3/29/2016

W97MDownloaderServesVawtrakMalwareMcAfee

Home
McAfee Labs
SearchBlogs

Consumer
Overview
Consumer Threat

McAfee Labs Blog

Notices
Family Safety
Identity Protection
Mobile Security
Business

McAfee Labs

Overview

W97M Downloader Serves

Vawtrak Malware

Corporate Responsibility

By Asheer Malhotra on Mar 22, 2016

Like

24

Share

37

Intel Security Channels

Security Connected
SMB

Tweet

Email

Executive Perspectives

McAfee Labs recently found a variant of the W97M macro malware

downloader that runs the Vawtrak malware. Although W97M usually
employs Microsoft Office documents to run malicious Visual Basic
scripts that download and run malware, this instance of W97M
contains an embedded executable that is dropped onto the file
system using a malicious macro.
W97M is a malware family comprising all malicious Office files (rich
text, Word, Excel, etc.) that rely on macros containing VB scripts to
download and run a specific malware from its control servers.
Recently McAfee Labs has seen multiple waves of W97M malware
serving malware, especially:
Ransomware such as TeslaCrypt and Locky.
Banking Trojans such as Dridex.
Vawtrak is a multifunctional malware family with the following
capabilities:
Stealing FTP passwords from avictims system.
Stealing certificates from avictims system.
Stealing credentials and other information via process infection.
Malicious code injection in web pages displayed in a browser on
avictims system.
https://blogs.mcafee.com/mcafeelabs/w97mdownloaderservingvawtrak/

1/12

3/29/2016

W97MDownloaderServesVawtrakMalwareMcAfee

avictims system.
Running arbitrary commands on a victims system.
Infection vector and analysis
W97M malware is usually served via malicious email spam
campaigns. This instance of W97M, however, is served from
compromised websites. These compromised websites might be
used with exploit kits or phishing campaigns thattrick victims into
downloading and running the W97M documents.
Some URLs serving the W97M malware:
hxxp://www.excel-dougakaisetu.com/wordpress/wpcontent/plugins/[masked]/account.doc
hxxp://www.ippan.x0.to/wpcontent/themes/[masked]/account.doc
hxxp://www.newbeginningsari.org.au/wpcontent/[masked]/account.doc
hxxp://www.sternschule-uelzen.de/wpcontent/plugins/[masked]/account.doc
hxxp://elveland.no/wp-content/themes/[masked]/account.doc
hxxp://www.nightaccess.com/themes/[masked]/account.doc
hxxp://excel-dougakaisetu.com/wordpress/wpcontent/plugins/[masked]/account.doc
hxxp://nightaccess.com/themes/[masked]/account.doc
hxxp://www.paintballandbbthailand.com/modules/[masked]/account.doc
hxxp://ippan.x0.to/wp-content/themes/[masked]/account.doc
hxxp://www.elveland.no/wpcontent/themes/[masked]/account.doc
hxxp://paintballandbbthailand.com/modules/[masked]/account.doc
hxxp://sternschule-uelzen.de/wpcontent/plugins/[masked]/account.doc
hxxp://www.yacht-energy.fr/wpcontent/themes/[masked]/account.doc
The W97M sample appears to have an RSA-encrypted message
embedded in its contents. The document asks the victim to enable
content to view the decrypted contents of the document. This is a
standard trick to get the victim to enable the malicious macro, which
drops an embedded executable and executes it.

https://blogs.mcafee.com/mcafeelabs/w97mdownloaderservingvawtrak/

2/12

3/29/2016

W97MDownloaderServesVawtrakMalwareMcAfee

Contents of a malicious W97M document.

The document contains the malicious .exe embedded inside one of
its forms. We have seen other examples of W97M embedding
commands in forms but not as in the preceding example, in which
the entire .exe is embedded in the document.

Embedded .exe in a Visual Basic form.

The malicious macro reads the contents of the form and writes it
into an executable in the %temp% directory.

https://blogs.mcafee.com/mcafeelabs/w97mdownloaderservingvawtrak/

3/12

3/29/2016

W97MDownloaderServesVawtrakMalwareMcAfee

Malicious macro code in the W97M malware.

