Researchers have detected a new modular downloader in large campaigns primarily hitting financial institutions, where it may be planting the seeds for future compromise.

Proofpoint experts first observed multiple large email campaigns, each consisting of millions of messages, earlier this month. They noticed all led to the same "Marap" malware and shared common features with earlier campaigns linked to the threat actor TA505. The emails contained Microsoft Excel Web Query files, password-protected ZIP files containing the Query files, PDFs with embedded Query files, and Word documents containing macros.

Researchers say the modular nature of Marap lets actors add new capabilities or download additional modules after a system is already infected. They have so far seen it download a system fingerprinting module that performs reconnaissance, they write in a blog post.

This malware, the researchers' report continues, is part of a growing trend of small, versatile malware which gives attackers more flexibility to launch attacks and detect systems that could lead to more damaging compromise.

Read more details here.

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info.