W97M.Downloader Malware

W97M.Downloader is the name given to a piece of malicious software that was actively distributed in a banking-malware campaign most active in early 2016.

The malware is a Microsoft Office document tailor-made by the threat actor, with macros enabled. On opening, the document asks the user for permission to run the macro scripts it contains; once that permission is granted, the script connects to remote servers and downloads files from them.
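A defender's first question about a document like this is simply whether it carries a VBA project at all. The script below is an added example, not code from the article or from any vendor mentioned in it: it builds a constructed, minimal OOXML package (with placeholder bytes standing in for `word/vbaProject.bin`, not real VBA) and then inspects an arbitrary file for the legacy OLE compound-file header or for a `vbaProject.bin` part, and flags a macro-carrying file whose extension (e.g. `.docx`) does not advertise macros. The container magic numbers are standard; the verdict labels and the sample are this example's own.

```python
import io
import os
import zipfile

# Standard container signatures: legacy binary Office (.doc/.xls) is an OLE2 compound
# file; modern OOXML (.docx/.docm/...) is a ZIP package.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Extensions whose names already declare macro content.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally with a VBA project part.
    The vbaProject.bin content is placeholder bytes, not a real macro."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder, not VBA
    return buf.getvalue()


def inspect_office_file(data: bytes, filename: str) -> dict:
    """Classify an Office file by container and by presence of a VBA project part.

    Returns a dict with: container ('ole' | 'ooxml' | 'other'), has_vba_project,
    extension_mismatch (macro part present but extension does not say so), verdict.
    """
    ext = os.path.splitext(filename)[1].lower()
    result = {
        "container": "other",
        "has_vba_project": False,
        "extension_mismatch": False,
        "verdict": "not-office",
    }

    if data.startswith(OLE_MAGIC):
        # Legacy binary formats store macros inside an OLE storage; parsing that needs
        # an OLE reader, so here the file is only routed for deeper inspection.
        result["container"] = "ole"
        result["verdict"] = "legacy-binary-review"
        return result

    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            # A ZIP signature that does not parse is itself worth a look.
            result["verdict"] = "corrupt-package"
            return result
        result["has_vba_project"] = any(
            n.lower().endswith("vbaproject.bin") for n in names
        )
        if result["has_vba_project"]:
            result["extension_mismatch"] = ext not in MACRO_EXTENSIONS
            result["verdict"] = "macro-enabled"
        else:
            result["verdict"] = "no-macros"
        return result

    return result


if __name__ == "__main__":
    for name, blob in [
        ("invoice.docm", build_sample_docm(with_macro=True)),
        ("invoice.docx", build_sample_docm(with_macro=True)),  # macros hidden behind a .docx name
        ("notes.docx", build_sample_docm(with_macro=False)),
        ("old.doc", OLE_MAGIC + b"\x00" * 504),
    ]:
        print(name, inspect_office_file(blob, name))
```

Because the check works on container structure rather than on signatures of a specific campaign, it still applies to newer droppers that reuse the same macro-enabled-document pattern; a `vbaProject.bin` part arriving under a `.docx` name is a common quarantine trigger in mail gateways.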

Although some time has passed since the W97M malware's heyday, researchers have spotted a resurgence in its use. The dropper has been found on several content management system (CMS) platforms, and it has also served as a "bridge" that ultimately delivers various ransomware strains and banking ransomware variants belonging to the Zeus family.

W97M is also spread through malicious spam email campaigns, and it can burrow into the processes of Chrome and Firefox, injecting malicious code into pages the browser loads.

More worryingly, according to a Sucuri research team, most anti-malware applications cannot detect the PHP dropper code used by W97M.

June 22, 2022