ransomware and ‘noisy’ malware that is easy to detect. Instead, downloaders such as Marap give attackers the flexibility to launch a range of different attacks and to conduct reconnaissance to identify systems that warrant a more significant compromise.