{"id":48541,"date":"2016-03-22T17:32:49","date_gmt":"2016-03-23T00:32:49","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=48541"},"modified":"2025-06-08T19:20:30","modified_gmt":"2025-06-09T02:20:30","slug":"w97m-downloader-serving-vawtrak","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/","title":{"rendered":"W97M Downloader Serves Vawtrak Malware"},"content":{"rendered":"<p>McAfee Labs recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. Although W97M usually employs Microsoft Office documents to run malicious Visual Basic scripts that download and run malware, this instance of W97M contains an embedded executable that is dropped onto the file system using a malicious macro.<\/p>\n<p>W97M is a malware family comprising all malicious Office files (rich text, Word, Excel, etc.) that rely on macros containing VB scripts to download and run a specific malware from its control servers. Recently McAfee Labs has seen multiple waves of W97M malware serving malware, especially:<\/p>\n<ul>\n<li>Ransomware such as TeslaCrypt and Locky.<\/li>\n<li>Banking Trojans such as Dridex.<\/li>\n<\/ul>\n<p>Vawtrak is a multifunctional malware family with the following capabilities:<\/p>\n<ul>\n<li>Stealing FTP passwords from a\u00a0victim\u2019s system.<\/li>\n<li>Stealing certificates from a\u00a0victim\u2019s system.<\/li>\n<li>Stealing credentials and other information via process infection.<\/li>\n<li>Malicious code injection in web pages displayed in a browser on a\u00a0victim\u2019s system.<\/li>\n<li>Running arbitrary commands on a victim\u2019s system.<\/li>\n<\/ul>\n<h2><strong>Infection vector and analysis<\/strong><\/h2>\n<p>W97M malware is usually served via malicious email spam campaigns. This instance of W97M, however, is served from compromised websites. 
These compromised websites might be used with exploit kits or phishing campaigns that\u00a0trick victims into downloading and running the W97M documents.<\/p>\n<p>Some URLs serving the W97M malware:<\/p>\n<ul>\n<li>hxxp:\/\/www.excel-dougakaisetu.com\/wordpress\/wp-content\/plugins\/[masked]\/account.doc<\/li>\n<li>hxxp:\/\/www.ippan.x0.to\/wp-content\/themes\/[masked]\/account.doc<\/li>\n<li>hxxp:\/\/www.newbeginningsari.org.au\/wp-content\/[masked]\/account.doc<\/li>\n<li>hxxp:\/\/www.sternschule-uelzen.de\/wp-content\/plugins\/[masked]\/account.doc<\/li>\n<li>hxxp:\/\/elveland.no\/wp-content\/themes\/[masked]\/account.doc<\/li>\n<li>hxxp:\/\/www.nightaccess.com\/themes\/[masked]\/account.doc<\/li>\n<li>hxxp:\/\/excel-dougakaisetu.com\/wordpress\/wp-content\/plugins\/[masked]\/account.doc<\/li>\n<li>hxxp:\/\/nightaccess.com\/themes\/[masked]\/account.doc<\/li>\n<li>hxxp:\/\/www.paintballandbbthailand.com\/modules\/[masked]\/account.doc<\/li>\n<li>hxxp:\/\/ippan.x0.to\/wp-content\/themes\/[masked]\/account.doc<\/li>\n<li>hxxp:\/\/www.elveland.no\/wp-content\/themes\/[masked]\/account.doc<\/li>\n<li>hxxp:\/\/paintballandbbthailand.com\/modules\/[masked]\/account.doc<\/li>\n<li>hxxp:\/\/sternschule-uelzen.de\/wp-content\/plugins\/[masked]\/account.doc<\/li>\n<li>hxxp:\/\/www.yacht-energy.fr\/wp-content\/themes\/[masked]\/account.doc<\/li>\n<\/ul>\n<p>The W97M sample appears to have an RSA-encrypted message embedded in its contents. The document asks the victim to \u201cenable content\u201d to view the decrypted contents of the document. 
