In recent weeks, McAfee Labs has seen a rise in the W97MDownloader malware, which comes with a macro downloader embedded in doc files. One of the malware families that serves these embedded macros is Bartallex, whose appearances have increased significantly during this period. The following chart shows the recent trend for the family:
This threat is a malicious macro that comes into users’ systems through a spam email and a Microsoft Word file, which leads to downloading and running the malware on the victim’s machine. Whenever a user tries to open the malicious doc file, Word should show a security notification asking whether the user wants to enable macros. If enabled, this threat will execute.
One difference in this variant of W97MDownloader is that it clears the contents in the Word document after the macro is enabled. It also generally downloads its payload in the %temp% folder.
The spam email may look like this:
This threat shows that attackers have not forgotten the classic exploitation technique of tricking users into enabling Office macros to execute malicious code.
The infection chain starts with the spammed email. The email is carefully designed to lure users and seems legitimate. After executing, Bartallex drops a .bat file and a .vbs file onto the victim’s system. They download further malware.
The following figure shows a .doc file with embedded macro posing as a fax:
If email recipients open the document, they first see junk data with a request to enable the macro–in spite of the security warning to not trust its content. The doc file has a random name, for example:
Upon execution, this malware drops the following files:
The downloaded files are:
- %Temp%\444.exe (for Windows XP and earlier)
- %User Temp%\444.exe (for Windows Vista and later)
Extracting the Macro
This document contains three embedded macros. The details of the extracted macros follow:
Let’s take a look some of this malware’s evasion efforts. The first two lines use some classic obfuscation.
- BART212 = “” & “d-up” + “date”
- BART2 = Chr (97) + Chr (100) & “” & “o” & “” & “b” & “e” + “ac” & BART212
Splitting a variable is typical for evading scanners searching for keywords and other suspicious activities such as downloading a file. The Chr function returns a string containing the character associated with the specified character code. For example, Chr (97) is the letter a and Chr (100) is the letter d.
After removing the breaks and making the substitutions, we see a meaningful string:
BART2 = “adobeacd-update”
Opening the document file with macros enabled runs the dropped batch file, which in turn runs the .vbs file, which immediately downloads other malware–such as malware families Upatre, Vawtrak, and Chanitor– from the remote server.
The malware connects to the control server “https:/xx.xxx.254.213/us/file.jpg” and downloads the payload, which appears to be a .jpg file but is really a malicious .exe file.
Here’s a look at the traffic:
We have also seen this threat download a clean PNG image file and save it with a random file name, for example %temp%\savepic.su\5123965.png.
We are seeing lot of malware propagating through this infection vector. It’s always a good idea to pay attention to system security messages. Don’t ignore a suggestion to be careful.
McAfee products detect this threat and its payloads as:
- Generic-FAWE! [partial hash]
- Backdoor-FCMU! [partial hash]
I would like to thank my colleague Lenart Brave for his help with this analysis.