Hotels, restaurants, and telecommunications companies are being targeted by a new spam email campaign that delivers a new form of malware called AdvisorsBot. AdvisorsBot is a malware downloader which, like many strains of malware, is distributed via spam emails carrying Microsoft Word attachments with malicious macros.
Opening the infected email attachment and enabling macros on the document installs AdvisorsBot. AdvisorsBot’s main role is to fingerprint the infected device. The information obtained on the infected device is then sent to the threat actors’ command and control servers, and additional instructions are given to the malware based on what was gathered about the system. The malware records system data, details of programs installed on the device, Office account details, and other data. It is also able to take screenshots on an infected device.
AdvisorsBot is so named because the early samples of the malware, first discovered in May 2018, contacted command and control servers whose names included the word advisors.
The spam email campaign is mainly aimed at targets in the United States, although infections have been detected worldwide. Several thousand devices have been infected with the malware since May, according to the security researchers at Proofpoint who discovered the new threat. The threat actors thought to be behind the attacks are an APT group known as TA555.
Various email lures are being used in this campaign to get recipients to open the infected attachment and enable macros. The emails sent to hotels appear to come from individuals who have been charged twice for their stay. The emails sent to restaurants claim that the sender suffered food poisoning after eating at a particular location, while the attacks on telecommunications firms use email attachments that appear to be resumes from job applicants.
AdvisorsBot is written in C, but a second form of the malware has also been discovered that is written in .NET and PowerShell. The second variant has been named PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs a PowerShell command; that command fetches a PowerShell script which executes shellcode, loading the malware into memory without ever writing it to disk.
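The macro-to-PowerShell-to-memory chain described above leaves a reliable trace on the endpoint even when nothing touches disk: an Office host process spawning PowerShell, usually with a hidden window and an encoded or profile-less command line. The following is an added detection example, not code from Proofpoint or from this article. It scores process-creation events for that parent/child relationship and for loader-style arguments. The events are constructed JSON lines whose field names (Image, ParentImage, CommandLine, ProcessId) are modelled on Sysmon Event ID 1; the base64 blob in the sample is a constructed placeholder, not real malware content, and the list of Office host names and argument patterns is an illustrative starting point rather than a complete signature set.

```python
import json
import re

# Office host processes whose child PowerShell instances warrant scrutiny.
# Illustrative list (assumption); extend it for your environment.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_BINARIES = {"powershell.exe", "pwsh.exe"}

# Command-line traits typical of script-based, in-memory loaders.
# Generic hygiene indicators, not a signature for any specific sample.
SUSPICIOUS_ARGS = [
    re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I),   # encoded command
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),       # hidden window
    re.compile(r"-nop\b|-noprofile\b", re.I),              # skip profile
    re.compile(r"IEX|Invoke-Expression|DownloadString|FromBase64String", re.I),
]


def basename(path):
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one process-creation event dict."""
    reasons = []
    child = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if child not in POWERSHELL_BINARIES:
        return 0, reasons
    if parent in OFFICE_HOSTS:
        reasons.append(f"powershell spawned by office host {parent}")
    for pat in SUSPICIOUS_ARGS:
        if pat.search(cmd):
            reasons.append(f"suspicious argument matched /{pat.pattern}/")
    return len(reasons), reasons


def detect(lines, threshold=2):
    """Parse JSON lines and return the events meeting the alert threshold."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the sweep
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"pid": event.get("ProcessId"),
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample log: one benign Word launch, one Office-spawned
# PowerShell with loader-style arguments, one admin-run script, one cmd.exe.
# The -enc payload is a constructed placeholder (UTF-16LE "AAAA"), not malware.
SAMPLE_LOG = r"""
{"ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"WINWORD.EXE\" /n invoice.docm"}
{"ProcessId": 4388, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="}
{"ProcessId": 5012, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"}
{"ProcessId": 5230, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "cmd.exe /c echo hi"}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT pid={alert['pid']} score={alert['score']}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

Run against the constructed sample, only the Word-spawned PowerShell (pid 4388) crosses the threshold; the administrator's scheduled script, launched from Explorer with a plain `-File` argument, scores zero. The threshold of two means neither a lone Office parent nor a lone `-noprofile` flag alerts by itself, which keeps the rule usable on hosts where legitimate add-ins occasionally call PowerShell.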
These malware threats are still under development and are typical of many recent malware families, which offer a wide variety of capabilities and the versatility to be used for many different types of attack, such as information stealing, ransomware delivery, and cryptocurrency mining. The malicious actions carried out are determined by the system on which the malware has landed. If that system is well suited to mining cryptocurrency, the relevant code will be downloaded. If the business is of particular interest, it will be earmarked for a more thorough compromise.
The best defense against this campaign is an advanced spam filtering solution to stop the emails from being delivered, combined with security awareness training so that employees know how to respond when such a threat arrives in their inbox.