Application security, Incident Response, Malware, TDR

W97M/Downloader macro malware grows even more deceptive

McAfee Labs has discovered a new deceptive technique that developers of the Word macro Trojan known as W97M/Downloader are using to avoid detection.

According to an Intel Security/McAfee blog post, researchers found a variant of W97M/Downloader that builds off the already established tactic of hiding itself in Microsoft Office XML documents that contain compressed MSA Active Mime objects, which in turn extract encrypted OLE objects that automatically execute the malicious macro code.

The new variant adds two brand new layers of trickery. First, the “malicious XML document is now hidden in a multipart MIME object distributed as .RTF or .DOC files that arrive via phishing or spam emails,” the blog post explains. Secondly, the code that downloads and executes the final malware payload is not actually located in the macro, but rather in a very small (and thus difficult to spot) TextBox 1 object embedded in a form object. This final payload is a form of Dridex banking malware, which steals users' online banking credentials. Microsoft Office users can help protect themselves by disabling macros, McAfee advises.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.