AdvisorsBot Downloader

Security researchers have discovered a new C-based downloader trojan known as AdvisorsBot targeting governmental, telecommunications and leisure organisations.

AdvisorsBot is being distributed through large-scale spam campaigns using several different lure documents. These documents contain malicious macros that execute a PowerShell script to download and install AdvisorsBot.

Once installed, AdvisorsBot has much of the same functionality as the Marap downloader, including collecting user and system information before connecting to a command and control server.

An alternate version of AdvisorsBot, known as PoshAdvisor, also exists. Rewritten in PowerShell and .NET, it has the same functionality as AdvisorsBot.

Like most modern malware, AdvisorsBot employs a number of anti-analysis features. One of the most effective is the use of junk code–such as extra instructions, conditional statements, and loops–to considerably slow down reverse engineering.

Read a full report on this here

Indicators Of Compromise

IP Addresses

• 162.244.32[.]148
• 185.180.198[.]56

URLs

• 162.244.32.185/jquery[.]js
• 204.155.31.167/bootstrap[.]css
• chklink.us/upd[.]bin
• finance-advisors-ca.bid/ldr[.]bin
• interactive-investments[.]bid
• investments-advisors[.]bid
• real-estate-advisors[.]win
• secur-real-estate[.]bid

SHA256 File Hashes

• 1eb1ef64a9b41267e362597e071e181acb86b50e708ede4a9448689da7fb2425
• 2a27d7ad1f16c90767e1cf98c92905aa5a3030a268c8206462c5215a87d0e132
• 335229e528c6348a3dc5941c434dc67acb031f297d9ac25e53a2a56d3df3e255
• 34a2fc4eb718a8b13a44cfb851ccac6cf63e54fe7e7ab145a5bdeb6def2d4620
• 6d73bea291bf6114af8333031187ac05fdfc8afe05025b272f510a6977b2153e
• 956eae6395ed5e1b2d49ffa08ff85b42d1fc210531ab9c48c2d76e6ee38c9781
• 9dd12d3a32d2ba133bac8747f872f649b389a9cf3f4baaa9fad69a43d2e4f982
• c659b00a65a574a08fff64662581a8ecae7eafa38850a6c7c19b88c2085a1c03
• ee32c4e0a4b345029d8b0f5c6534fa9fc41e795cc937d3f3fd743dcb0a1cea35
• fdf5072b904ba9148d8b98e4ba01987e644449e2b10f033ca4d2f967dc502a58