AdvisorsBot, a previously undocumented downloader involved in malicious email campaigns

Security researchers at Proofpoint have discovered a previously undocumented downloader, tracked as AdvisorsBot, that was used in malicious email campaigns.

AdvisorsBot was uncovered in malicious email campaigns, attributed to the threat actor TA555, that targeted hotels, restaurants, and telecommunications companies.

The name “AdvisorsBot” comes from the early command and control (C&C) domains, which all contained the word “advisors”.

Proofpoint attributes the attacks to TA555, which uses the downloader as a first-stage payload: once running, it loads a module that fingerprints the infected machine, and the collected data is presumably used to pick out systems of interest for additional modules or payloads.

“Beginning in May 2018, Proofpoint researchers observed a previously undocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns. The campaigns appear to primarily target hotels, restaurants, and telecommunications, and are distributed by an actor we track as TA555.” reads the analysis published by Proofpoint. 

“To date, we have observed AdvisorsBot used as a first-stage payload, loading a fingerprinting module that, as with Marap, is presumably used to identify targets of interest to further infect with additional modules or payloads.”

AdvisorsBot was first spotted in May 2018. The original version is written in C, but the researchers have since found versions written in PowerShell and .NET, which suggests the code is under active development.

AdvisorsBot implements a number of anti-analysis features, such as junk code (extra instructions, conditional statements, and loops) inserted to make reverse engineering of the malware harder.

“We can also see two more anti-analysis features in the same screenshots:

  1. Most strings are stored as “stack strings” in which the characters of the string are manually pushed onto stack memory with individual instructions. This makes it more difficult to quickly see the strings the malware uses.
  2. Windows API function hashing, which hinders identification of the malware’s functionality. A Python implementation of the hashing algorithm is available on Github [1].” continues the report.
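To show how API function hashing hides a loader's imports, and how an analyst reverses it, here is an added example in Python; it is not code from the Proofpoint report or from AdvisorsBot. The hash routine (ROR-13 with add, the scheme used by many position-independent shellcode loaders) is an assumed stand-in, since the sample's own algorithm is not reproduced on this page, and the export names are a constructed list standing in for a parsed export table.

```python
"""API-name hashing: the binary stores a 32-bit constant per import and walks
export tables at run time until a name hashes to it, so no API string appears
in the file. Added example, not AdvisorsBot's code; the ROR-13/add hash is an
ASSUMED stand-in for the sample's real algorithm."""
from __future__ import annotations

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count &= 31
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str) -> int:
    """Hash an export name byte by byte: rotate the accumulator right by 13,
    then add the byte. The terminating NUL is folded in as well, mirroring a
    loader that walks the C string until it hits the terminator."""
    h = 0
    for byte in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed stand-in for an export table. In practice these names come from
# parsing the export directory of kernel32.dll, wininet.dll, etc. with pefile.
EXPORT_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WinHttpOpen", "WinHttpConnect", "WinHttpSendRequest",
    "InternetOpenA", "GetSystemInfo", "IsDebuggerPresent",
]


def build_lookup(names: list[str]) -> dict[int, str]:
    """Precompute hash -> name so constants found in the disassembly can be
    labelled. A collision would break the loader too, so refuse to hide one."""
    table: dict[int, str] = {}
    for n in names:
        h = api_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {n!r} vs {table[h]!r} ({h:#010x})")
        table[h] = n
    return table


def resolve(hash_value: int, table: dict[int, str]) -> str | None:
    """Map a constant lifted from the binary back to an API name, or None if
    it does not belong to any export we know about (a DLL we have not parsed)."""
    return table.get(hash_value & MASK32)


if __name__ == "__main__":
    table = build_lookup(EXPORT_NAMES)
    # Pretend these constants were pulled from the malware's resolver routine.
    for h in (api_hash("VirtualAlloc"), api_hash("CreateThread"), 0xDEADBEEF):
        print(f"{h:#010x} -> {resolve(h, table)}")
```

In a real triage the lookup is built from every DLL the sample could load, and the hash function itself is recovered from the resolver loop (the rotate count and the combining operation are the parts that vary between families); once the constants are labelled, the stack-string and hashing obfuscation no longer hides which network, memory and thread APIs the downloader reaches for.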

The downloader also checks whether it is running in an analysis or virtualized environment.

The delivery chain has changed over time. In the May and June campaigns, the document macros ran a PowerShell command that fetched and executed the AdvisorsBot executable. In later campaigns that PowerShell command instead downloaded a second PowerShell script carrying embedded shellcode, which ran the downloader directly in memory. Since August 15, the macro has fetched a PowerShell version of AdvisorsBot directly.

Communication with the C&C server takes place over HTTPS, and commands are exchanged via GET requests. At the time of the analysis the malware supported only two commands: load a module, or load shellcode into a thread.

“At the time of publication we have only observed a system fingerprinting module being sent from a C&C server.” continues the analysis.

“It performs the following activities and sends their output back to the C&C:

  • Takes a screenshot and base64 encodes it
  • Extracts Microsoft Outlook account details
  • Runs the following system commands:
    • systeminfo
    • ipconfig /all
    • netstat -f
    • net view
    • tasklist
    • whoami
    • net group “domain admins” /domain
    • dir %USERPROFILE%\Desktop
    • wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,pathToSignedProductExe”
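The command list above is a usable detection surface: each tool on its own is common, but nine of them spawned from one parent within seconds, including an antivirus enumeration through the WMI securitycenter2 namespace and a lookup of the domain admins group, are not. The following is an added example (not from the Proofpoint report) that runs that logic over constructed process-creation records in a simplified Sysmon-style format; the record layout, field names, time window and threshold are assumptions to adapt to a real pipeline.

```python
"""Flag the fingerprinting-module command burst in process-creation telemetry.
Added example, not from the Proofpoint report. The record format, field names,
WINDOW and MIN_DISTINCT are assumptions chosen for illustration."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (simplified Sysmon Event ID 1 style). The first
# nine records mimic the module's command list; the rest are benign admin noise.
SAMPLE_LOG = r"""
2018-08-20T10:15:01Z host=WS01 ppid=4120 pimage=powershell.exe pid=5001 cmdline='cmd.exe /c systeminfo'
2018-08-20T10:15:02Z host=WS01 ppid=4120 pimage=powershell.exe pid=5002 cmdline='cmd.exe /c ipconfig /all'
2018-08-20T10:15:02Z host=WS01 ppid=4120 pimage=powershell.exe pid=5003 cmdline='cmd.exe /c netstat -f'
2018-08-20T10:15:03Z host=WS01 ppid=4120 pimage=powershell.exe pid=5004 cmdline='cmd.exe /c net view'
2018-08-20T10:15:04Z host=WS01 ppid=4120 pimage=powershell.exe pid=5005 cmdline='cmd.exe /c tasklist'
2018-08-20T10:15:04Z host=WS01 ppid=4120 pimage=powershell.exe pid=5006 cmdline='cmd.exe /c whoami'
2018-08-20T10:15:05Z host=WS01 ppid=4120 pimage=powershell.exe pid=5007 cmdline='cmd.exe /c net group "domain admins" /domain'
2018-08-20T10:15:06Z host=WS01 ppid=4120 pimage=powershell.exe pid=5008 cmdline='cmd.exe /c dir C:\Users\jdoe\Desktop'
2018-08-20T10:15:07Z host=WS01 ppid=4120 pimage=powershell.exe pid=5009 cmdline='cmd.exe /c wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,pathToSignedProductExe'
2018-08-20T10:31:10Z host=WS02 ppid=800 pimage=cmd.exe pid=6001 cmdline='ipconfig /all'
2018-08-20T10:38:42Z host=WS02 ppid=800 pimage=cmd.exe pid=6002 cmdline='whoami'
2018-08-20T10:40:00Z host=WS03 ppid=912 pimage=explorer.exe pid=7001 cmdline='tasklist'
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+ppid=(?P<ppid>\d+)\s+pimage=(?P<pimage>\S+)"
    r"\s+pid=(?P<pid>\d+)\s+cmdline='(?P<cmdline>[^']*)'$"
)
# Strip a "cmd.exe /c" wrapper so the patterns see the real command.
CMD_WRAPPER = re.compile(r"^cmd(?:\.exe)?\s+/[ck]\s+", re.I)

# One pattern per command in the report's list. Matching on the arguments, not
# just the image name, keeps plain "systeminfo"-style noise from dominating.
RECON_PATTERNS = {
    "systeminfo": re.compile(r"^systeminfo\b", re.I),
    "ipconfig_all": re.compile(r"^ipconfig\s+/all\b", re.I),
    "netstat_f": re.compile(r"^netstat\s+-f\b", re.I),
    "net_view": re.compile(r"^net\s+view\b", re.I),
    "tasklist": re.compile(r"^tasklist\b", re.I),
    "whoami": re.compile(r"^whoami\b", re.I),
    "domain_admins": re.compile(r'^net\s+group\s+"?domain admins"?\s+/domain\b', re.I),
    "desktop_listing": re.compile(r"^dir\s+.*\\Desktop\b", re.I),
    "av_enum": re.compile(
        r"^wmic\s+/namespace:\\\\root\\securitycenter2\s+path\s+antivirusproduct\b", re.I),
}
HIGH_SIGNAL = {"domain_admins", "av_enum"}  # rarely typed by hand: alert on their own
WINDOW = timedelta(seconds=60)               # burst window (assumption)
MIN_DISTINCT = 4                             # distinct recon commands needed to alert


def parse_events(log_text: str) -> list[dict]:
    """Parse the constructed records; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": m["host"], "ppid": int(m["ppid"]),
                       "pimage": m["pimage"], "pid": int(m["pid"]), "cmdline": m["cmdline"]})
    return events


def classify(cmdline: str) -> str | None:
    """Return the recon category a command line belongs to, or None."""
    cmd = CMD_WRAPPER.sub("", cmdline.strip(), count=1)
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def detect(events: list[dict], window=WINDOW, min_distinct=MIN_DISTINCT) -> list[dict]:
    """Group recon hits by (host, parent pid), slide a time window over each
    group and emit one alert per parent for its densest qualifying window."""
    by_parent: dict[tuple, list] = defaultdict(list)
    for ev in events:
        cat = classify(ev["cmdline"])
        if cat:
            by_parent[(ev["host"], ev["ppid"])].append((ev["ts"], cat, ev))
    alerts = []
    for (host, ppid), hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        best = None
        for i, (t0, _, first) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            cats = {h[1] for h in in_window}
            if len(cats) >= min_distinct or cats & HIGH_SIGNAL:
                if best is None or len(cats) > len(best["categories"]):
                    best = {"host": host, "parent_pid": ppid, "parent_image": first["pimage"],
                            "start": t0, "count": len(in_window),
                            "categories": sorted(cats), "high_signal": sorted(cats & HIGH_SIGNAL)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(f"{alert['host']} parent {alert['parent_image']}[{alert['parent_pid']}] at "
              f"{alert['start']:%H:%M:%S}: {alert['count']} recon commands, "
              f"high-signal={alert['high_signal']}")
```

The grouping key is the parent process, because the module runs the commands through child shells rather than in its own process; an admin who types `ipconfig /all` and `whoami` minutes apart stays below the distinct-command threshold, while the two high-signal commands alert on their own because there is little legitimate reason for an Office-spawned PowerShell to ask which antivirus is installed or who the domain admins are.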

The latest campaign uncovered by the experts employed a new version of the malware, tracked as PoshAdvisor, which was rewritten in PowerShell with a .NET DLL embedded inside the PowerShell script.

“While it remains to be seen whether this threat actor will continue to distribute AdvisorsBot, PoshAdvisor, or both in future campaigns, this pair of downloaders, with extensive anti-analysis features and increasingly sophisticated distribution techniques, warrant further investigation,” Proofpoint concludes.


Pierluigi Paganini

(Security Affairs – AdvisorsBot, malware)

