W97M Downloader Serves Vawtrak Malware - McAfee Labs
3/29/2016
a victim's system.
Running arbitrary commands on a victim's system.
Infection vector and analysis
W97M downloaders are usually delivered by malicious spam campaigns. This instance of W97M, however, is served from compromised websites: every URL below points into a plugin, theme or module directory of a WordPress or similar CMS install. Such sites may be paired with exploit kits or phishing campaigns that trick victims into downloading and opening the W97M documents.
Some URLs serving the W97M malware:
hxxp://www.excel-dougakaisetu.com/wordpress/wp-content/plugins/[masked]/account.doc
hxxp://www.ippan.x0.to/wp-content/themes/[masked]/account.doc
hxxp://www.newbeginningsari.org.au/wp-content/[masked]/account.doc
hxxp://www.sternschule-uelzen.de/wp-content/plugins/[masked]/account.doc
hxxp://elveland.no/wp-content/themes/[masked]/account.doc
hxxp://www.nightaccess.com/themes/[masked]/account.doc
hxxp://excel-dougakaisetu.com/wordpress/wp-content/plugins/[masked]/account.doc
hxxp://nightaccess.com/themes/[masked]/account.doc
hxxp://www.paintballandbbthailand.com/modules/[masked]/account.doc
hxxp://ippan.x0.to/wp-content/themes/[masked]/account.doc
hxxp://www.elveland.no/wp-content/themes/[masked]/account.doc
hxxp://paintballandbbthailand.com/modules/[masked]/account.doc
hxxp://sternschule-uelzen.de/wp-content/plugins/[masked]/account.doc
hxxp://www.yacht-energy.fr/wp-content/themes/[masked]/account.doc
The W97M sample displays what appears to be an RSA-encrypted message and asks the victim to enable content in order to see the decrypted text. This is a standard lure for getting the victim to enable the malicious macro, which then drops an embedded executable and runs it.
Source: https://blogs.mcafee.com/mcafeelabs/w97mdownloaderservingvawtrak/
Applications whose stored credentials the second-stage malware collects:
FlashFXP
FileZilla
FTP Navigator
Bulletproof FTP
Smart FTP
Turbo FTP
FFFTP
FTP++
GoFTP
Cofeecup FTP
CoreFTP
FTP explorer
LeapFTP
WinSCP
32BitFTP
ClassicFTP
SoftX FTP client
UltraFXP
FTPRush
FTPControl
FTPVoyager
LeechFTP
Estsoft ALFTP
DeluxeFTP
Staff FTP
FTP Visicom Media
AceBit WiseFTP
FreshFTP
BlazeFTP
3D-FTP
EasyFTP
Winzip FTP
WinFTP
FTPSurfer
FTPGetter
FTPNow
Robo-FTP 3.7
Linas FTP Site Manager
Notepad++ FTP
Coffeecup ftp profile
FTPShell
MyFTP
NovaFTP
Yandex
Adobe Common SiteServers
Frigate3
SecureFX
Cryer WebsitePublisher
BitKinex
ExpanDrive
NCH Software Fling
Directory Opus
NetDrive
Webdrive
Opera
Firefox
Firefox FireFTP
Mozilla Seamonkey
Mozilla Flock
Mozilla Profiles
SiteInfo.qfp SpeedFTP
Chrome login and web data
Chromium login and web data
Chrome plus login and web data
Bromium login and web data
Nichrome login and web data
Comodo login and web data
RockMelt login and web data
K-Meleon profile data
Epic profile data
GlobalDownloader
NetSarang
RDP
CyberDuck
Putty
MAS Soft FTPInfo
NexusFile
FastStone Browser FTPlist
MapleStudio Chromeplus
Windows Live Mail
Windows Mail
RimArts Mail
Pocomail
Incredimail
BatMail
MS Internet Account Manager
Thunderbird
Once the second-stage malware has uploaded the stolen credentials to its control server, it downloads the third-stage malware from a different set of control servers and runs it:
hxxp://awc.asia/wp-content/themes/[masked]/hsg.exe
hxxp://teatromanzonicassino.it/wp-content/themes/[masked]/hsg.exe
hxxp://www.bisaim.com/wp-content/themes/[masked]/hsg.exe
Third-stage executable
The third-stage executable is the Vawtrak payload (also a VB 6
binary).
The primary purpose of the binary is to infect other running
processes in the system and:
Steal security certificates.
Anti-VM measures
Both the second- and third-stage Vawtrak binaries read the display resolution through User32.GetMonitorInfoA and refuse to run unless the monitor is larger than 800x600. Analysis virtual machines are often left at a small default display size, so the check is a cheap way to detect them and thwart some behavior-based detection systems.
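The check above, reproduced so that an analyst can confirm a sandbox image would pass it before detonating a sample. This is an added example, not McAfee's or the malware's code: the 800x600 threshold comes from the analysis above, while obtaining the monitor handle through MonitorFromPoint is an assumption (the page names only GetMonitorInfoA).

```python
"""Reproduce Vawtrak's display-resolution sandbox check (added example).

The threshold is the one reported in the analysis; the MonitorFromPoint call used to
get the HMONITOR that GetMonitorInfoA needs is an assumption, not from the page.
"""
import ctypes
import sys

MIN_WIDTH, MIN_HEIGHT = 800, 600      # threshold reported for Vawtrak


class RECT(ctypes.Structure):
    _fields_ = [("left", ctypes.c_long), ("top", ctypes.c_long),
                ("right", ctypes.c_long), ("bottom", ctypes.c_long)]


class MONITORINFO(ctypes.Structure):  # layout of the User32 MONITORINFO struct
    _fields_ = [("cbSize", ctypes.c_ulong), ("rcMonitor", RECT),
                ("rcWork", RECT), ("dwFlags", ctypes.c_ulong)]


class POINT(ctypes.Structure):
    _fields_ = [("x", ctypes.c_long), ("y", ctypes.c_long)]


def rect_size(rc):
    """Width and height of a RECT; rcMonitor spans the whole display."""
    return rc.right - rc.left, rc.bottom - rc.top


def passes_vawtrak_check(width, height):
    """The malware's decision as described: continue only when the display is
    strictly larger than 800x600, so a sandbox left at exactly 800x600 fails."""
    return width > MIN_WIDTH and height > MIN_HEIGHT


def primary_monitor_size():
    """Query the primary monitor the way the malware is reported to, via an
    HMONITOR handed to User32.GetMonitorInfoA. Windows only; None elsewhere."""
    if sys.platform != "win32":
        return None
    user32 = ctypes.windll.user32
    MONITOR_DEFAULTTOPRIMARY = 1
    user32.MonitorFromPoint.restype = ctypes.c_void_p
    user32.MonitorFromPoint.argtypes = [POINT, ctypes.c_ulong]
    user32.GetMonitorInfoA.argtypes = [ctypes.c_void_p, ctypes.POINTER(MONITORINFO)]
    hmon = user32.MonitorFromPoint(POINT(0, 0), MONITOR_DEFAULTTOPRIMARY)
    info = MONITORINFO()
    info.cbSize = ctypes.sizeof(MONITORINFO)   # the API rejects the call otherwise
    if not user32.GetMonitorInfoA(hmon, ctypes.byref(info)):
        raise ctypes.WinError()
    return rect_size(info.rcMonitor)


if __name__ == "__main__":
    size = primary_monitor_size()
    if size is None:
        print("not Windows; evaluating constructed display sizes instead")
        for w, h in ((800, 600), (1024, 768), (1280, 1024)):
            verdict = "runs" if passes_vawtrak_check(w, h) else "bails out"
            print(f"{w}x{h}: malware {verdict}")
    else:
        w, h = size
        verdict = "run" if passes_vawtrak_check(w, h) else "bail out"
        print(f"primary monitor {w}x{h}: malware would {verdict}")
```

Run it inside the sandbox guest: a "bail out" verdict means the VM's display needs to be raised above 800x600 (1024x768 or larger) before this family will proceed far enough to show its behavior.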
YARA rule (the page captures only the end of the rule):
        $shell = "WScript.Shell"
        $temp = "%temp%"
        $oxygon = "oxygon.exe"
        $saxhorn = "saxhorn"
        $fire = "Fire"
        // decodes to "This program cannot be run in DOS mode.", the DOS stub of an embedded PE
        $bin = { 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
    condition:
        all of them
}
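Applying the rule's strings outside YARA and carving what $bin points at, which also illustrates the earlier description of the macro dropping an embedded executable. This is an added example, not McAfee's code: the plain strings are assumed to be quoted literals in the original rule; the sample document, the macro text and the minimal PE are constructed here (the real macro's source is not on the page). It goes beyond the rule by parsing the PE section table to recover the whole embedded image rather than just flagging the DOS stub.

```python
"""Apply the strings from the YARA fragment to a file and carve the embedded PE.

Added example, not McAfee's or the rule author's code. The sample document below
is constructed; the quoting of the plain strings is an assumption.
"""
import struct

# Plain strings from the rule. The hex string $bin decodes to the DOS-stub message,
# so the rule is looking for a raw executable stored inside the document.
PLAIN_STRINGS = {
    "$shell": b"WScript.Shell",
    "$temp": b"%temp%",
    "$oxygon": b"oxygon.exe",
    "$saxhorn": b"saxhorn",
    "$fire": b"Fire",
}
DOS_STUB = bytes.fromhex(
    "546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e")


def match_rule(data):
    """Offset of the first hit for each string, or -1 when it is absent."""
    hits = {name: data.find(s) for name, s in PLAIN_STRINGS.items()}
    hits["$bin"] = data.find(DOS_STUB)
    return hits


def rule_matches(data):
    """condition: all of them"""
    return all(off != -1 for off in match_rule(data).values())


def carve_embedded_pe(data):
    """For every DOS-stub message, walk back to the nearest 'MZ', validate the PE
    signature and size the image from its section table.
    Returns a list of (offset, size, image_bytes)."""
    found, pos = [], 0
    while (stub := data.find(DOS_STUB, pos)) != -1:
        pos = stub + 1
        mz = data.rfind(b"MZ", max(0, stub - 0x100), stub)   # stub lives in the DOS header
        if mz == -1 or mz + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]
        pe = mz + e_lfanew
        if e_lfanew < 0x40 or pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
            continue
        n_sections = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        sect = pe + 24 + opt_size                      # first IMAGE_SECTION_HEADER
        if sect + 40 * n_sections > len(data):
            continue
        end = sect + 40 * n_sections - mz              # at least the headers
        for i in range(n_sections):
            raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)         # SizeOfRawData + PointerToRawData
        end = min(end, len(data) - mz)                 # truncated file: take what is there
        found.append((mz, end, data[mz:mz + end]))
    return found


def build_fake_pe():
    """Constructed stand-in for the dropped executable: a minimal PE image with one
    section and no optional header, enough to exercise the carver (it cannot run)."""
    e_lfanew, raw_ptr, raw_size = 0x80, 0x200, 0x100
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos[0x40:0x40 + len(DOS_STUB)] = DOS_STUB
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)   # i386, one section
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + coff + section)
    image += b"\0" * (raw_ptr - len(image)) + b"\xCC" * raw_size   # int3 filler as "code"
    return bytes(image)


def build_sample_document():
    """Constructed stand-in for account.doc: lure text, a macro using the names the
    rule lists, and the raw PE. A real .doc is an OLE2 container that stores VBA
    compressed; this flat layout only exercises the rule and the carver."""
    macro = (b'Set shell = CreateObject("WScript.Shell")\r\n'
             b'path = shell.ExpandEnvironmentStrings("%temp%") & "\\oxygon.exe"\r\n'
             b'saxhorn path\r\nFire path\r\n')
    lure = b"Enable content to view the decrypted message.\0" * 4
    return lure + macro + b"\0" * 64 + build_fake_pe() + b"\0" * 32


if __name__ == "__main__":
    doc = build_sample_document()
    print("rule hits:", match_rule(doc), "-> matches:", rule_matches(doc))
    for off, size, image in carve_embedded_pe(doc):
        print(f"embedded PE at 0x{off:x}, {size} bytes, starts {image[:2]!r}")
```

Against a real sample the caveat matters: Word stores VBA module source in MS-OVBA compressed streams, so the plain-string matches fire only where the strings are present uncompressed (for example on decompressed module output or in the dropped files), and $bin only when the payload is stored as a raw PE rather than encoded.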