AdvisorsBot

Malware

⚠️ Overview

AdvisorsBot is a modular information-stealing malware first documented by Proofpoint researchers in 2015, primarily operated by a Russian-speaking threat actor tracked as TA579 (also known as the AdvisorsBot crew). It is classified as a downloader and backdoor that delivers secondary payloads like Dridex and IcedID, targeting enterprises in finance, insurance, and legal sectors.

🔧 Technical Capabilities

AdvisorsBot uses spearphishing emails with malicious macros in Microsoft Office documents to achieve initial infection. Once executed, it establishes persistence via registry Run keys and scheduled tasks. The malware employs encrypted HTTPS communication with its command-and-control (C2) infrastructure, using a custom binary protocol; it can harvest credentials, browser cookies, and screen captures. Evasion techniques include sandbox detection, delayed execution, and checking for security tool processes. It can download and execute additional modules (e.g., for email harvesting or SOCKS5 proxying) and supports dynamic C2 domain generation through a domain generation algorithm (DGA). MITRE ATT&CK techniques used include T1059.005 (Visual Basic), T1053.005 (Scheduled Task), and T1573.001 (Encrypted Channel).

📜 History & Notable Incidents

First observed in mid-2015, AdvisorsBot was linked to campaigns spreading Dyre and later Dridex via macro-laden emails. In 2017, Proofpoint reported a campaign targeting U.S. financial services with AdvisorsBot delivering Ursnif. A 2019 campaign used AdvisorsBot as a loader for Vidar and Nemty ransomware. No high-profile CVEs are directly associated; it relies on social engineering and user interaction. Law enforcement action has not been publicly reported against TA579.

🔍 Detection Indicators

Known SHA256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (placeholder; actual hashes vary per campaign). Network IOCs include patterns of HTTPS POST requests to domains with random-looking subdomains (e.g., *.advisorsbot[.]com). User-Agent strings often mimic legitimate browsers, such as "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)". Registry persistence is commonly set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a random value name. Behavioral signatures include creation of scheduled tasks named with 8 random alphanumeric characters (e.g., "{8 chars}") and mutex names like "AdvisorsBot_Mutex_{8 hex}".

☠️ Risk & Impact

AdvisorsBot enables data exfiltration of login credentials, financial account details, and email archives, leading to account takeover and wire fraud. Industries most affected include finance, insurance, and legal services in North America and Europe. Financial losses from secondary payloads (e.g., Dridex) have been estimated in the tens of millions of dollars, with individual wire transfer frauds exceeding $1 million.

🛡️ Mitigation

Defenders should enforce macro-blocking in Office via Group Policy, enable AMSI, and deploy email filtering to block malicious attachments with VBA scripts. Use endpoint detection rules for the specific mutex names and scheduled task patterns. Network detection should flag HTTPS traffic to DGA-generated domains. Recommended tools: YARA rules from Proofpoint’s public GitHub repository and Snort/Suricata signatures for the known User-Agent strings. Regularly apply security patches and restrict administrative privileges.
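The following script is an added example, not code from this page or from Proofpoint, that turns the host and network indicators listed under Detection Indicators and the endpoint/network rules recommended above into detection logic and runs it over a few constructed Sysmon-style JSON telemetry lines. The field names (`type`, `key`, `value`, `data`, `name`, `host`, `user_agent`), the "payload lives under AppData/Temp/ProgramData" heuristic for Run-key writes, and the subdomain entropy threshold are assumptions made for the example; the mutex pattern, the 8-character task name pattern, the Run key and the User-Agent string come from the page.

```python
import json
import math
import re
from collections import Counter

# Constructed Sysmon-style JSON telemetry lines (not real data). Raw strings keep
# the JSON backslash escapes intact so json.loads() yields single backslashes.
SAMPLE_TELEMETRY = [
    r'{"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "qZx91kLp", "data": "C:\\Users\\alice\\AppData\\Roaming\\Adobe\\upd.exe"}',
    r'{"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "SecurityHealth", "data": "C:\\Windows\\System32\\SecurityHealthSystray.exe"}',
    r'{"type": "scheduled_task", "name": "Hk3pQ9zL", "command": "C:\\Users\\alice\\AppData\\Roaming\\Adobe\\upd.exe"}',
    r'{"type": "scheduled_task", "name": "GoogleUpdateTaskMachineUA", "command": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"}',
    r'{"type": "mutex", "name": "AdvisorsBot_Mutex_1a2b3c4d", "pid": 4120}',
    r'{"type": "mutex", "name": "Global\\ShellInstance", "pid": 1188}',
    r'{"type": "http_request", "method": "POST", "host": "x7k2pq9zt1.example.test", "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)"}',
    r'{"type": "http_request", "method": "GET", "host": "www.example.test", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}',
]

# Run key named on the page; accept both the HKCU abbreviation and the long form.
RUN_KEY_RE = re.compile(
    r"^(hkcu|hkey_current_user)\\software\\microsoft\\windows\\currentversion\\run$", re.I)
# Heuristic added for this example (not from the page): a Run-key entry pointing
# into a user-writable directory is far more suspicious than one under System32.
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|programdata)\\", re.I)
# Page indicator: scheduled tasks named with exactly 8 random alphanumerics.
TASK_NAME_RE = re.compile(r"^[A-Za-z0-9]{8}$")
# Page indicator: mutex names of the form AdvisorsBot_Mutex_{8 hex}.
MUTEX_RE = re.compile(r"^AdvisorsBot_Mutex_[0-9a-fA-F]{8}$")
# Page indicator: the Trident User-Agent the malware mimics.
TRIDENT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)"
# Assumption for this example: a leftmost DNS label with Shannon entropy above
# this value is treated as "random-looking" (DGA-like).
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(text):
    """Shannon entropy in bits per character of the given string (0.0 for empty)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def classify_event(event):
    """Return the name of the first matching detection rule, or None."""
    kind = event.get("type")
    if kind == "registry_set":
        if RUN_KEY_RE.match(event.get("key", "")) and USER_WRITABLE_RE.search(event.get("data", "")):
            return "run_key_persistence"
    elif kind == "scheduled_task":
        if TASK_NAME_RE.match(event.get("name", "")):
            return "scheduled_task_8char_name"
    elif kind == "mutex":
        if MUTEX_RE.match(event.get("name", "")):
            return "advisorsbot_mutex"
    elif kind == "http_request":
        first_label = event.get("host", "").split(".")[0]
        if (event.get("method") == "POST"
                and event.get("user_agent") == TRIDENT_UA
                and shannon_entropy(first_label) > ENTROPY_THRESHOLD):
            return "c2_post_random_subdomain"
    return None


def detect_advisorsbot(lines):
    """Parse JSON telemetry lines and return one alert per matching event."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than aborting the scan
        rule = classify_event(event)
        if rule:
            alerts.append({"rule": rule, "event": event})
    return alerts


if __name__ == "__main__":
    for alert in detect_advisorsbot(SAMPLE_TELEMETRY):
        print(f"[{alert['rule']}] {json.dumps(alert['event'])}")
```

Each rule maps to one indicator class from the page, so a hit can be tagged with the corresponding ATT&CK technique listed above (T1053.005 for the task-name rule, T1573.001 for the C2 POST rule). The User-Agent string is a weak signal on its own, since real Internet Explorer 11 clients send it, which is why the example only raises the network alert when the POST also targets a random-looking subdomain.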


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.