AdvisorsBot Malware Utilized in Targeted Attacks on Restaurants and Hotels

August 30, 2018

 

Security scientists at Proofpoint have found a new malware danger that is being used in directed attacks on restaurants, hotels, and telecoms companies. AdvisorsBot malware, so called since its C&C servers comprise the word advisors, was first noticed in May 2018 in a range of spam electronic mail promotions.

AdvisorsBot malware is under development even though the existing form of the malware has been used in several attacks all over the world, even though the majority of those attacks have been carried out in the United States. The spam campaigns are thought to be carried out by a threat actor known to Proofpoint scientists as TA555.

AdvisorsBot isn’t linked to Marap malware, even though it operates in a similar way in that the malware is a first-stage payload which is utilized to fingerprint the sufferer and identify whether the aim is of interest and worthwhile of a more broad compromise. Proofpoint notices that these malware variations are two instances of a rising tendency of extremely versatile modular malware that can be utilized in a range of different strikes.

AdvisorsBot malware is written in C, even though another type of the malware has been recognized that have been written using PowerShell with a .NET DLL in the PowerShell script. This type of the malware, which has been called PoshAdvisor, and runs in the memory without writing any data to the disk.

The scientists note that these malware variations have several anti-analysis characteristics and can identify a range of different malware analysis tools and can decide if they are running on a virtual machine. If on a VM or malware analysis tools are noticed, the malware exits.

The spam electronic mails used to provide the malware comprise a Word attachment with a macro that, if permitted to run, performs a PowerShell command that downloads a PowerShell script that performs inserted shellcode that runs AdvisorsBot.

Three different electronic mail lures have been found, each of which aims a particular industry sector. Although the campaign seems to be targeted, electronic mails have been sent to targets unconnected to the content of the electronic mails which indicates a more haphazard distribution of the electronic mails.

Hotels are being aimed with a message that asserts to have been sent by one who has earlier remained at the hotel and has been charged two times for the stay. The electronic mail attachment seems to be a bank statement displaying the double charge.

The electronic mails aiming restaurants claim that the sender of the electronic mail visited the restaurant and experienced complicated, dangerous food poisoning. The electronic mail attachment has details of disease and the opinion of a doctor, together with a warning of legal action.

The electronic mails aiming telecoms companies claim to be a resume sent in a speculative application for work.