Researchers have discovered a new downloader, called AdvisorsBot, as part of an attack campaign aimed at telecom and hospitality companies
AdvisorsBot is a downloader recently discovered by ethical hacking experts that is being used as part of a phishing campaign specifically targeted to compromise telecom companies, restaurants and hotels. According to the investigators, this campaign might be linked to the malicious actor known as TA555, which uses this malware as a first-stage payload.
While AdvisorsBot is modular and contains command and control features (C&C), it has only been observed that malware actively sends fingerprint modules data, which it uses to identify potential victims, back to the C&C. In the last four months, ethical hacking specialists have identified three different variants of AdvisorsBot in attack campaigns; the latest version included a PowerShell version of the malware.
Malicious emails specifically crafted to attack certain industries
The secret to the success of this malware campaign is the use of malicious emails designed to get early response from the victims. For example, restaurants receive messages about food poisoning with attached reports of supposed doctors, while hotels receive messages about double service charges with accompanying credit statements. On the other hand, telecomm companies receive job applications with attached CVs.
If users interact with these files and enable Microsoft Word macros, AdvisorsBot downloads, fingerprints, and sends this data to the C&C server. This results in a greater range of success from a phishing attack with emails that make an extra effort to look legit.
Another concern around AdvisorsBot is the continuous development that it shows. As noted by specialists in ethical hacking, malware is in active development and you can also find versions of malware rewritten in PowerShell. In May and June, for example, documents attached to malicious mail contained PowerShell scripts to download AdvisorsBot. On August 8, the macro was modified to include a PowerShell command that downloaded another PowerShell script before downloading the malware.
In addition, AdvisorsBot uses unwanted code and the Windows API hashing function to evade the security scan. This continuous evolution means that successfully countering a version of AdvisorsBot does not ensure that we are safe from the next version of the malware.
AdvisorsBot Attack Prevention
Specialists in ethical hacking from the International Institute of Cyber Security recommend to the security teams of the companies to block certain IPs associated with AdvisorsBot (in specific 162.244.32.148 and 185.180.198.56), in addition to URLs like investments-advisors.idb, interactive-investments.idb, and real-estate-advisors.win.
Experts also recommend adopting an e-mail security approach that includes spam monitoring and control, external mail scanning, perimeter protection, and awareness-raising for end users so that they can identify possible phishing threats that end up with a AdvisorsBot infection.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.