Researchers discovered a new downloader, dubbed AdvisorsBot, as part of an attack campaign that uses malicious emails to target companies in the telecommunications and hospitality industries.

First observed by Proofpoint in May 2018, AdvisorsBot is a previously undocumented downloader that’s now appearing as part of a phishing campaign crafted specifically to compromise telecommunications companies, restaurants and hotels. According to Proofpoint, the campaign is likely the work of a threat actor known as TA555, who uses this malware as a first-stage payload.

While AdvisorsBot is modular and contains command-and-control (C&C) capabilities, Proofpoint has only observed the malware actively sending fingerprint module data — which it uses to identify potential targets — back to the C&C. Over the past four months, three separate AdvisorsBot variations have been used in attack campaigns; the latest iteration included an entirely PowerShell version of the malware.

Malicious Emails Highly Targeted to Specific Industries

Key to the success of this malware campaign is the use of malicious emails designed to elicit a response from targets. Restaurants receive messages about food poisoning with attached doctors’ reports, for example, while hotels are targeted with emails about double service charges with attached credit statements. Telecommunications companies, meanwhile, receive job application emails with resumes or CV attachments.

If users open these malicious attachments and enable Microsoft Word macros, AdvisorsBot downloads, fingerprints the system for potential interest to attackers and then sends this data to the C&C server. The result is an increased risk of phishing success with emails that go the extra mile to appear legitimate.

Another concern around AdvisorsBot is ongoing development. As noted by Proofpoint, the malware is “under active development and we have also further observed another version of the malware completely rewritten in PowerShell and .NET.” In May and June, for example, the malicious documents contained PowerShell scripts to download AdvisorsBot. On Aug. 8, the macro was modified to include a PowerShell command that downloaded another PowerShell script before downloading the malware.

In addition, AdvisorsBot uses junk code and Windows application programming interface (API) function hashing to evade security analysis. This continual evolution means that successfully countering one version of AdvisorsBot may not ensure defense against the next.

How to Avoid AdvisorsBot

According to the IBM X-Force Exchange advisory for this threat, security teams should block specific IPs (162.244.32.148 and 185.180.198.56) associated with AdvisorsBot, along with URLs such as investments-advisors.bid, interactive-investments.bid and real-estate-advisors.win.

IBM experts also recommend adopting a layered approach to email security that includes spam control and monitoring, external mail scanning, perimeter protection, and training for end users to avoid common phishing attack techniques — such as the highly targeted malicious emails that precede AdvisorsBot infections.

Source: Proofpoint

More from

Securing Your SAP Environments: Going Beyond Access Control

Many large businesses run SAP to manage their business operations and their customer relations. Security has become an increasingly critical priority due to the ongoing digitalization of society and the new opportunities that attackers exploit to achieve a system breach. Recent attacks related to corrupt data, stealing personal information and escalating privileges for remote code execution all highlight the new and varied entry points threat actors have taken advantage of. Attackers with the appropriate skills could be able to exploit…

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

Abuse of Privilege Enabled Long-Term DIB Organization Hack

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization’s enterprise network. During that time frame, advanced persistent threat (APT) adversaries used an open-source toolkit called Impacket to breach the environment and further penetrate the organization’s network. Even worse, CISA reported that multiple APT groups may have hacked into the organization’s network. Data breaches such as these are almost always the result of compromised endpoints…