W97M.Downloader is a dedicated dropper malware threat that cybercriminals use as a delivery mechanism for later-stage payloads. The threat is spread via spam email campaigns carrying specially crafted, weaponized Microsoft Word documents. When a user opens the file, a malicious macro runs and connects to multiple remote servers in order to fetch the next-stage payload. According to the findings of cybersecurity researchers, W97M.Downloader has been used to deliver ransomware threats such as TeslaCrypt, as well as banking Trojans including Vawtrak and Dridex.
In later operations, the cybercriminals established additional infection vectors for W97M.Downloader. More specifically, the malware was distributed via compromised websites hosting a custom PHP dropper. The compromised websites lured victims into downloading and then opening a malicious document carrying W97M.Downloader. Visual Basic (VB) scripts then ensure that the appropriate malware payload is delivered from the control servers to the compromised device.
In addition to its dropper capabilities, W97M.Downloader can inject into Chrome and Firefox processes and insert malicious code into the web pages the victim opens. The attackers also can use the malware to harvest sensitive data, such as account credentials for financial and banking applications. All acquired information is then exfiltrated to the Command-and-Control servers of the operation.
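As an added illustration (not part of the original write-up), the following Python sketch shows how a defender might look for the two behaviours described above in endpoint telemetry: an Office process contacting several external hosts within a short window after a document is opened (the macro reaching out to "multiple remote servers"), and a non-browser process injecting into Chrome or Firefox. The event records, field names, IP addresses and process names are all constructed for the example and modelled loosely on Sysmon network-connection and CreateRemoteThread events; real telemetry uses different field names.

```python
"""Detection sketch for two W97M.Downloader behaviours (constructed example).

Rule 1: an Office process opens connections to >= min_hosts distinct external
        hosts within a short window (macro fetching next-stage payloads).
Rule 2: a process that is not itself a browser creates a remote thread in
        chrome.exe or firefox.exe (browser injection for web-page tampering).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"chrome.exe", "firefox.exe"}

# Constructed sample events (assumed schema: id 3 = network connection,
# id 8 = remote thread creation). Addresses are documentation ranges.
EVENTS = [
    {"ts": "2024-01-10T09:00:01", "id": 3, "image": "winword.exe", "pid": 4120, "dst": "203.0.113.10"},
    {"ts": "2024-01-10T09:00:02", "id": 3, "image": "winword.exe", "pid": 4120, "dst": "198.51.100.7"},
    {"ts": "2024-01-10T09:00:03", "id": 3, "image": "winword.exe", "pid": 4120, "dst": "192.0.2.44"},
    # A different Word instance talking only to an internal host: benign.
    {"ts": "2024-01-10T09:05:00", "id": 3, "image": "winword.exe", "pid": 5001, "dst": "10.0.0.5"},
    # Unknown binary in a user profile injecting into the browser: suspicious.
    {"ts": "2024-01-10T09:00:40", "id": 8,
     "source_image": "C:\\Users\\victim\\AppData\\Roaming\\svc.exe", "target_image": "chrome.exe"},
    # Chrome managing its own child processes: expected, not an alert.
    {"ts": "2024-01-10T09:02:00", "id": 8, "source_image": "chrome.exe", "target_image": "chrome.exe"},
]

# Only RFC 1918 / loopback / link-local ranges count as internal here, so the
# TEST-NET documentation addresses in the sample are treated as external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL)


def office_fanout(events, window_s=60, min_hosts=2):
    """Return {(image, pid): sorted external hosts} for Office processes that
    reached >= min_hosts distinct external hosts within window_s seconds."""
    by_proc = defaultdict(list)
    for e in events:
        if e["id"] == 3 and e["image"].lower() in OFFICE and is_external(e["dst"]):
            by_proc[(e["image"].lower(), e["pid"])].append(
                (datetime.fromisoformat(e["ts"]), e["dst"]))
    alerts = {}
    for key, conns in by_proc.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            # Distinct destinations seen from this connection onward, inside the window.
            hosts = {d for t, d in conns[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(hosts) >= min_hosts:
                alerts[key] = alerts.get(key, set()) | hosts
    return {k: sorted(v) for k, v in alerts.items()}


def browser_injection(events):
    """Return (source, target) pairs where a non-browser image created a remote
    thread inside a browser process."""
    hits = []
    for e in events:
        if e["id"] != 8:
            continue
        src = ntpath.basename(e["source_image"]).lower()
        tgt = ntpath.basename(e["target_image"]).lower()
        if tgt in BROWSERS and src not in BROWSERS:
            hits.append((src, tgt))
    return hits


if __name__ == "__main__":
    for proc, hosts in office_fanout(EVENTS).items():
        print(f"[fan-out] {proc[0]} pid={proc[1]} contacted {len(hosts)} external hosts: {hosts}")
    for src, tgt in browser_injection(EVENTS):
        print(f"[injection] {src} -> {tgt}")
```

Both rules are deliberately narrow: the fan-out rule keys on the process identity rather than on any specific server address, so it survives infrastructure changes, and the injection rule whitelists only the browsers' own process trees, so any other source image surfaces for review.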