Second-stage executable
The executable dropped in the %temp% directory is a VB 6 binary.
The code is decrypted at runtime and the malware creates a
suspended copy of itself that is injected with the malicious code.
This malware is a variant of Pony malware.
The primary functions of the second-stage binary:
Steal FTP and other login credentials from known FTP software.
Download and run the third-stage binary (Vawtrak).

https://blogs.mcafee.com/mcafeelabs/w97mdownloaderservingvawtrak/

4/12

3/29/2016

W97MDownloaderServesVawtrakMalwareMcAfee

Strings in the second-stage malware indicate the theft of FTP

credentials.
Once the second-stage binary has all the credentials it canfind, it
sendsthe stolen data to the following control servers:
hxxp://tittertte.ru/sliva/gate.php
hxxp://tythetru.ru/sliva/gate.php
hxxp://rulahat.ru/sliva/gate.php
These domains appear to be under the attacker(s) control:
They are registered with the same registrar with registrant
information hidden.
They were registered on the same dates.
They expire on the same dates.
This malware targets the following software for credentials:
Far Manager
Total Commander
Ipswitch WS_FTP
CuteFTP
FlashFXP
https://blogs.mcafee.com/mcafeelabs/w97mdownloaderservingvawtrak/

5/12

3/29/2016

W97MDownloaderServesVawtrakMalwareMcAfee

FlashFXP
FileZilla
FTP Navigator
Bulletproof FTP
Smart FTP
Turbo FTP
FFFTP
FTP++
GoFTP
Cofeecup FTP
CoreFTP
FTP explorer
LeapFTP
WinSCP
32BitFTP
ClassicFTP
SoftX FTP client
UltraFXP
FTPRush
FTPControl
FTPVoyager
LeechFTP
Estsoft ALFTP
DeluxeFTP
Staff FTP
FTP Visicom Media
AceBit WiseFTP
FreshFTP
BlazeFTP
3D-FTP
EasyFTP
Winzip FTP
WinFTP
FTPSurfer
FTPGetter
FTPNow
Robo-FTP 3.7
Linas FTP Site Manager
Notepad++ FTP
Coffeecup ftp profile
FTPShell
MyFTP
NovaFTP
Yandex
Adobe Common SiteServers
Frigate3
SecureFX
Cryer WebsitePublisher
BitKinex
ExpanDrive
NCH Software Fling
Directory Opus
NetDrive
Webdrive
https://blogs.mcafee.com/mcafeelabs/w97mdownloaderservingvawtrak/

6/12

3/29/2016

W97MDownloaderServesVawtrakMalwareMcAfee

Webdrive
Opera
Firefox
Firefox FireFTP
Mozilla Seamonkey
Mozilla Flock
Mozilla Profiles
SiteInfo.qfp SpeedFTP
Chrome login and web data
Chromium login and web data
Chrome plus login and web data
Bromium login and web data
Nichrome login and web data
Comodo login and web data
RockMelt login and web data
K-Meleon profile data
Epic profile data
GlobalDownloader
NetSarang
RDP
CyberDuck
Putty
MAS Soft FTPInfo
NexusFile
FastStone Browser FTPlist
MapleStudio Chromeplus
Windows Live Mail
Windows Mail
RimArts Mail
Pocomail
Incredimail
BatMail
MS Internet Account Manager
Thunderbird
Once the second-stage malware has uploaded the stolen
credentials to the controlserver, it downloads the third-stage
malware from a different set of controlservers and runs it:
hxxp://awc.asia/wp-content/themes/[masked]/hsg.exe
hxxp://teatromanzonicassino.it/wpcontent/themes/[masked]/hsg.exe
hxxp://www.bisaim.com/wp-content/themes/[masked]/hsg.exe
Third-stage executable
The third-stage executable is the Vawtrak payload (also a VB 6
binary).
The primary purpose of the binary is to infect other running
processes in the system and:
Steal security certificates.
https://blogs.mcafee.com/mcafeelabs/w97mdownloaderservingvawtrak/

7/12

3/29/2016

W97MDownloaderServesVawtrakMalwareMcAfee

Steal security certificates.

