TA555 hacker group targeting the hospitality sector with AdvisorsBot malware downloader

• The malware downloader is under active development and comes with a system fingerprinting module.
• Security researchers uncovered another version of AdvisorsBot written in PowerShell, called PoshAdvisor.

A new malware downloader, which is still under development, has been spotted in new malicious email campaigns targeting the hospitality sector. The campaigns are being conducted by an APT group known as TA555.

According to security experts at Proofpoint, who discovered the new campaign, AdvisorsBot has been used as a first-stage payload so far. The campaigns distributing AdvisorsBot was first observed in May 2018.

Modus operandi

The TA555 hackers have been using different email lures, such as the “double charge” lure targeting hotels, a “food poisoning” lure targeting restaurants and a “resume” lure targeting telecommunications organizations.

Researchers also discovered another variant of the AdvisorsBot downloader, written entirely in PowerShell and .NET, called PoshAdvisor.

“Like most modern malware, AdvisorsBot employs a number of anti-analysis features. One of the most effective is the use of junk code--such as extra instructions, conditional statements, and loops--to considerably slow down reverse engineering,” Proofpoint researchers wrote in a blog. “To detect various malware analysis tools, AdvisorsBot takes a CRC32 hash of the system’s volume serial number and each running process name and compares them to a list of hardcoded hash values. If it finds a match, the malware exits.”

Range of info-stealing capabilities

Proofpoint researchers observed that AdvisorsBot contained a system fingerprinting module which is capable of taking screenshots, exfiltrate Microsoft Office account details, stealing system information and more.

Meanwhile, PoshAdvisor, which is essentially AdvisorsBot rewritten in PowerShell, also contains a similar system fingerprinting module, URI generation and format, C&C infrastructure and module download and execute functionality.

“While it remains to be seen whether this threat actor will continue to distribute AdvisorsBot, PoshAdvisor, or both in future campaigns, this pair of downloaders, with extensive anti-analysis features and increasingly sophisticated distribution techniques, warrant further investigation,” Proofpoint researchers said.

“AdvisorsBot, along with another similar but unrelated malware that we detailed last week, point to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise,” the researchers added.