AdvisorBot downloader in malware campaign targeting hotels, restaurants, and telecommunications

News by Rene Millman

Security researchers have warned of a new downloader malware currently being used in campaigns against organisations in the restaurants, hotels and telecommunications industries.

Security researchers have warned of a new downloader malware currently being used in campaigns against organisations in the restaurants, hotels and telecommunications industries.

Dubbed Advisorbot, the maware has appeared in many small campaigns since May. These campaigns have been linked from two previous actors Proofpoint have researched.

In a blog post, researchers said the campaigns have used several themes in the email lures. The first is a "double charge" lure that appears to target hotels. The second is a "food poisoning" lure for restaurant targeting. The third is a "resume" lure that targets telecommunications organisations.

"While we did observe targeting leaning towards hotels, restaurants, and telecommunications industries, we found that these campaigns were not as well-targeted as the lures might imply, with many messages going to targets unrelated to the contents of the lure," said researchers.

When a victim clicked on the document, contained macros executed a PowerShell command to download and execute AdvisorsBot. But in a campaign in early August, tactics shifted, instead they used a macro to execute a PowerShell command that in turn downloaded another PowerShell script. This script executed embedded shellcode that ran AdvisorsBot without writing it to disk.

There was a further shift when malware authors made a major change with the macro instead downloading and executing a PowerShell version of AdvisorsBot that they called PoshAdvisor.

After the malware has downloaded and executed, it uses HTTPS to communicate with the C&C server. In the requests from the bot to the C&C, URIs contain encoded data that are used to identify a victim.

The malware also uses several anti-analysis techniques, such as using junk code, such as extra instructions, conditional statements, and loops, to considerably slow down reverse engineering.

"Most strings are stored as "stack strings" in which the characters of the string are manually pushed onto stack memory with individual instructions. This makes it more difficult to quickly see the strings the malware uses," said researchers.

There is also a Windows API function hashing, which hinders identification of the malware’s functionality.

AdvisorBot also takes a CRC32 hash of the system’s volume serial number and each running process name and compares them to a list of hardcoded hash values. If it finds a match, the malware exits.

Researchers also saw a system fingerprinting module being sent from a C&C server.This module takes a screenshot and base64 encodes it, extracts Microsoft Outlook account details, and runs an assortment of other various commands.

They said that while it remains to be seen whether this threat actor will continue to distribute AdvisorsBot, PoshAdvisor, or both in future campaigns, this pair of downloaders, with extensive anti-analysis features and increasingly sophisticated distribution techniques, warrant further investigation.

"AdvisorsBot, along with another similar but unrelated malware that we detailed last week, point to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise," the researchers said.

Paul Ducklin, senior technologist at Sophos, told SC Media UK that the malware relies on an old but effective trick.

"You open a document, and you see a cover page with a believable-looking image that says you need to click the [Enable Content] button that appears above in order to see what it contains. Sounds kind of reasonable at first sight - after all, it's the content you want to see," he said.

"But if you look carefully at that [Enable Content] button, it's part of a bright yellow popup bar at the top of the page, shown by Word itself, that starts with the text "Security Warning. "Heed that warning! The "content" you are about to enable isn't text, it's a bunch of so-called macros, a jargon term for "embedded software program that can do pretty much anything it likes."

Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that bad agents are clearly going the extra mile to get a foothold into users’ systems. "Their motivations are not clear at this time as there is only a downloader and no malicious payload," he said.

"It is not exceptional to see loader propagating before actual payload – it allows attackers to test and fine-tune their infection and evasive features and prepare for something bigger which might be a sledgehammer to cause maximum impact in the shortest amount of time and potentially create chaos, or it might be a more stealthy approach where they handpick the victims."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews