Application security, Incident Response, Malware, TDR

W97M/Downloader macro malware grows even more deceptive

McAfee Labs has discovered a new deceptive technique that developers of the Word macro Trojan known as W97M/Downloader are using to avoid detection.

According to an Intel Security/McAfee blog post, researchers found a variant of W97M/Downloader that builds off the already established tactic of hiding itself in Microsoft Office XML documents that contain compressed MSA Active Mime objects, which in turn extract encrypted OLE objects that automatically execute the malicious macro code.

The new variant adds two brand new layers of trickery. First, the “malicious XML document is now hidden in a multipart MIME object distributed as .RTF or .DOC files that arrive via phishing or spam emails,” the blog post explains. Secondly, the code that downloads and executes the final malware payload is not actually located in the macro, but rather in a very small (and thus difficult to spot) TextBox 1 object embedded in a form object. This final payload is a form of Dridex banking malware, which steals users' online banking credentials. Microsoft Office users can help protect themselves by disabling macros, McAfee advises.

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.
Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

You can skip this ad in 5 seconds