Infect Chrome and Firefox processes to inject malicious code
into browsed web pages.
Steal financial login credentials for banks.
Process infection and API hooking
The malware spreads across the system by injecting its code into
any process that doesnt appear on the following whitelist:
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
dbgview.exe
taskhost.exe
The malware also looks for the following processes to establish API
hooks:
Internet Explorer
HttpEndRequest, HttpOpenRequest, HttpQueryInfo,
HttpSendRequest,
InternetConnect, InternetQueryDataAvailable,
InternetQueryOption, InternetReadFile.
Firefox
PR_Close, PR_Read, PR_Write, PR_Close, etc.
Chrome
LoadLibrary, PFXImportCertStore, etc.
Other processes
CreateProcessInternal: To infect any new process spawned by
this process.
PFXImportCertStore: To steal certificate information from the
victim.

https://blogs.mcafee.com/mcafeelabs/w97mdownloaderservingvawtrak/

8/12

3/29/2016

W97MDownloaderServesVawtrakMalwareMcAfee

API hooks established by the third-stage malware.

The malware uploads the stolen data to one of the following control
servers:
castuning.ru/rss/feed/stream
mgsmedia.ru/rss/feed/stream
puropea.com/rss/feed/stream
futooke.com/rss/feed/stream
citroxi.com/rss/feed/stream
Infection chain
The stages ofinfection areillustrated in the following figure:

Anti-VM measures
Both the second-and third-stage binaries of Vawtrak check the
monitor resolution using User32.GetMonitorInfoA to make sure the
malware isnt running in a virtual machine. The malware binaries
check to make sure the monitor resolution is greater than 800600.
This technique is employed to thwart some behavior-based
detection systems.

https://blogs.mcafee.com/mcafeelabs/w97mdownloaderservingvawtrak/

9/12

3/29/2016

W97MDownloaderServesVawtrakMalwareMcAfee

Vawtraks monitor-resolution check.

Conclusion
This W97M malware differs from typical W97M malware due to the
embedded binary inside the document. This tactic could be a result
of the increased focus in the security community on W97M and the
subsequent blacklisting of its controlservers. Embedding an .exe in
the doc file removes the need to contact a control server to
download and execute the second-stage malware.
The encryption mechanisms and the use of VB 6 in both the second
and thirdstages indicate that both instances of the malware share a
common codebase, suggesting they could have been written by the
same party.
MD5s
W97M samples. These samples are detected by Intel Security as
W97M/Dropper.ao.
e56a57acf528b8cd340ae039519d5150
040c51e8c9118cc113c380d530984ba8
ef10ea1a8b342dd9f6d1cec46fcd3c0f
Second-stage malware: These samples are detected as Generic.xy.
4b7623945d31ecd6ff1ed13f0ba1d6e0
Third-stage malware: These samples are detected as
RDN/Generic.cf and Vawtrak-FBB.
3e631d530267a38e65afc5b012d4ff0c
Yara rule for W97M Vawtrak dropper
rule W97M_Vawtrak_dropper
{
meta:
author=Intel Security
description=W97M_Vawtrak_Dropper
strings:
$asterismal=asterismal
$bootlicking=bootlicking
https://blogs.mcafee.com/mcafeelabs/w97mdownloaderservingvawtrak/

10/12

3/29/2016

W97MDownloaderServesVawtrakMalwareMcAfee

$shell=WScript.Shell
$temp=%temp%
$oxygon=oxygon.exe
$saxhorn = saxhorn
$fire = Fire
$bin=
546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e
condition:
all of them
}

Tags: computer security, cybercrime, cybersecurity, endpoint protection, identity

theft, malware
Like

24

Share

37

Tweet

Email

No Comments

LeaveaReply
Your email address will not be published. Required fields are marked *
Comment

Name *

Email *

Website

https://blogs.mcafee.com/mcafeelabs/w97mdownloaderservingvawtrak/

11/12