This is a standard trick to get the victim to enable the malicious macro, which drops an embedded executable and executes it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-48545\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/0_word_doc.png\" alt=\"0_word_doc\" width=\"1152\" height=\"822\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/0_word_doc.png 1152w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/0_word_doc-300x214.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/0_word_doc-768x548.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/0_word_doc-1024x731.png 1024w\" sizes=\"auto, (max-width: 1152px) 100vw, 1152px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Contents of a malicious W97M document.<\/em><\/p>\n<p>The document contains the malicious .exe embedded inside one of its forms. <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/macro-malware-associated-dridex-finds-new-ways-hide\/\">We have seen other examples <\/a>of W97M embedding commands in forms but not as in the preceding example, in which the entire .exe is embedded in the document.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-48546\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1_embedded_MZ_in_form.png\" alt=\"1_embedded_MZ_in_form\" width=\"866\" height=\"382\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1_embedded_MZ_in_form.png 866w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1_embedded_MZ_in_form-300x132.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1_embedded_MZ_in_form-768x339.png 768w\" sizes=\"auto, (max-width: 866px) 100vw, 866px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Embedded .exe in a Visual Basic form.<\/em><\/p>\n<p>The malicious macro reads the contents of the form and writes it into an executable in the %temp% 
directory.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-48547 size-large\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2_VBS_Macro_code_to_drop_run_MZ_oxygon-1024x730.png\" alt=\"2_VBS_Macro_code_to_drop_run_MZ_oxygon\" width=\"1024\" height=\"730\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2_VBS_Macro_code_to_drop_run_MZ_oxygon-1024x730.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2_VBS_Macro_code_to_drop_run_MZ_oxygon-300x214.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2_VBS_Macro_code_to_drop_run_MZ_oxygon-768x547.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2_VBS_Macro_code_to_drop_run_MZ_oxygon.png 1152w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Malicious macro code in the W97M malware.<\/em><\/p>\n<h2><strong>Second-stage executable<\/strong><\/h2>\n<p>The executable dropped in the %temp% directory is a VB 6 binary. The code is decrypted at runtime and the malware creates a suspended copy of itself that is injected with the malicious code. 
This malware is a variant of Pony malware.<\/p>\n<p>The primary functions of the second-stage binary:<\/p>\n<ul>\n<li>Steal FTP and other login credentials from known FTP software.<\/li>\n<li>Download and run the third-stage binary (Vawtrak).<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-48548\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/3_oxygon_FTP_strings.png\" alt=\"3_oxygon_FTP_strings\" width=\"685\" height=\"788\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/3_oxygon_FTP_strings.png 685w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/3_oxygon_FTP_strings-261x300.png 261w\" sizes=\"auto, (max-width: 685px) 100vw, 685px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Strings in the second-stage malware indicate the theft of FTP credentials.