Marap Downloader
Marap is a newly discovered C-based downloader malware being used in large-scale campaigns by the TA505 advanced persistent threat group.
As with most other TA505-affiliated malware, Marap is being distributed via spam or phishing emails. Depending on the campaign, these emails can contain a variety of different attachments, including Microsoft Excel files, PDF documents, password-protected ZIP archives containing .iqy files, and Microsoft Word documents with malicious macros.
Once installed on a device, Marap will contact a command & control (C2) server before downloading a DLL module to collect system and user information. This is then sent back to the C2 server, at which point TA505 will use Marap to deploy other malware variants for use in secondary infections.
Marap uses HTTP for its C&C communication, but first it calls a number of legitimate WinHTTP functions to determine whether it needs to use a proxy and, if so, which proxy to use.
Indicators of Compromise (IOCs)
Indicator | Type | Description |
hxxp://i86h[.]com/data1.dat | URL | Remote Excel cell content |
hxxp://i86h[.]com/data2.dat | URL | Intermediate Powershell script |
hxxp://i86h[.]com/data3.dat | URL | Payload |
hxxp://r53x[.]com/1.rar | URL | Remote Excel cell content |
hxxp://r53x[.]com/1.zip | URL | Intermediate Powershell script |
hxxp://r53x[.]com/a3.dat | URL | Payload |
bc1fc69f9747dc034ece7d9bb795c5e596d9be6ca71efe75c6c0fd18f3cbfbf5 | SHA256 | Marap |
hxxp://185.68.93[.]18/dot.php | URL | Marap C&C |
hxxp://94.103.81[.]71/dot.php | URL | Marap C&C |
hxxp://89.223.92[.]202/dot.php | URL | Marap C&C |
Sign.bin | File | Marap’s encrypted configuration file |
hxxp://89.223.92[.]202/mo.enc | URL | Encrypted Marap system fingerprinting module download URL |
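
The following is an added example, not part of the original report: it parses rows in the pipe-delimited, defanged format used in the list above, refangs the URL entries, and matches them by exact host and path against proxy log lines. The log format and the log lines are constructed for illustration; the IOC rows are copied from the list.

```python
from urllib.parse import urlsplit

# Rows copied from the IOC list above, kept defanged as published.
IOC_ROWS = """\
hxxp://i86h[.]com/data3.dat | URL | Payload |
hxxp://185.68.93[.]18/dot.php | URL | Marap C&C |
hxxp://89.223.92[.]202/mo.enc | URL | Encrypted Marap system fingerprinting module download URL |
bc1fc69f9747dc034ece7d9bb795c5e596d9be6ca71efe75c6c0fd18f3cbfbf5 | SHA256 | Marap |
"""

# Constructed proxy log (assumed format: timestamp client method url status).
SAMPLE_LOG = """\
2024-01-01T09:12:01Z 10.0.4.23 GET http://intranet.example/index.html 200
2024-01-01T09:12:07Z 10.0.4.23 GET http://185.68.93.18/dot.php 200
2024-01-01T09:12:09Z 10.0.4.23 GET http://89.223.92.202/mo.enc 200
2024-01-01T09:13:30Z 10.0.7.5 GET http://I86H.com/data3.dat?x=1 200
2024-01-01T09:14:02Z 10.0.7.9 GET http://185.68.93.180/dot.php 404
"""

def refang(value):
    """Undo the hxxp / [.] defanging so the value compares against real URLs."""
    return value.replace("hxxp", "http", 1).replace("[.]", ".")

def url_key(url):
    """Normalise to (lower-cased host, path); the query string is ignored."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path

def load_url_iocs(rows):
    """Map url_key -> description for every row whose type column is URL."""
    iocs = {}
    for line in rows.splitlines():
        fields = [f.strip() for f in line.strip().strip("|").split("|")]
        if len(fields) == 3 and fields[1] == "URL":
            iocs[url_key(refang(fields[0]))] = fields[2]
    return iocs

def match_log(log_text, iocs):
    """Return (client, url, description) for each request that hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and url_key(parts[3]) in iocs:
            hits.append((parts[1], parts[3], iocs[url_key(parts[3])]))
    return hits

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, load_url_iocs(IOC_ROWS)):
        print(*hit, sep="  ")
```

Matching on the parsed host rather than a substring keeps the last constructed log line (185.68.93.180) from being flagged as the 185.68.93[.]18 C&C address.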

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.