W97M/Downloader hosted on multiple CMS like Magento, WordPress, and Joomla

• This malware campaign has primarily targeted the United States, Germany, India, and the United Kingdom.
• W97M steals banking login credentials and sends it to .ru websites.

Researchers observed that some instances of the W97M/Downloader malware are now being served in compromised websites by a custom PHP dropper.

The big picture

• The compromised websites include malicious W97M documents which contain VB scripts.
• The websites trick victims into downloading the document (INVOICE-959502-12723.doc), upon which the VB script downloads and executes a specific malware from its C&C server.

“W97M/Downloader is a specially-crafted Microsoft Word document that, when opened, silently executes a malicious macro that connects to multiple remote servers to download and display additional components,” researchers described.

This malware campaign has primarily targeted the United States, Germany, India, and the United Kingdom.

Key highlights

• The downloader malware is hosted on multiples CMS like Magento, WordPress, and Joomla. However, the malicious code is not CMS based.
• W97M is usually distributed via malspam campaigns and infects Chrome or Firefox to inject malicious code into browsers.
• This malware also steals banking login credentials and sends it to .ru websites.
• W97M has also been serving as a bridge to ransomware such as TeslaCrypt as well as Banking Trojans such as Dridex and Vawtrak, which are part of Zeus malware family.

How to stay protected?

• Security experts recommend users not to enable the macro functionality within Microsoft Office.
• Researchers also request users to avoid opening emails and attachments sent by unknown parties.