Malicious emails use AdvisorsBot to compromise attacked companies

Share this…

Researchers have discovered a new downloader, called AdvisorsBot, as part of an attack campaign aimed at telecom and hospitality companies

AdvisorsBot is a downloader recently discovered by ethical hacking experts that is being used as part of a phishing campaign specifically targeted to compromise telecom companies, restaurants and hotels. According to the investigators, this campaign might be linked to the malicious actor known as TA555, which uses this malware as a first-stage payload.

While AdvisorsBot is modular and contains command and control features (C&C), it has only been observed that malware actively sends fingerprint modules data, which it uses to identify potential victims, back to the C&C. In the last four months, ethical hacking specialists have identified three different variants of AdvisorsBot in attack campaigns; the latest version included a PowerShell version of the malware.

Malicious emails specifically crafted to attack certain industries

The secret to the success of this malware campaign is the use of malicious emails designed to get early response from the victims. For example, restaurants receive messages about food poisoning with attached reports of supposed doctors, while hotels receive messages about double service charges with accompanying credit statements. On the other hand, telecomm companies receive job applications with attached CVs.

If users interact with these files and enable Microsoft Word macros, AdvisorsBot downloads, fingerprints, and sends this data to the C&C server. This results in a greater range of success from a phishing attack with emails that make an extra effort to look legit.

Another concern around AdvisorsBot is the continuous development that it shows. As noted by specialists in ethical hacking, malware is in active development and you can also find versions of malware rewritten in PowerShell. In May and June, for example, documents attached to malicious mail contained PowerShell scripts to download AdvisorsBot. On August 8, the macro was modified to include a PowerShell command that downloaded another PowerShell script before downloading the malware.

In addition, AdvisorsBot uses unwanted code and the Windows API hashing function to evade the security scan. This continuous evolution means that successfully countering a version of AdvisorsBot does not ensure that we are safe from the next version of the malware.

AdvisorsBot Attack Prevention

Specialists in ethical hacking from the International Institute of Cyber Security recommend to the security teams of the companies to block certain IPs associated with AdvisorsBot (in specific and, in addition to URLs like investments-advisors.idbinteractive-investments.idb, and

Experts also recommend adopting an e-mail security approach that includes spam monitoring and control, external mail scanning, perimeter protection, and awareness-raising for end users so that they can identify possible phishing threats that end up with a AdvisorsBot infection.