Last week Proofpoint researchers presented a malware discovery dubbed Marap, which attacked banks and other finance-related companies via millions of bogus email messages (similar to Locky ransomware). The registered features of the Marap ("param" reversed) virus closely resembled Trojan activity, because after infection it would download further modules and payloads. What was interesting is that Marap had a fingerprinting module which allowed it to explore and recognize the infected machine and later bring in the most suitable payloads depending on the situation.
However, Marap is not the only one with such characteristics: this week the same Proofpoint researchers found another virus that uses a fingerprinting module, called AdvisorsBot. AdvisorsBot, as mentioned in the article, is a very flexible and adaptive threat that can adjust to the victim's system and get the most out of the infected PC by downloading various payloads and different modules after the infection. This is only achievable with the help of the so-called fingerprinting module, which allows taking screenshots of the user's screen and encoding them with base64, gathering MS Outlook account data, identifying the victim by the machine's SID and CRC32 names, and so on. This adaptive AdvisorsBot malware can potentially get as vicious as the multi-vector attack in Alaska we wrote about before.
On top of that, the AdvisorsBot virus uses HTTPS (an encrypted connection) to report back to the C2 (Command and Control) servers with encoded information about the user, giving the developers details about the victim. Furthermore, to make it harder for security researchers to figure out the threat's functions (the Windows APIs it calls), the AdvisorsBot malware creators added extra nonsense syntax, loops and conditional statements that make the original code harder to read.
Interestingly enough, the AdvisorsBot virus first appeared back in May 2018, and the newest variants are very different from the original threat because of the rapid development the hackers have been working on over the past couple of months. After thorough analysis of the payload, the newest variant turned out to be rewritten in PowerShell and .NET, giving it the new name "PoshAdvisor". Additionally, PoshAdvisor demonstrated an added anti-analysis feature, intended to blacklist virus researchers' computers, which were recognized by matching the machine's SID against data gathered from profiling sandboxes and the like.
Apart from having such versatile characteristics, AdvisorsBot and its variants have demonstrated a very clever, socially engineered infection method, spreading via emails. Instead of going after only ordinary users, as most malware does, the AdvisorsBot virus targets hotels, restaurants, and telecommunication-sector companies. This was determined from the 3 different emails that were sent out and resulted in AdvisorsBot infections. The bogus messages contained various malicious attachments such as Zip archives, PDF files, MS Word files (containing dangerous macros) and MS Excel sheets containing ".iqy" files, which after launching would install the malware.
Hotels would get an email from crooks saying that they were overcharged and would like the administration to cancel the payment from the card whose details are in the attached file, which needs to be opened. Restaurants, however, would receive a message saying that recent customers got food poisoning, so the senders are filing a lawsuit and attaching the hospital report proving that they were officially sick, which needs to be reviewed by the restaurant's managers. And lastly, the telecom companies would simply receive an applicant's resume (CV/resume.doc) for an open position. Although malspam/phishing is nothing new in the malware world, people are still falling for it.
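The lures above all hinge on an attachment the recipient is expected to open, and the ".iqy" variant is the least familiar one: an Excel Web Query file is plain text that tells Excel to fetch a remote URL when it is opened. The following mail-triage script is an added example, not code from the original post or from Proofpoint; it parses a constructed sample message built around the hotel "overcharge" lure, extracts the URL an .iqy attachment would pull, and flags the other attachment types the campaign used. The sender, recipient, URL and filenames are made up for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types named in the campaign (zip, PDF, Word with macros, Excel/.iqy).
RISKY_EXTENSIONS = {".iqy", ".zip", ".doc", ".docm", ".xls", ".xlsm", ".pdf"}

URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def parse_iqy(data: bytes):
    """Parse an Excel Web Query (.iqy) file and return the remote URLs it would fetch.

    The format is plain text: a header line "WEB", a version line ("1"), then a URL
    line, optionally followed by parameter lines such as Selection=EntirePage.
    Excel fetches that URL when the file is opened, which is what makes the
    attachment a download vector.
    """
    text = data.decode("utf-8", errors="replace")
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines or lines[0].upper() != "WEB":
        return []
    return [line for line in lines[1:] if URL_RE.match(line)]


def triage_message(raw: bytes):
    """Return subject, sender and a finding per attachment worth blocking or detonating."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext == ".iqy":
            findings.append({"filename": name, "reason": "excel-web-query",
                             "urls": parse_iqy(payload)})
        elif ext in RISKY_EXTENSIONS:
            findings.append({"filename": name, "reason": "risky-attachment-type",
                             "urls": []})
    return {"subject": msg["Subject"], "from": msg["From"], "findings": findings}


def build_sample_message() -> bytes:
    """Constructed sample: a hotel 'overcharge' lure carrying an .iqy attachment."""
    msg = EmailMessage()
    msg["From"] = "guest@example.invalid"          # constructed sender
    msg["To"] = "frontdesk@hotel.example"          # constructed recipient
    msg["Subject"] = "Overcharge on my card - please cancel payment"
    msg.set_content("Please see the attached card details and cancel the charge.")
    # Constructed .iqy body; the URL is a placeholder in the reserved .invalid TLD.
    iqy_body = b"WEB\r\n1\r\nhttp://payload.example.invalid/card_details\r\n"
    msg.add_attachment(iqy_body, maintype="application", subtype="octet-stream",
                       filename="card_details.iqy")
    return bytes(msg)


if __name__ == "__main__":
    report = triage_message(build_sample_message())
    for finding in report["findings"]:
        print(finding["filename"], finding["reason"], finding["urls"])
```

In a mail gateway the same `triage_message` call would run on each inbound message; the URL list from `parse_iqy` is the useful artifact, because blocking or sandboxing the fetch target stops the download stage even if the attachment reaches the user.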
At the moment the majority of victims are in the US, but AdvisorsBot has been spread globally to thousands of targeted companies. As for the future, Proofpoint's staff wrote in their report's conclusion:
AdvisorsBot, along with another similar but unrelated malware that we detailed last week, point to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise.
Such new discoveries as AdvisorsBot or DeepLocker really leave you amazed and scared, thinking how fast malware is improving and how it is becoming harder with each day to stay safe and protect personal data. Constant data breaches, hacked companies, stolen cryptocurrencies and new viruses prove another point: the real crimes are no longer happening on the streets, but have moved to the virtual world, with unlimited borders and possibilities.