McAfee Labs recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. Although W97M usually employs Microsoft Office documents to run malicious Visual Basic scripts that download and run malware, this instance of W97M contains an embedded executable that is dropped onto the file system using a malicious macro.
W97M is a malware family comprising all malicious Office files (rich text, Word, Excel, etc.) that rely on macros containing VB scripts to download and run a specific malware from its control servers. Recently McAfee Labs has seen multiple waves of W97M malware serving malware, especially:
- Ransomware such as TeslaCrypt and Locky.
- Banking Trojans such as Dridex.
Vawtrak is a multifunctional malware family with the following capabilities:
- Stealing FTP passwords from a victim’s system.
- Stealing certificates from a victim’s system.
- Stealing credentials and other information via process infection.
- Malicious code injection in web pages displayed in a browser on a victim’s system.
- Running arbitrary commands on a victim’s system.
Infection vector and analysis
W97M malware is usually served via malicious email spam campaigns. This instance of W97M, however, is served from compromised websites. These compromised websites might be used with exploit kits or phishing campaigns that trick victims into downloading and running the W97M documents.
Some URLs serving the W97M malware:
The W97M sample appears to have an RSA-encrypted message embedded in its contents. The document asks the victim to “enable content” to view the decrypted contents of the document. This is a standard trick to get the victim to enable the malicious macro, which drops an embedded executable and executes it.
Contents of a malicious W97M document.
The document contains the malicious .exe embedded inside one of its forms. We have seen other examples of W97M embedding commands in forms but not as in the preceding example, in which the entire .exe is embedded in the document.
Embedded .exe in a Visual Basic form.
The malicious macro reads the contents of the form and writes it into an executable in the %temp% directory.
Malicious macro code in the W97M malware.
The executable dropped in the %temp% directory is a VB 6 binary. The code is decrypted at runtime and the malware creates a suspended copy of itself that is injected with the malicious code. This malware is a variant of Pony malware.
The primary functions of the second-stage binary:
- Steal FTP and other login credentials from known FTP software.
- Download and run the third-stage binary (Vawtrak).
Strings in the second-stage malware indicate the theft of FTP credentials.
Once the second-stage binary has all the credentials it can find, it sends the stolen data to the following control servers:
These domains appear to be under the attacker(s) control:
- They are registered with the same registrar with registrant information hidden.
- They were registered on the same dates.
- They expire on the same dates.
This malware targets the following software for credentials:
- Far Manager
- Total Commander
- Ipswitch WS_FTP
- FTP Navigator
- Bulletproof FTP
- Smart FTP
- Turbo FTP
- Cofeecup FTP
- FTP explorer
- SoftX FTP client
- Estsoft ALFTP
- Staff FTP
- FTP Visicom Media
- AceBit WiseFTP
- Winzip FTP
- Robo-FTP 3.7
- Linas FTP Site Manager
- Notepad++ FTP
- Coffeecup ftp profile
- Adobe Common SiteServers
- Cryer WebsitePublisher
- NCH Software Fling
- Directory Opus
- Firefox FireFTP
- Mozilla Seamonkey
- Mozilla Flock
- Mozilla Profiles
- SiteInfo.qfp SpeedFTP
- Chrome login and web data
- Chromium login and web data
- Chrome plus login and web data
- Bromium login and web data
- Nichrome login and web data
- Comodo login and web data
- RockMelt login and web data
- K-Meleon profile data
- Epic profile data
- MAS Soft FTPInfo
- FastStone Browser FTPlist
- MapleStudio Chromeplus
- Windows Live Mail
- Windows Mail
- RimArts Mail
- MS Internet Account Manager
Once the second-stage malware has uploaded the stolen credentials to the control server, it downloads the third-stage malware from a different set of control servers and runs it:
The third-stage executable is the Vawtrak payload (also a VB 6 binary).
The primary purpose of the binary is to infect other running processes in the system and:
- Steal security certificates.
- Infect Chrome and Firefox processes to inject malicious code into browsed web pages.
- Steal financial login credentials for banks.
Process infection and API hooking
The malware spreads across the system by injecting its code into any process that doesn’t appear on the following whitelist:
The malware also looks for the following processes to establish API hooks:
- Internet Explorer
- HttpEndRequest, HttpOpenRequest, HttpQueryInfo, HttpSendRequest,
- InternetConnect, InternetQueryDataAvailable, InternetQueryOption, InternetReadFile.
- PR_Close, PR_Read, PR_Write, PR_Close, etc.
- LoadLibrary, PFXImportCertStore, etc.
- Other processes
- CreateProcessInternal: To infect any new process spawned by this process.
- PFXImportCertStore: To steal certificate information from the victim.
API hooks established by the third-stage malware.
The malware uploads the stolen data to one of the following control servers:
The stages of infection are illustrated in the following figure:
Both the second- and third-stage binaries of Vawtrak check the monitor resolution using User32.GetMonitorInfoA to make sure the malware isn’t running in a virtual machine. The malware binaries check to make sure the monitor resolution is greater than 800×600. This technique is employed to thwart some behavior-based detection systems.
Vawtrak’s monitor-resolution check.
This W97M malware differs from typical W97M malware due to the embedded binary inside the document. This tactic could be a result of the increased focus in the security community on W97M and the subsequent blacklisting of its control servers. Embedding an .exe in the doc file removes the need to contact a control server to download and execute the second-stage malware.
The encryption mechanisms and the use of VB 6 in both the second and third stages indicate that both instances of the malware share a common codebase, suggesting they could have been written by the same party.
W97M samples. These samples are detected by McAfee as “W97M/Dropper.ao.”
Second-stage malware: These samples are detected as “Generic.xy.”
Third-stage malware: These samples are detected as “RDN/Generic.cf” and “Vawtrak-FBB.”
Yara rule for W97M Vawtrak dropper
$saxhorn = “saxhorn”
$fire = “Fire”
all of them