<\/em><\/p>\n<p>Once the second-stage binary has all the credentials it can\u00a0find, it sends\u00a0the stolen data to the following control servers:<\/p>\n<ul>\n<li>hxxp:\/\/tittertte.ru\/sliva\/gate.php<\/li>\n<li>hxxp:\/\/tythetru.ru\/sliva\/gate.php<\/li>\n<li>hxxp:\/\/rulahat.ru\/sliva\/gate.php<\/li>\n<\/ul>\n<p>These domains appear to be under the attacker(s) control:<\/p>\n<ul>\n<li>They are registered with the same registrar with registrant information hidden.<\/li>\n<li>They were registered on the same dates.<\/li>\n<li>They expire on the same dates.<\/li>\n<\/ul>\n<p>This malware targets the following software for credentials:<\/p>\n<ul>\n<li>Far Manager<\/li>\n<li>Total Commander<\/li>\n<li>Ipswitch WS_FTP<\/li>\n<li>CuteFTP<\/li>\n<li>FlashFXP<\/li>\n<li>FileZilla<\/li>\n<li>FTP Navigator<\/li>\n<li>Bulletproof FTP<\/li>\n<li>Smart FTP<\/li>\n<li>Turbo FTP<\/li>\n<li>FFFTP<\/li>\n<li>FTP++<\/li>\n<li>GoFTP<\/li>\n<li>Cofeecup FTP<\/li>\n<li>CoreFTP<\/li>\n<li>FTP explorer<\/li>\n<li>LeapFTP<\/li>\n<li>WinSCP<\/li>\n<li>32BitFTP<\/li>\n<li>ClassicFTP<\/li>\n<li>SoftX FTP 
client<\/li>\n<li>UltraFXP<\/li>\n<li>FTPRush<\/li>\n<li>FTPControl<\/li>\n<li>FTPVoyager<\/li>\n<li>LeechFTP<\/li>\n<li>Estsoft ALFTP<\/li>\n<li>DeluxeFTP<\/li>\n<li>Staff FTP<\/li>\n<li>FTP Visicom Media<\/li>\n<li>AceBit WiseFTP<\/li>\n<li>FreshFTP<\/li>\n<li>BlazeFTP<\/li>\n<li>3D-FTP<\/li>\n<li>EasyFTP<\/li>\n<li>Winzip FTP<\/li>\n<li>WinFTP<\/li>\n<li>FTPSurfer<\/li>\n<li>FTPGetter<\/li>\n<li>FTPNow<\/li>\n<li>Robo-FTP 3.7<\/li>\n<li>Linas FTP Site Manager<\/li>\n<li>Notepad++ FTP<\/li>\n<li>Coffeecup ftp profile<\/li>\n<li>FTPShell<\/li>\n<li>MyFTP<\/li>\n<li>NovaFTP<\/li>\n<li>Yandex<\/li>\n<li>Adobe Common SiteServers<\/li>\n<li>Frigate3<\/li>\n<li>SecureFX<\/li>\n<li>Cryer WebsitePublisher<\/li>\n<li>BitKinex<\/li>\n<li>ExpanDrive<\/li>\n<li>NCH Software Fling<\/li>\n<li>Directory Opus<\/li>\n<li>NetDrive<\/li>\n<li>Webdrive<\/li>\n<li>Opera<\/li>\n<li>Firefox<\/li>\n<li>Firefox FireFTP<\/li>\n<li>Mozilla Seamonkey<\/li>\n<li>Mozilla Flock<\/li>\n<li>Mozilla Profiles<\/li>\n<li>SiteInfo.qfp SpeedFTP<\/li>\n<li>Chrome login and web data<\/li>\n<li>Chromium login and web data<\/li>\n<li>Chrome plus login and web data<\/li>\n<li>Bromium login and web data<\/li>\n<li>Nichrome login and web data<\/li>\n<li>Comodo login and web data<\/li>\n<li>RockMelt login and web data<\/li>\n<li>K-Meleon profile data<\/li>\n<li>Epic profile data<\/li>\n<li>GlobalDownloader<\/li>\n<li>NetSarang<\/li>\n<li>RDP<\/li>\n<li>CyberDuck<\/li>\n<li>Putty<\/li>\n<li>MAS Soft FTPInfo<\/li>\n<li>NexusFile<\/li>\n<li>FastStone Browser FTPlist<\/li>\n<li>MapleStudio Chromeplus<\/li>\n<li>Windows Live Mail<\/li>\n<li>Windows Mail<\/li>\n<li>RimArts Mail<\/li>\n<li>Pocomail<\/li>\n<li>Incredimail<\/li>\n<li>BatMail<\/li>\n<li>MS Internet Account Manager<\/li>\n<li>Thunderbird<\/li>\n<\/ul>\n<p>Once the second-stage malware has uploaded the stolen credentials to the control\u00a0server, it downloads the third-stage malware from a different set of control\u00a0servers and runs 
