Connect with us

Hi, what are you looking for?



AdvisorsBot Malware Downloader Discovered

Proofpoint security researchers have discovered a previously undocumented downloader that appeared in malicious email campaigns targeting hotels, restaurants, and telecommunications entities.

Proofpoint security researchers have discovered a previously undocumented downloader that appeared in malicious email campaigns targeting hotels, restaurants, and telecommunications entities.

The attacks, attributed to a threat actor tracked as TA555, are leveraging the downloader as a first-stage payload, to load a module performing fingerprinting of the targeted machine. Presumably, once a target of interest has been identified, additional modules are loaded onto the system.

Dubbed AdvisorsBot, the malware was first observed in May 2018. It is written in C and is under active development, Proofpoint says. In fact, the security firm has already observed malware versions completely rewritten in PowerShell and .NET.

The early command and control (C&C) domains used by the malware all contained the word “advisors,” hence the malware’s name.

Initially, the attacks leveraged macros to execute a PowerShell command that would fetch and run AdvisorsBot. In early August, the PowerShell command would download another PowerShell script to execute embedded shellcode that would run the downloader without writing it to disk, while the macro in the latest attacks fetched a PowerShell version of AdvisorsBot directly.

The threat includes anti-analysis features, such as the use of junk code, including extra instructions, conditional statements, and loops, to slow down reverse engineering. The x86 version of the malware contains significantly more junk code, Proofpoint security researchers have discovered.

AdvisorsBot can also detect various analysis tools and checks whether it is running on a virtual machine. More recent malware variants were improved with additional anti-analysis checks, the researchers say.

Advertisement. Scroll to continue reading.

The threat communicates with the C&C server over HTTPS. The data it sends to the server includes information about the system, such as machine SID, CRC32 hash of the computer name, some unknown hardcoded values, and the Windows version.

Commands from the C&C arrive via GET requests, but the malware only includes support for two commands at the moment. Based on that, it can either load a module or load a shellcode in a thread.

Only the system fingerprinting module was observed being sent from a C&C server. It can take screenshots, extract Microsoft Outlook account details, and run a series of system commands (including systeminfo, ipconfig /all, netstat –f, net view, tasklist, whoami, net group “domain admins” /domain, and dir %USERPROFILE%Desktop).

The most recent AdvisorsBot campaign employed a new version of the malware, rewritten using PowerShell and a .NET DLL embedded inside the PowerShell script. Tracked as PoshAdvisor, the malware is not an exact duplicate of AdvisorsBot, but is highly similar to it.

“While it remains to be seen whether this threat actor will continue to distribute AdvisorsBot, PoshAdvisor, or both in future campaigns, this pair of downloaders, with extensive anti-analysis features and increasingly sophisticated distribution techniques, warrant further investigation,” Proofpoint concludes.

Related: New Encrypted Downloader Delivers Metasploit Backdoor

Related: Kardon Loader Allows Anyone to Build a Distribution Network

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...