AdvisorsBot Malware Utilized in Targeted Attacks on Restaurants and Hotels

August 30, 2018


Safety scientists at Proofpoint have noticed a new malware danger that is being utilized in targeted attacks on restaurants, hotels, and telecoms companies. AdvisorsBot malware, so named since its C&C servers have the word counselors, was first noticed in May 2018 in a range of spam electronic mail campaigns.

AdvisorsBot malware is under development even though the present form of the malware has been utilized in several attacks all over the globe, even though the majority of those attacks have been carried out in the United States. The spam campaigns are supposed to be carried out by a threat actor known to Proofpoint scientists as TA555.

AdvisorsBot isn’t linked to Marap malware, even though it operates in a similar way in that the malware is a first-stage payload which is utilized to fingerprint the sufferer and ascertain whether the target is of interest and worthy of a more broad compromise. Proofpoint notices that these malware variations are two instances of a growing tendency of highly versatile modular malware that can be utilized in a range of different attacks.

AdvisorsBot malware is written in C, even though another type of the malware has been recognized that has been written using PowerShell with a .NET DLL inside the PowerShell script. This type of the malware, which has been titled PoshAdvisor, and runs in the memory without writing any data to the disk.

The scientists note that these malware variations have several anti-analysis characteristics and can identify a range of different malware analysis tools and can decide if they are running on a virtual machine. If on a VM or malware analysis tools are noticed, the malware exists.

The spam electronic mails utilized to provide the malware contain a Word attachment with a macro that, if permitted to run, performs a PowerShell order that downloads a PowerShell script that executes inserted shellcode that runs AdvisorsBot.

Three different electronic mail traps have been identified, each of which aims a particular industry sector. While the campaign seems to be aimed, electronic mails have been delivered to targets unconnected to the content of the electronic mails which indicates a more random distribution of the electronic mails.

Hotels are being aimed with a message that claims to have been transmitted by a person who has earlier lodged at the hotel and has been charged two times for the stay. The electronic mail attachment seems to be a bank statement displaying the double charge.

The electronic mails aiming restaurants assert that the sender of the electronic mail visited the restaurant and experienced difficult, extreme food poisoning. The electronic mail attachment has details of illness and the view of a doctor, together with a threat of legal action.

The electronic mails aiming telecoms companies claim to be a resume sent in a speculative application for a job.