it:<\/p>\n<ul>\n<li>hxxp:\/\/awc.asia\/wp-content\/themes\/[masked]\/hsg.exe<\/li>\n<li>hxxp:\/\/teatromanzonicassino.it\/wp-content\/themes\/[masked]\/hsg.exe<\/li>\n<li>hxxp:\/\/www.bisaim.com\/wp-content\/themes\/[masked]\/hsg.exe<\/li>\n<\/ul>\n<h2><strong>Third-stage executable<\/strong><\/h2>\n<p>The third-stage executable is the Vawtrak payload (also a VB 6 binary).<\/p>\n<p>The primary purpose of the binary is to infect other running processes in the system and:<\/p>\n<ul>\n<li>Steal security certificates.<\/li>\n<li>Infect Chrome and Firefox processes to inject malicious code into browsed web pages.<\/li>\n<li>Steal financial login credentials for banks.<\/li>\n<\/ul>\n<p><strong>Process infection and API hooking<\/strong><\/p>\n<p>The malware spreads across the system by injecting its code into any process that doesn\u2019t appear on the following whitelist:<\/p>\n<ul>\n<li>csrss.exe<\/li>\n<li>smss.exe<\/li>\n<li>wininit.exe<\/li>\n<li>services.exe<\/li>\n<li>svchost.exe<\/li>\n<li>lsas.exe<\/li>\n<li>lsm.exe<\/li>\n<li>winlogon.exe<\/li>\n<li>dbgview.exe<\/li>\n<li>taskhost.exe<\/li>\n<\/ul>\n<p>The malware also looks for the following processes and establishes API hooks on these functions:<\/p>\n<ul>\n<li>Internet Explorer\n<ul>\n<li>HttpEndRequest, HttpOpenRequest, HttpQueryInfo, HttpSendRequest, InternetConnect, InternetQueryDataAvailable, InternetQueryOption, InternetReadFile.<\/li>\n<\/ul>\n<\/li>\n<li>Firefox\n<ul>\n<li>PR_Close, PR_Read, PR_Write, etc.<\/li>\n<\/ul>\n<\/li>\n<li>Chrome\n<ul>\n<li>LoadLibrary, PFXImportCertStore, etc.<\/li>\n<\/ul>\n<\/li>\n<li>Other processes\n<ul>\n<li>CreateProcessInternal: To infect any new process spawned by this process.<\/li>\n<li>PFXImportCertStore: To steal certificate information from the victim.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" 
class=\"aligncenter wp-image-48549 size-large\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/4_Vawtrak_Hooks-1024x599.png\" alt=\"4_Vawtrak_Hooks\" width=\"1024\" height=\"599\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4_Vawtrak_Hooks-1024x599.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4_Vawtrak_Hooks-300x176.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4_Vawtrak_Hooks-768x450.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4_Vawtrak_Hooks.png 1553w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center;\"><em>API hooks established by the third-stage malware.<\/em><\/p>\n<p>The malware uploads the stolen data to one of the following control servers:<\/p>\n<ul>\n<li>castuning.ru\/rss\/feed\/stream<\/li>\n<li>mgsmedia.ru\/rss\/feed\/stream<\/li>\n<li>puropea.com\/rss\/feed\/stream<\/li>\n<li>futooke.com\/rss\/feed\/stream<\/li>\n<li>citroxi.com\/rss\/feed\/stream<\/li>\n<\/ul>\n<h2><strong>Infection chain<\/strong><\/h2>\n<p>The stages of\u00a0infection are\u00a0illustrated in the following figure:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-48550 size-large\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/4.1_Infection_Chain-1024x317.png\" alt=\"4.1_Infection_Chain\" width=\"1024\" height=\"317\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4.1_Infection_Chain-1024x317.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4.1_Infection_Chain-300x93.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4.1_Infection_Chain-768x238.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4.1_Infection_Chain.png 1270w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><strong>Anti-VM measures<\/strong><\/p>\n<p>Both the second-\u00a0and third-stage binaries of Vawtrak check the monitor resolution using 
User32.GetMonitorInfoA to make sure the malware isn\u2019t running in a virtual machine. The malware binaries check to make sure the monitor resolution is greater than 800&#215;600. This technique is employed to thwart some behavior-based detection systems.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-48551\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/5_Monitor_resolution_checks.png\" alt=\"5_Monitor_resolution_checks\" width=\"1208\" height=\"160\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5_Monitor_resolution_checks.png 1208w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5_Monitor_resolution_checks-300x40.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5_Monitor_resolution_checks-768x102.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5_Monitor_resolution_checks-1024x136.png 1024w\" sizes=\"auto, (max-width: 1208px) 100vw, 1208px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Vawtrak&#8217;s monitor-resolution check.<\/em><\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>This W97M malware differs from typical W97M malware due to the embedded binary inside the document. This tactic could be a result of the increased focus in the security community on W97M and the subsequent blacklisting of its control\u00a0servers. Embedding an .exe in the doc file removes the need to contact a control server to download and execute the second-stage malware.<\/p>\n<p>The encryption mechanisms and the use of VB 6 in both the second and third\u00a0stages indicate that both instances of the malware share a common codebase, suggesting they could have been written by the same party.<\/p>\n<p><strong>MD5s<\/strong><\/p>\n<p>W97M samples. 
These samples are detected by McAfee as \u201cW97M\/Dropper.ao.\u201d<\/p>\n<ul>\n<li>e56a57acf528b8cd340ae039519d5150<\/li>\n<li>040c51e8c9118cc113c380d530984ba8<\/li>\n<li>ef10ea1a8b342dd9f6d1cec46fcd3c0f<\/li>\n<\/ul>\n<p>Second-stage malware: This sample is detected as \u201cGeneric.xy.\u201d<\/p>\n<ul>\n<li>4b7623945d31ecd6ff1ed13f0ba1d6e0<\/li>\n<\/ul>\n<p>Third-stage malware: This sample is detected as \u201cRDN\/Generic.cf\u201d and \u201cVawtrak-FBB.\u201d<\/p>\n<ul>\n<li>3e631d530267a38e65afc5b012d4ff0c<\/li>\n<\/ul>\n<p><strong>Yara rule for W97M Vawtrak dropper<\/strong><\/p>\n<p>rule W97M_Vawtrak_dropper<br \/>\n{<br \/>\nmeta:<br \/>\nauthor = &quot;McAfee&quot;<br \/>\ndescription = &quot;W97M_Vawtrak_Dropper&quot;<\/p>\n<p>strings:<br \/>\n$asterismal = &quot;asterismal&quot;<br \/>\n$bootlicking = &quot;bootlicking&quot;<br \/>\n$shell = &quot;WScript.Shell&quot;<br \/>\n$temp = &quot;%temp%&quot;<br \/>\n$oxygon = &quot;oxygon.exe&quot;<br \/>\n$saxhorn = &quot;saxhorn&quot;<br \/>\n$fire = &quot;Fire&quot;<br \/>\n$bin = &quot;546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e&quot;<\/p>\n<p>condition:<br \/>\nall of them<br \/>\n}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>McAfee Labs recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. 
Although W97M usually&#8230;<\/p>\n","protected":false},"author":807,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,4452,338,142,180],"coauthors":[4607],"class_list":["post-48541","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-cybersecurity","tag-endpoint-protection","tag-tag-identity-theft","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>W97M Downloader Serves Vawtrak Malware | McAfee Blog<\/title>\n<meta name=\"description\" content=\"McAfee Labs recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. Although W97M usually employs Microsoft Office\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"W97M Downloader Serves Vawtrak Malware | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"McAfee Labs recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. 
