Hotels, restaurants, and telecommunications businesses are being targeted with a new hacking email campaign that delivers a new form of malware called AdvisorsBot. AdvisorsBot is a malware installer which, like many malware variants, is being distributed using spam emails containing Microsoft Word attachments with malicious macros.

Clicking on an infected email attachment and enabling macros on the document will see Advisorsbot installed. Advisorsbot’s primary aim is to complete fingerprinting on an infected device. Data will be gathered on the infected device is then communicated to the threat actors’ command and control servers and further instructions are given to the malware based on the data gathered on the system. The malware records system data, details of programs installed on the device, Office account details, and other details. It is also able to capture screenshots on an infected device.

AdvisorsBot malware is so titled because the early examples of the malware that were first seen on May 2018 contacted command and control servers that contained the word advisors.

The spam email campaign is mainly being conducted on targets in the U.S., although infections have been detected worldwide. Several thousands of devices have been infected with the malware since May, according to the security experts at Proofpoint who discovered the new malware threat. The threat actors thought to be behind the attacks are a APT group known as TA555.

Various email lures are being implemented in this malware campaign to get the recipients to open the infected attachment and turn on macros. The emails sent to hotels seem to be from people who have been charged twice for their stay. The campaign on restaurants uses emails which say that the sender has suffered food poisoning after eating in a particular establishment, while the attacks on telecommunications firms use email attachments that seem to be resumes from job applicants.

AdvisorsBot is coded in C, but a second form of the malware has also been seen that is written in .NET and PowerShell. The second variant has been called PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs PowerShell command that installs a PowerShell script which executes shellcode that runs the malware in the memory without writing it to the disk.