Proofpoint security researchers have discovered a previously undocumented downloader that appeared in malicious email campaigns targeting hotels, restaurants, and telecommunications entities.
The attacks, attributed to a threat actor tracked as TA555, are leveraging the downloader as a first-stage payload, to load a module performing fingerprinting of the targeted machine. Presumably, once a target of interest has been identified, additional modules are loaded onto the system.
Dubbed AdvisorsBot, the malware was first observed in May 2018. It is written in C and is under active development, Proofpoint says. In fact, the security firm has already observed malware versions completely rewritten in PowerShell and .NET.
The early command and control (C&C) domains used by the malware all contained the word “advisors,” hence the malware’s name.
Initially, the attacks leveraged macros to execute a PowerShell command that would fetch and run AdvisorsBot. In early August, the PowerShell command would download another PowerShell script to execute embedded shellcode that would run the downloader without writing it to disk, while the macro in the latest attacks fetched a PowerShell version of AdvisorsBot directly.
The threat includes anti-analysis features, such as the use of junk code, including extra instructions, conditional statements, and loops, to slow down reverse engineering. The x86 version of the malware contains significantly more junk code, Proofpoint security researchers have discovered.
AdvisorsBot can also detect various analysis tools and checks whether it is running on a virtual machine. More recent malware variants were improved with additional anti-analysis checks, the researchers say.
The threat communicates with the C&C server over HTTPS. The data it sends to the server includes information about the system, such as machine SID, CRC32 hash of the computer name, some unknown hardcoded values, and the Windows version.
Commands from the C&C arrive via GET requests, but the malware only includes support for two commands at the moment. Based on that, it can either load a module or load a shellcode in a thread.
Only the system fingerprinting module was observed being sent from a C&C server. It can take screenshots, extract Microsoft Outlook account details, and run a series of system commands (including systeminfo, ipconfig /all, netstat –f, net view, tasklist, whoami, net group “domain admins” /domain, and dir %USERPROFILE%Desktop).
The most recent AdvisorsBot campaign employed a new version of the malware, rewritten using PowerShell and a .NET DLL embedded inside the PowerShell script. Tracked as PoshAdvisor, the malware is not an exact duplicate of AdvisorsBot, but is highly similar to it.
“While it remains to be seen whether this threat actor will continue to distribute AdvisorsBot, PoshAdvisor, or both in future campaigns, this pair of downloaders, with extensive anti-analysis features and increasingly sophisticated distribution techniques, warrant further investigation,” Proofpoint concludes.
Related: New Encrypted Downloader Delivers Metasploit Backdoor
Related: Kardon Loader Allows Anyone to Build a Distribution Network