
AdvisorsBot

Posted: August 27, 2018

AdvisorsBot is a Trojan downloader that runs configurable modules for attacking infected PCs. Besides its threat actor's emphasis on data collection from industry-specific targets, AdvisorsBot is unusual for the thorough anti-detection and anti-analysis features it includes, and for the existence of a variant, PoshAdvisor. Always keep anti-malware products available and updated for detecting and removing AdvisorsBot when appropriate.

A Trojan Advisor in Two Languages

A moderately unusual Trojan downloader has been noted in a series of attacks against multiple industries since May 2018, continuing through June and August. The attack functions that AdvisorsBot wields against PC users are unremarkable, but more of its 'beneath the hood' characteristics set it apart from similar Trojans like the spyware-focused QuantLoader, the South Korea-themed Swort, or the recent AZORult and Marap. Although there are several versions of AdvisorsBot, including a major branch written in a separate programming language, malware experts find no changes in how its threat actor uses it: to gather system data and then use that information to determine which attack modules the program should run.

Depending on the version in question, AdvisorsBot may run in memory without installing anything to the disk, or the script may drop it into the file system like a standard program. The oldest builds of AdvisorsBot are written in C, while a fork, dubbed 'PoshAdvisor' by the AV company Proofpoint, includes most of the same functionality but redone in PowerShell scripts. All infection vectors that malware experts can tie to the AdvisorsBot campaign use spam e-mails as their preferred infection method.

AdvisorsBot includes no more than two attack-oriented commands: one for loading a module, and one for loading shellcode into a thread. At least one of its modules includes some limited spyware features associated with compromising Outlook accounts, as well as additional system data-harvesting support for customizing which attack modules AdvisorsBot loads later. However, malware analysts find AdvisorsBot's anti-detection features more significant because of their thoroughness and sophistication. Some examples of these defenses include:

  • AdvisorsBot may auto-terminate itself in a virtual environment (a typical trait of threat analysis systems).
  • AdvisorsBot includes numerous instances of dummy code, or functions that obscure the Trojan's purpose without hindering its execution.
  • AdvisorsBot disguises its C&C network traffic by several means, including XOR encryption and misleading file extensions on its data requests.

Advising a Safe Getaway from the Latest Trojan Assaults

The AdvisorsBot campaign is, not surprisingly, using spam e-mails with contents tailored to many of the industries it attacks, including food poisoning themes for restaurants, billing issues for hotel chains, and resumes for telecommunications companies. However, not all victims necessarily match the thematically appropriate profile. Malware experts are only finding cases of AdvisorsBot installing itself with the help of additional, attached documents that use corrupted macros, although there are some discrepancies between scenarios, in which other exploits might be in use for finalizing the infection.

Modern versions of Microsoft Office disable macros by default for your safety. Users should remain hesitant about enabling macros for downloads that aren't from trusted sources, and for any files that haven't undergone appropriate scanning by threat analysis tools. Updating your anti-malware products also is essential for maximizing their chances of detecting threatening software with this degree of code obfuscation and deleting AdvisorsBot before it downloads any other threats.
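Because the campaign relies on victims enabling macros in attached documents, the safe default described above is worth verifying rather than assuming. The following PowerShell audit is an added example, not part of the original article: it reads the Office Trust Center macro settings from the registry (documented Microsoft value names; the application list and Office version numbers are assumptions for a typical desktop) and flags any application left at "enable all macros".

```powershell
# Added example, not from the original article: audit the Office macro
# settings that the article's advice depends on. Registry locations and
# value meanings are Microsoft's documented Trust Center settings; the app
# list and Office versions are assumptions for a typical desktop.
$apps     = 'Word', 'Excel', 'PowerPoint'
$versions = '16.0', '15.0'      # Office 2016/2019/365 and Office 2013

# VBAWarnings: 1 = enable all, 2 = disable with notification (default),
# 3 = disable except digitally signed, 4 = disable all without notification.
$vbaMeaning = @{ 1 = 'enable all (unsafe)'; 2 = 'disable, notify (default)';
                 3 = 'disable unless signed'; 4 = 'disable all' }

function Get-MacroSetting {
    param([string]$Version, [string]$App)
    # A Group Policy value takes precedence over the user's Trust Center choice.
    $candidates = @(
        @{ Source = 'Policy'; Path = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security" },
        @{ Source = 'User';   Path = "HKCU:\Software\Microsoft\Office\$Version\$App\Security" }
    )
    foreach ($c in $candidates) {
        if (-not (Test-Path $c.Path)) { continue }
        $props = Get-ItemProperty -Path $c.Path
        if ($null -ne $props.VBAWarnings) {
            $vba   = [int]$props.VBAWarnings
            $block = [int]($props.blockcontentexecutionfrominternet)   # $null -> 0
            return [pscustomobject]@{
                App = $App; Version = $Version; Source = $c.Source
                VBAWarnings = $vba; Meaning = $vbaMeaning[$vba]
                InternetBlockSet = ($block -eq 1)   # explicit "block macros from the internet" flag
                Risky = ($vba -eq 1)
            }
        }
    }
    # No explicit value: Office falls back to its default, "disable with notification".
    [pscustomobject]@{ App = $App; Version = $Version; Source = 'Default'
                       VBAWarnings = 2; Meaning = $vbaMeaning[2]
                       InternetBlockSet = $false; Risky = $false }
}

$report = foreach ($v in $versions) { foreach ($a in $apps) { Get-MacroSetting -Version $v -App $a } }
$report | Format-Table -AutoSize

# Anything left at "enable all" runs the macro in a spam attachment without asking.
$report | Where-Object Risky | ForEach-Object {
    Write-Warning "$($_.App) $($_.Version): macros enabled for all documents ($($_.Source))"
}
```

Run it in the user's own session, since the settings live under HKCU; a 'Policy' source with VBAWarnings set to 3 or 4 is the configuration that defeats a macro-laden attachment even if the user clicks through.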

For the victim, the impact of AdvisorsBot is not much greater or less than that of any other Trojan downloader. However, AdvisorsBot also is a noteworthy high mark for how far criminals with some programming talent are willing to go to achieve their aims, even if it requires rewriting an entire program.
