W97M Downloader Serves Vawtrak Malware

McAfee Labs recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. Although W97M usually employs Microsoft Office documents to run malicious Visual Basic scripts that download and run malware, this instance of W97M contains an embedded executable that is dropped onto the file system using a malicious macro.

W97M is a malware family comprising all malicious Office files (rich text, Word, Excel, etc.) that rely on macros containing VB scripts to download and run a specific malware from its control servers. Recently McAfee Labs has seen multiple waves of W97M malware serving malware, especially:

  • Ransomware such as TeslaCrypt and Locky.
  • Banking Trojans such as Dridex.

Vawtrak is a multifunctional malware family with the following capabilities:

  • Stealing FTP passwords from a victim’s system.
  • Stealing certificates from a victim’s system.
  • Stealing credentials and other information via process infection.
  • Malicious code injection in web pages displayed in a browser on a victim’s system.
  • Running arbitrary commands on a victim’s system.

Infection vector and analysis

W97M malware is usually served via malicious email spam campaigns. This instance of W97M, however, is served from compromised websites. These compromised websites might be used with exploit kits or phishing campaigns that trick victims into downloading and running the W97M documents.

Some URLs serving the W97M malware:

  • hxxp://www.excel-dougakaisetu.com/wordpress/wp-content/plugins/[masked]/account.doc
  • hxxp://www.ippan.x0.to/wp-content/themes/[masked]/account.doc
  • hxxp://www.newbeginningsari.org.au/wp-content/[masked]/account.doc
  • hxxp://www.sternschule-uelzen.de/wp-content/plugins/[masked]/account.doc
  • hxxp://elveland.no/wp-content/themes/[masked]/account.doc
  • hxxp://www.nightaccess.com/themes/[masked]/account.doc
  • hxxp://excel-dougakaisetu.com/wordpress/wp-content/plugins/[masked]/account.doc
  • hxxp://nightaccess.com/themes/[masked]/account.doc
  • hxxp://www.paintballandbbthailand.com/modules/[masked]/account.doc
  • hxxp://ippan.x0.to/wp-content/themes/[masked]/account.doc
  • hxxp://www.elveland.no/wp-content/themes/[masked]/account.doc
  • hxxp://paintballandbbthailand.com/modules/[masked]/account.doc
  • hxxp://sternschule-uelzen.de/wp-content/plugins/[masked]/account.doc
  • hxxp://www.yacht-energy.fr/wp-content/themes/[masked]/account.doc

The W97M sample appears to have an RSA-encrypted message embedded in its contents. The document asks the victim to “enable content” to view the decrypted contents of the document. This is a standard trick to get the victim to enable the malicious macro, which drops an embedded executable and executes it.

0_word_doc

Contents of a malicious W97M document.

The document contains the malicious .exe embedded inside one of its forms. We have seen other examples of W97M embedding commands in forms but not as in the preceding example, in which the entire .exe is embedded in the document.

1_embedded_MZ_in_form

Embedded .exe in a Visual Basic form.

The malicious macro reads the contents of the form and writes it into an executable in the %temp% directory.

2_VBS_Macro_code_to_drop_run_MZ_oxygon

Malicious macro code in the W97M malware.

Second-stage executable

The executable dropped in the %temp% directory is a VB 6 binary. The code is decrypted at runtime and the malware creates a suspended copy of itself that is injected with the malicious code. This malware is a variant of Pony malware.

The primary functions of the second-stage binary:

  • Steal FTP and other login credentials from known FTP software.
  • Download and run the third-stage binary (Vawtrak).

3_oxygon_FTP_strings

Strings in the second-stage malware indicate the theft of FTP credentials.

Once the second-stage binary has all the credentials it can find, it sends the stolen data to the following control servers:

  • hxxp://tittertte.ru/sliva/gate.php
  • hxxp://tythetru.ru/sliva/gate.php
  • hxxp://rulahat.ru/sliva/gate.php

These domains appear to be under the attacker(s) control:

  • They are registered with the same registrar with registrant information hidden.
  • They were registered on the same dates.
  • They expire on the same dates.

This malware targets the following software for credentials:

