Decoding a new sample of AdvisorBot malware that is delivered via malicious macros

• The malware arrives in a legitimate-looking fake attachment named as ‘invoice.doc’.
• The malware is capable of gathering various information about a victim’s machine that includes system information, computer IP address, network status and more.

A new sample of the AdvisorBot malware, that was first spotted in August 2018, is back through a phishing email campaign. The attackers rely on simple social engineering tricks to lure users into opening the email.

Modus Operandi

According to the researchers from Cybaze-Yoroi ZLAb, the malware arrives in a fake attachment (which looks legitimate) named as ‘invoice.doc’. The document contains malicious macros which when clicked results in the propagation of the malware.

“Once opened, the document kindly asks the users to enable the macro scripts, heavily obfuscated to avoid static detection. The macro code downloads a text string through a WebClient object invoked from the PowerShell console, then it saves it with .png file extension and runs it through the 'iex' primitive,” said the researchers in their analysis report.

Malware capabilities

The malware once installed, is capable of gathering various information about a victim’s machine that includes system information, computer IP address, network status, list of running processes, available privileges, domain admins and antivirus products.

Apart from this, the malware also searchers for all email accounts registered on a victim’s machine.

Yoroi ZLab researchers further noted that weaponized Microsoft Office document delivered via email is one of the top infection vectors in today malware landscape. Therefore, it is advised to disable macros by default and check the origin of the email in depth to prevent attacks from the AdvisorBot variant.