Security researchers at Proofpoint security have discovered a previously undocumented downloader tracked as AdvisorsBot that was involved in malicious email campaigns.
AdvisorsBot was uncovered in malicious email campaigns, attributed to the TA555 threat actor, targeting hotels, restaurants, and telecommunications entities.
The name “AdvisorsBot” comes from the early command and control (C&C) domains that all contained the word “advisors”
The experts attributed the attack to the TA555 threat actor that leverages the downloader as a first-stage payload that downloads a component that gathers information of the infected machine.
The attackers used the downloader as a first-stage payload, to load a module that performs fingerprinting of the targeted machine and likely deliver additional modules onto the systems of interest.
“Beginning in May 2018, Proofpoint researchers observed a previously undocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns. The campaigns appear to primarily target hotels, restaurants, and telecommunications, and are distributed by an actor we track as TA555.” reads the analysis published by Proofpoint.
“To date, we have observed AdvisorsBot used as a first-stage payload, loading a fingerprinting module that, as with Marap, is presumably used to identify targets of interest to further infect with additional modules or payloads.”
AdvisorsBot was first spotted in May 2018, it is written in C but experts already discovered other versions written in PowerShell and .NET, a circumstance that suggests the code is under active development.
AdvisorsBot implements a number of anti-analysis features, such as the use of junk code (i.e. extra instructions, conditional statements, and loops) with the intent to make very hard the reverse engineering of the malware.
“We can also see two more anti-analysis features in the same screenshots:
- Most strings are stored as “stack strings” in which the characters of the string are manually pushed onto stack memory with individual instructions. This makes it more difficult to quickly see the strings the malware uses.
- Windows API function hashing, which hinders identification of the malware’s functionality. A Python implementation of the hashing algorithm is available on Github .” continues the report.
AdvisorsBot is able to detect analysis and virtualized environments.
In May and June, the campaigns leveraged macros to execute a PowerShell command to fetch and run AdvisorsBot, in most recent attacks the PowerShell command would download another PowerShell script to execute embedded shellcode that would run the downloader directly in the memory. Since August 15, the macro in the latest attacks fetched a PowerShell version of AdvisorsBot directly.
The communication with the C&C server is over HTTPS, in turn, the C&C sends commands via GET requests. At the time of the analysis, the malware only includes support for two commands, it can either load a module or load a shellcode in a thread.
“At the time of publication we have only observed a system fingerprinting module being sent from a C&C server.” continues the analysis.
“It performs the following activities and sends their output back to the C&C:
- Takes a screenshot and base64 encodes it
- Extracts Microsoft Outlook account details
- Runs the following system commands:
- ipconfig /all
- netstat -f
- net view
- net group “domain admins” /domain
- dir %USERPROFILE%\Desktop
- wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,pathToSignedProductExe”
The latest campaign uncovered by the experts employed a new version of the malware, tracked as PoshAdvisor, that is rewritten using PowerShell and a .NET DLL embedded inside the PowerShell script.
“While it remains to be seen whether this threat actor will continue to distribute AdvisorsBot, PoshAdvisor, or both in future campaigns, this pair of downloaders, with extensive anti-analysis features and increasingly sophisticated distribution techniques, warrant further investigation,” Proofpoint concludes.
|[adrotate banner=”9″]||[adrotate banner=”12″]|