  • Far Manager
  • Total Commander
  • Ipswitch WS_FTP
  • CuteFTP
  • FlashFXP
  • FileZilla
  • FTP Navigator
  • Bulletproof FTP
  • Smart FTP
  • Turbo FTP
  • FFFTP
  • FTP++
  • GoFTP
  • Cofeecup FTP
  • CoreFTP
  • FTP explorer
  • LeapFTP
  • WinSCP
  • 32BitFTP
  • ClassicFTP
  • SoftX FTP client
  • UltraFXP
  • FTPRush
  • FTPControl
  • FTPVoyager
  • LeechFTP
  • Estsoft ALFTP
  • DeluxeFTP
  • Staff FTP
  • FTP Visicom Media
  • AceBit WiseFTP
  • FreshFTP
  • BlazeFTP
  • 3D-FTP
  • EasyFTP
  • Winzip FTP
  • WinFTP
  • FTPSurfer
  • FTPGetter
  • FTPNow
  • Robo-FTP 3.7
  • Linas FTP Site Manager
  • Notepad++ FTP
  • Coffeecup ftp profile
  • FTPShell
  • MyFTP
  • NovaFTP
  • Yandex
  • Adobe Common SiteServers
  • Frigate3
  • SecureFX
  • Cryer WebsitePublisher
  • BitKinex
  • ExpanDrive
  • NCH Software Fling
  • Directory Opus
  • NetDrive
  • Webdrive
  • Opera
  • Firefox
  • Firefox FireFTP
  • Mozilla Seamonkey
  • Mozilla Flock
  • Mozilla Profiles
  • SiteInfo.qfp SpeedFTP
  • Chrome login and web data
  • Chromium login and web data
  • Chrome plus login and web data
  • Bromium login and web data
  • Nichrome login and web data
  • Comodo login and web data
  • RockMelt login and web data
  • K-Meleon profile data
  • Epic profile data
  • GlobalDownloader
  • NetSarang
  • RDP
  • CyberDuck
  • Putty
  • MAS Soft FTPInfo
  • NexusFile
  • FastStone Browser FTPlist
  • MapleStudio Chromeplus
  • Windows Live Mail
  • Windows Mail
  • RimArts Mail
  • Pocomail
  • Incredimail
  • BatMail
  • MS Internet Account Manager
  • Thunderbird

Once the second-stage malware has uploaded the stolen credentials to the control server, it downloads the third-stage malware from a different set of control servers and runs it:

  • hxxp://awc.asia/wp-content/themes/[masked]/hsg.exe
  • hxxp://teatromanzonicassino.it/wp-content/themes/[masked]/hsg.exe
  • hxxp://www.bisaim.com/wp-content/themes/[masked]/hsg.exe

Third-stage executable

The third-stage executable is the Vawtrak payload (also a VB 6 binary).

The primary purpose of the binary is to infect other running processes in the system and:

  • Steal security certificates.
  • Infect Chrome and Firefox processes to inject malicious code into browsed web pages.
  • Steal financial login credentials for banks.

Process infection and API hooking

The malware spreads across the system by injecting its code into any process that doesn’t appear on the following whitelist:

  • csrss.exe
  • smss.exe
  • wininit.exe
  • services.exe
  • svchost.exe
  • lsas.exe
  • lsm.exe
  • winlogon.exe
  • dbgview.exe
  • taskhost.exe

The malware also looks for the following processes to establish API hooks:

  • Internet Explorer
    •     HttpEndRequest, HttpOpenRequest, HttpQueryInfo, HttpSendRequest,
    •     InternetConnect, InternetQueryDataAvailable, InternetQueryOption, InternetReadFile.
  • Firefox
    •     PR_Close, PR_Read, PR_Write, PR_Close, etc.
  • Chrome
    •     LoadLibrary, PFXImportCertStore, etc.
  • Other processes
    •     CreateProcessInternal: To infect any new process spawned by this process.
    •     PFXImportCertStore: To steal certificate information from the victim.

4_Vawtrak_Hooks

API hooks established by the third-stage malware.

The malware uploads the stolen data to one of the following control servers:

  • castuning.ru/rss/feed/stream
  • mgsmedia.ru/rss/feed/stream
  • puropea.com/rss/feed/stream
  • futooke.com/rss/feed/stream
  • citroxi.com/rss/feed/stream

Infection chain

The stages of infection are illustrated in the following figure:

4.1_Infection_Chain

Anti-VM measures

Both the second- and third-stage binaries of Vawtrak check the monitor resolution using User32.GetMonitorInfoA to make sure the malware isn’t running in a virtual machine. The malware binaries check to make sure the monitor resolution is greater than 800×600. This technique is employed to thwart some behavior-based detection systems.

5_Monitor_resolution_checks

Vawtrak’s monitor-resolution check.

Conclusion

This W97M malware differs from typical W97M malware due to the embedded binary inside the document. This tactic could be a result of the increased focus in the security community on W97M and the subsequent blacklisting of its control servers. Embedding an .exe in the doc file removes the need to contact a control server to download and execute the second-stage malware.

The encryption mechanisms and the use of VB 6 in both the second and third stages indicate that both instances of the malware share a common codebase, suggesting they could have been written by the same party.

MD5s

W97M samples. These samples are detected by McAfee as “W97M/Dropper.ao.”

  • e56a57acf528b8cd340ae039519d5150
  • 040c51e8c9118cc113c380d530984ba8
  • ef10ea1a8b342dd9f6d1cec46fcd3c0f

Second-stage malware: These samples are detected as “Generic.xy.”

  • 4b7623945d31ecd6ff1ed13f0ba1d6e0

Third-stage malware: These samples are detected as “RDN/Generic.cf” and “Vawtrak-FBB.”

  • 3e631d530267a38e65afc5b012d4ff0c

Yara rule for W97M Vawtrak dropper

rule W97M_Vawtrak_dropper
{
meta:
author=”McAfee”
description=”W97M_Vawtrak_Dropper”

strings:
$asterismal=”asterismal”
$bootlicking=”bootlicking”
$shell=”WScript.Shell”
$temp=”%temp%”
$oxygon=”oxygon.exe”
$saxhorn = “saxhorn”
$fire = “Fire”
$bin= “546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e”

condition:
all of them
}

 

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.

FacebookTwitterInstagramLinkedINYouTubeRSS

More from McAfee Labs

Back to top