Versatile New AdvisorsBot Malware Threat Distributed Through Spam Email

Hotels, restaurants, and telecommunications businesses are being targeted in a new spam email campaign that distributes a new malware variant called AdvisorsBot. AdvisorsBot is a malware downloader which, like many malware variants, is being spread via spam emails carrying Microsoft Word attachments with malicious macros.

Opening the malicious email attachment and enabling macros in the document results in AdvisorsBot being downloaded. AdvisorsBot's main role is to fingerprint the infected device. The information collected on the infected device is sent to the threat actors' command and control servers, and further instructions are issued to the malware based on what was learned about the system. The malware records system data, details of programs installed on the device, Office account details, and other information. It is also able to capture screenshots on an infected device.

AdvisorsBot is so named because the early samples of the malware, first discovered in May 2018, contacted command and control servers whose domain names contained the word "advisors".

The spam email campaign is mainly directed at targets in the United States, although infections have been discovered around the world. Many thousands of devices have been infected with the malware since May, according to the security researchers at Proofpoint who discovered the new threat. The threat actors believed to be responsible for the attacks are an APT group known as TA555.

Many different email lures are being used in this campaign to get recipients to open the malicious attachment and enable macros. The emails sent to hotels appear to come from guests who have been charged twice for their stay. The campaign against restaurants uses emails claiming that the sender suffered food poisoning after eating at a particular establishment, while the attacks on telecommunications companies use attachments that look like resumes from job applicants.

AdvisorsBot was developed in C, but a second form of the malware, written in .NET and PowerShell, has also been detected. This second variant has been named PoshAdvisor. PoshAdvisor is launched by a malicious macro that runs a PowerShell command; that command installs a PowerShell script which executes shellcode, running the malware in memory without ever writing it to disk.
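Because the PoshAdvisor chain starts with a Word macro spawning PowerShell, one practical detection is to watch process-creation telemetry for PowerShell whose parent is an Office application. The script below is an added example, not code from the article or from Proofpoint's research; the log format, the field names (parent_image, image, command_line) and the sample lines are all constructed for illustration.

```python
"""Flag Office-spawned PowerShell in process-creation logs.

Added example, not from the original article or the Proofpoint research.
The ' | '-separated key=value line format and the field names
parent_image, image and command_line are assumptions, not any real
product's schema; adapt parse_event() to your own telemetry.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Arguments typical of macro-launched PowerShell (hidden window,
# no profile, encoded command, in-memory execution); case-insensitive.
SUSPICIOUS_ARGS = re.compile(
    r"-(enc|encodedcommand|nop|noprofile|w(indowstyle)?\s+hidden"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b"
    r"|\biex\b|invoke-expression|downloadstring|frombase64string",
    re.IGNORECASE,
)

def parse_event(line):
    """Parse 'key=value' fields separated by ' | ' into a dict."""
    event = {}
    for field in line.split(" | "):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event

def is_office_spawned_powershell(event):
    """True when an Office process is the direct parent of PowerShell."""
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    child = event.get("image", "").lower().rsplit("\\", 1)[-1]
    return parent in OFFICE_PARENTS and child in SCRIPT_HOSTS

def score_event(event):
    """0 = benign, 1 = Office->PowerShell, 2 = plus suspicious arguments."""
    if not is_office_spawned_powershell(event):
        return 0
    if SUSPICIOUS_ARGS.search(event.get("command_line", "")):
        return 2
    return 1

# Constructed sample telemetry, not real events from the campaign.
SAMPLE_LOG = [
    "parent_image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE | image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | command_line=powershell.exe -nop -w hidden -enc QUJD",
    "parent_image=C:\\Windows\\explorer.exe | image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | command_line=powershell.exe Get-Process",
    "parent_image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE | image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | command_line=powershell.exe -Command Get-Date",
]

def find_alerts(lines):
    """Return (line_index, score) for every event that scores above 0."""
    alerts = []
    for i, line in enumerate(lines):
        score = score_event(parse_event(line))
        if score:
            alerts.append((i, score))
    return alerts
```

A score of 1 still deserves review in most environments, since Office applications rarely have a legitimate reason to launch PowerShell.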

These malware threats are still under development and are typical of recent malware, which tends to combine a wide range of capabilities with the versatility to be used for many different types of attack, such as information stealing, ransomware delivery, and cryptocurrency mining. The malicious actions carried out are chosen based on the system on which the malware has landed. If a system is well suited to mining cryptocurrency, the relevant code will be downloaded. If the company is of particular interest, it will be earmarked for a more thorough compromise.

The best defense against this campaign is an advanced spam filtering solution to stop the emails from reaching inboxes, combined with security awareness training so that employees know how to respond when such a threat does land in their inbox.


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth has a focus on data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone.