Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

AdvisorsBot Malware Downloader Discovered

Proofpoint security researchers have discovered a previously undocumented downloader that appeared in malicious email campaigns targeting hotels, restaurants, and telecommunications entities.

Proofpoint security researchers have discovered a previously undocumented downloader that appeared in malicious email campaigns targeting hotels, restaurants, and telecommunications entities.

The attacks, attributed to a threat actor tracked as TA555, are leveraging the downloader as a first-stage payload, to load a module performing fingerprinting of the targeted machine. Presumably, once a target of interest has been identified, additional modules are loaded onto the system.

Dubbed AdvisorsBot, the malware was first observed in May 2018. It is written in C and is under active development, Proofpoint says. In fact, the security firm has already observed malware versions completely rewritten in PowerShell and .NET.

The early command and control (C&C) domains used by the malware all contained the word “advisors,” hence the malware’s name.

Initially, the attacks leveraged macros to execute a PowerShell command that would fetch and run AdvisorsBot. In early August, the PowerShell command would download another PowerShell script to execute embedded shellcode that would run the downloader without writing it to disk, while the macro in the latest attacks fetched a PowerShell version of AdvisorsBot directly.

The threat includes anti-analysis features, such as the use of junk code, including extra instructions, conditional statements, and loops, to slow down reverse engineering. The x86 version of the malware contains significantly more junk code, Proofpoint security researchers have discovered.

AdvisorsBot can also detect various analysis tools and checks whether it is running on a virtual machine. More recent malware variants were improved with additional anti-analysis checks, the researchers say.

The threat communicates with the C&C server over HTTPS. The data it sends to the server includes information about the system, such as machine SID, CRC32 hash of the computer name, some unknown hardcoded values, and the Windows version.

Advertisement. Scroll to continue reading.

Commands from the C&C arrive via GET requests, but the malware only includes support for two commands at the moment. Based on that, it can either load a module or load a shellcode in a thread.

Only the system fingerprinting module was observed being sent from a C&C server. It can take screenshots, extract Microsoft Outlook account details, and run a series of system commands (including systeminfo, ipconfig /all, netstat –f, net view, tasklist, whoami, net group “domain admins” /domain, and dir %USERPROFILE%Desktop).

The most recent AdvisorsBot campaign employed a new version of the malware, rewritten using PowerShell and a .NET DLL embedded inside the PowerShell script. Tracked as PoshAdvisor, the malware is not an exact duplicate of AdvisorsBot, but is highly similar to it.

“While it remains to be seen whether this threat actor will continue to distribute AdvisorsBot, PoshAdvisor, or both in future campaigns, this pair of downloaders, with extensive anti-analysis features and increasingly sophisticated distribution techniques, warrant further investigation,” Proofpoint concludes.

Related: New Encrypted Downloader Delivers Metasploit Backdoor

Related: Kardon Loader Allows Anyone to Build a Distribution Network

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

Robert Shaker II has joined application security firm ActiveState as Chief Product and Technology Officer.

MorganFranklin Cyber has promoted Nick Stallone and Ferdinand Hamada into newly created roles.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.