Marap Downloader

Marap is a newly discovered C-based downloader malware being used in large-scale campaigns by the TA505 advanced persistent threat group.

As with most other TA505-affiliated malware, Marap is being distributed via spam or phishing emails. Depending on the campaign these emails can contain a variety of different attachments including Microsoft Excel files, PDF documents, password-protected ZIP archives containing .iqy files and Microsoft Word documents with malicious macros.

Once installed on a device, Marap will contact a command & control (C2) server before downloading a DLL module to collect system and user information. This is then sent back to the C2 server, at which point TA505 will use Marap to deploy other malware variants for use in secondary infections.

Marap uses HTTP for its C&C communication, but it first calls a number of legitimate WinHTTP functions to determine whether it needs to use a proxy and, if so, which proxy to use.

Read the full report here

Indicators of Compromise (IOCs)

| Indicator | Type | Description |
|---|---|---|
| hxxp://i86h[.]com/data1.dat | URL | Remote Excel cell content |
| hxxp://i86h[.]com/data2.dat | URL | Intermediate Powershell script |
| hxxp://i86h[.]com/data3.dat | URL | Payload |
| hxxp://r53x[.]com/1.rar | URL | Remote Excel cell content |
| hxxp://r53x[.]com/1.zip | URL | Intermediate Powershell script |
| hxxp://r53x[.]com/a3.dat | URL | Payload |
| bc1fc69f9747dc034ece7d9bb795c5e596d9be6ca71efe75c6c0fd18f3cbfbf5 | SHA256 | Marap |
| hxxp://185.68.93[.]18/dot.php | URL | Marap C&C |
| hxxp://94.103.81[.]71/dot.php | URL | Marap C&C |
| hxxp://89.223.92[.]202/dot.php | URL | Marap C&C |
| Sign.bin | File | Marap’s encrypted configuration file |
| hxxp://89.223.92[.]202/mo.enc | URL | Encrypted Marap system fingerprinting module download URL |
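
One way to hunt for these indicators in web proxy logs, as an added example that is not part of the original report: it refangs a subset of the URL indicators above and matches them by host and path. The log format, client addresses, timestamps, the `/other.bin` path and the `?x=1` query are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# URL indicators from this page's IOC list, kept in their defanged form.
IOC_ROWS = """\
hxxp://r53x[.]com/a3.dat URL Payload
hxxp://185.68.93[.]18/dot.php URL Marap C&C
hxxp://89.223.92[.]202/dot.php URL Marap C&C
hxxp://89.223.92[.]202/mo.enc URL Encrypted Marap system fingerprinting module download URL
"""

def refang(text):
    """Undo the hxxp / [.] defanging used in the IOC list."""
    return text.replace("hxxp", "http", 1).replace("[.]", ".")

def load_iocs(rows):
    """Map (host, path) -> (defanged indicator, description) for URL rows."""
    index = {}
    for row in rows.splitlines():
        m = re.match(r"(\S+) URL (.+)", row)
        if m:
            url = urlsplit(refang(m.group(1)))
            index[(url.hostname, url.path)] = (m.group(1), m.group(2))
    return index

def scan(log_lines, index):
    """Return (client, indicator, confidence) for each log line hitting an IOC."""
    hosts = {host for host, _ in index}
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        url = urlsplit(fields[3])
        host = url.hostname or ""
        if (host, url.path) in index:  # query string is ignored on purpose
            hits.append((fields[1], index[(host, url.path)][0], "exact"))
        elif host in hosts:  # known host, unlisted path: lower confidence
            hits.append((fields[1], host.replace(".", "[.]"), "host-only"))
    return hits

# Constructed log lines (timestamp client method url status), not real traffic.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.4.21 GET " + refang("hxxp://185.68.93[.]18/dot.php") + "?x=1 200",
    "2024-01-01T10:00:05Z 10.0.4.21 GET " + refang("hxxp://89.223.92[.]202/mo.enc") + " 200",
    "2024-01-01T10:01:00Z 10.0.4.35 GET " + refang("hxxp://r53x[.]com/other.bin") + " 404",
    "2024-01-01T10:02:00Z 10.0.4.40 GET http://example.com/dot.php 200",
]

if __name__ == "__main__": print(scan(SAMPLE_LOG, load_iocs(IOC_ROWS)))
```

Hits are reported with the defanged indicator so the output can be pasted into a ticket without creating live links.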




Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
