The distribution campaign for a threat named W97M/Downloader has been active for more than a year. W97M/Downloader is a well-designed Microsoft Word document that, when opened by the computer user, runs a malicious macro; the macro connects to several remote servers to install other components and opens a door for the infamous Dridex and Vawtrak banking Trojans to get inside the targeted machine. W97M/Downloader may enter a computer when the user visits a compromised website and is prompted to download and execute corrupted documents, which contain a custom PHP dropper that installs W97M/Downloader on the machine, or via spam email campaigns. W97M/Downloader can infect Firefox and Chrome processes to inject malicious code into visited web pages, allow the installation of ransomware, collect login data for online banking accounts and send that information to its Command and Control servers.

The PHP dropper script that installs W97M/Downloader on the infected machine can be found in the 'Cust-Document-3501256760' folder. There have been reports of W97M/Downloader attacks in the US, the United Kingdom, India and Germany.

There are various security measures that computer users need to implement to avoid being infected by W97M/Downloader. One of them, perhaps the most effective, is not to enable macros within Microsoft Office. An up-to-date security program is also fundamental to keeping your machine and data safe.
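Before a document like the one described above is opened, a defender can triage it for an embedded VBA project. The following is an added example written for this page, not code from the original article or from any product; it checks a Word file's bytes without executing anything, covering both the legacy Word 97-2003 binary (.doc, an OLE compound file) and the OOXML container (.docm/.docx). The `_build_docm_sample` helper and the `OLE_SAMPLE_*` byte strings are constructed test inputs, not real malware.

```python
import io
import zipfile

# Magic bytes of an OLE compound file (Word 97-2003 .doc).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage/stream names that Word only writes when a document carries VBA.
# Directory-entry names are stored as UTF-16LE inside the compound file,
# so a raw byte scan for the encoded names is a cheap, read-only heuristic.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]


def has_vba_macros(data: bytes) -> bool:
    """Return True if the Word file in `data` appears to contain a VBA project."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: look for the VBA storage names.
        return any(marker in data for marker in OLE_VBA_MARKERS)
    if data.startswith(b"PK"):
        # OOXML: the whole VBA project lives in one binary part. A .docm renamed
        # to .docx still carries it, so check the part name, not the extension.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    # Not a Word container this check understands.
    return False


def _build_docm_sample(with_vba: bool) -> bytes:
    """Constructed OOXML sample: minimal zip with or without a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


# Constructed .doc look-alikes: OLE magic plus a fake directory-entry name.
# Not valid compound files, just enough bytes to exercise the heuristic.
OLE_SAMPLE_WITH_MACROS = OLE_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le")
OLE_SAMPLE_CLEAN = OLE_MAGIC + b"\x00" * 24 + "WordDocument".encode("utf-16-le")

if __name__ == "__main__":
    for label, sample in (("docm", _build_docm_sample(True)), ("doc", OLE_SAMPLE_WITH_MACROS)):
        print(label, "macros:", has_vba_macros(sample))
```

A positive result does not prove the macro is malicious, only that the file should be opened with macros disabled or handed to sandbox analysis instead of the user.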
