Hotels, restaurants, and telecommunications businesses are the focus of a new spam email campaign that broadcasts a new form of malware titled AdvisorsBot. AdvisorsBot is a malware downloader which, like many malware variants, is being sent using spam emails containing Microsoft Word attachments with malicious macros.

Clicking on an infected email attachment and enabling macros on the document will allow the Advisorsbot to be downloaded. The software’s main role is to carry out fingerprinting on an infected device. Information will be gathered on the infected device is then sent to the threat actors’ command and control servers and further instructions are supplied to the malware based on the data gathered on the system. The malware records system information, details of programs downloaded to the device, Office account details, and other data. It can also capture screenshots on an infected device.

It has been given the title ‘AdvisorsBot’ due to the early samples of the malware that were first discovered in May 2018 which contacted command and control servers that included the word advisors.

The spam email campaign is mainly being aimed at targets in the United States, although infections have been seen globally. Several thousands of devices have been affected with the malware since May, according to the security researchers at Proofpoint who identified the new malware threat. The threat actors thought to be behind the attacks are a APT group called TA555.

Various email traps are being used in this malware campaign to encourage the recipients to open the infected attachment and turn on macros. The emails shared with hotels appear to be from individuals who have been doubly charged for their stay. The campaign targeting restaurants uses emails which claim that the sender has suffered food poisoning after eating in a particular establishment, while the campaign targeting attacks on telecommunications companies use email attachments that seem to be resumes from job applicants.

AdvisorsBot is programmed using C, but a second form of the malware has also been detected that is programmed in .NET and PowerShell. The second variant has been labelled PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs a PowerShell command that installs a PowerShell script which executes shellcode that enables the malware in the memory without writing it to the disk.

These malware threats are still under development and are common to many recent malware threats which have a wide range of capabilities and the versatility to be used for various types of attack such as data stealing, ransomware delivery and cryptocurrency mining. The malicious actions carried out are determined based on the system on which the malware has been downloaded. If that system is perfectly suited for mining cryptocurrency, the relevant code will be downloaded. If the business is of particular interest, it will be earmarked for a more thorough compromise.

The action to take in order to guard against this campaign is the deploy an advanced spam filtering solution to stop the emails from being delivered and security awareness training for employees to condition them how to respond when such a threat is received to their inbox.