Although W97M usually employs Microsoft Office\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-03-23T00:32:49+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-09T02:20:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/0_word_doc.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1152\" \/>\n\t<meta property=\"og:image:height\" content=\"822\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Asheer Malhotra\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Asheer Malhotra\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/\"},\"author\":{\"name\":\"Asheer Malhotra\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/066cf1359f16ae518cecdc64508d8288\"},\"headline\":\"W97M Downloader Serves Vawtrak Malware\",\"datePublished\":\"2016-03-23T00:32:49+00:00\",\"dateModified\":\"2025-06-09T02:20:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/\"},\"wordCount\":1375,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/0_word_doc.png\",\"keywords\":[\"computer security\",\"cybercrime\",\"cybersecurity\",\"endpoint protection\",\"identity theft\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/\",\"name\":\"W97M Downloader Serves Vawtrak Malware | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/0_word_doc.png\",\"datePublished\":\"2016-03-23T00:32:49+00:00\",\"dateModified\":\"2025-06-09T02:20:30+00:00\",\"description\":\"McAfee Labs recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. Although W97M usually employs Microsoft Office\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/0_word_doc.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/0_word_doc.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"W97M Downloader Serves Vawtrak 
Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/066cf1359f16ae518cecdc64508d8288\",\"name\":\"Asheer Malhotra\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/e78078f1b329a169c8bbda9ddf3944da\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/asheer-malhotra-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/asheer-malhotra-96x96.jpg\",\"caption\":\"Asheer Malhotra\"},\"description\":\"Asheer is a Security Researcher at McAfee. 
He is actively involved in reverse engineering, malware analysis and network traffic analysis.\",\"sameAs\":[\"http:\/\/www.linkedin.com\/in\/asheermalhotra\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/asheer-malhotra\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"W97M Downloader Serves Vawtrak Malware | McAfee Blog","description":"McAfee Labs recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. Although W97M usually employs Microsoft Office","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"W97M Downloader Serves Vawtrak Malware | McAfee Blog","og_description":"McAfee Labs recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. Although W97M usually employs Microsoft Office","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2016-03-23T00:32:49+00:00","article_modified_time":"2025-06-09T02:20:30+00:00","og_image":[{"width":1152,"height":822,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/0_word_doc.png","type":"image\/png"}],"author":"Asheer Malhotra","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"Asheer Malhotra","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/"},"author":{"name":"Asheer Malhotra","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/066cf1359f16ae518cecdc64508d8288"},"headline":"W97M Downloader Serves Vawtrak Malware","datePublished":"2016-03-23T00:32:49+00:00","dateModified":"2025-06-09T02:20:30+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/"},"wordCount":1375,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/0_word_doc.png","keywords":["computer security","cybercrime","cybersecurity","endpoint protection","identity theft","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/","name":"W97M Downloader Serves Vawtrak Malware | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/0_word_doc.png","datePublished":"2016-03-23T00:32:49+00:00","dateModified":"2025-06-09T02:20:30+00:00","description":"McAfee Labs 
recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. Although W97M usually employs Microsoft Office","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/0_word_doc.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/0_word_doc.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/w97m-downloader-serving-vawtrak\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"W97M Downloader Serves Vawtrak Malware"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security 
News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/066cf1359f16ae518cecdc64508d8288","name":"Asheer Malhotra","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/e78078f1b329a169c8bbda9ddf3944da","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/asheer-malhotra-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/asheer-malhotra-96x96.jpg","caption":"Asheer Malhotra"},"description":"Asheer is a Security Researcher at McAfee. 
He is actively involved in reverse engineering, malware analysis and network traffic analysis.","sameAs":["http:\/\/www.linkedin.com\/in\/asheermalhotra"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/asheer-malhotra\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/48541","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/807"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=48541"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/48541\/revisions"}],"predecessor-version":[{"id":215281,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/48541\/revisions\/215281"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=48541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=48541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=48541"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=48541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}