{
	"id": "dac56902-4fb9-40e9-8f6d-5d0c190c8205",
	"created_at": "2026-04-06T00:13:00.315024Z",
	"updated_at": "2026-04-10T13:12:43.964861Z",
	"deleted_at": null,
	"sha1_hash": "bc2cf8462652a3116f17795f9b639fdb77d72692",
	"title": "New modular downloaders fingerprint systems - Part 2: AdvisorsBot | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1412719,
	"plain_text": "New modular downloaders fingerprint systems - Part 2: AdvisorsBot | Proofpoint US\r\nBy Proofpoint Staff, August 23, 2018\r\nPublished: 2018-08-23 · Archived: 2026-04-05 16:05:49 UTC\r\nOverview\r\nBeginning in May 2018, Proofpoint researchers observed a previously undocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns. The campaigns appear to primarily target hotels, restaurants, and telecommunications, and are distributed by an actor we track as TA555. To date, we have observed AdvisorsBot used as a first-stage payload, loading a fingerprinting module that, as with Marap, is presumably used to identify targets of interest to further infect with additional modules or payloads. AdvisorsBot is under active development and we have also observed another version of the malware completely rewritten in PowerShell and .NET.\r\nCampaign Analysis\r\nWe first observed campaigns delivering AdvisorsBot in May 2018. Since then, the campaigns have used several themes in the email lures. The first is a “double charge” lure that appears to target hotels (Figure 1). The second is a “food poisoning” lure for restaurant targeting (Figure 2). The third is a “catering order” lure also targeting restaurants (Figure 3). The fourth is a “resume” lure that targets telecommunications organizations (Figure 4). While we did observe targeting leaning towards the hotel, restaurant, and telecommunications industries, we found that these campaigns were not as well-targeted as the lures might imply, with many messages going to recipients unrelated to the contents of the lure.\r\nIn the May and June campaigns, the documents contained macros that executed a PowerShell command to download and execute AdvisorsBot. In the August 8 campaign, the actor shifted techniques, using a macro to execute a PowerShell command that in turn downloaded another PowerShell script. This script executed embedded shellcode that ran AdvisorsBot without writing it to disk. Finally, on August 15, the actor made another major change: the macro instead downloaded and executed a PowerShell version of AdvisorsBot that we call PoshAdvisor.\r\nhttps://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot\r\nPage 1 of 13\r\nFigure 1: Message purporting to include information about a double charge, delivering AdvisorsBot\r\nFigure 2: Message purporting to include information about a food poisoning incident, delivering PoshAdvisor\r\nFigure 3: Message purporting to include information about a catering order, delivering AdvisorsBot\r\nFigure 4: Message purporting to include a resume/CV, delivering AdvisorsBot\r\nFigure 5: Example macro document lure\r\nMalware Analysis\r\nThe name “AdvisorsBot” is based on early command and control (C\u0026C) domains that all contained the word “advisors”. The malware is written in C, but the threat actor has recently created an interesting fork of the code that we discuss in the “PoshAdvisor” section.\r\nAnti-Analysis Features\r\nLike most modern malware, AdvisorsBot employs a number of anti-analysis features. One of the most effective is the use of junk code (extra instructions, conditional statements, and loops) that considerably slows down reverse engineering. For example, compare the beginning of a function (part of the URI generation discussed in the “Command and Control” section) from the x86 version of the malware (Figure 6) to the same function in the x64 version (Figure 7), which is far less affected by the inclusion of junk code.\r\nFigure 6: The x86 version of the malware contains significantly more instances of junk code\r\nFigure 7: The x64 version contains far fewer instances of junk code\r\nWe can also see two more anti-analysis features in the same screenshots:\r\n1. Most strings are stored as “stack strings”, in which the characters of the string are manually pushed onto stack memory with individual instructions. This makes it more difficult to quickly see the strings the malware uses.\r\n2. Windows API function hashing, which hinders identification of the malware’s functionality. A Python implementation of the hashing algorithm is available on GitHub [1].\r\nTo detect various malware analysis tools, AdvisorsBot takes a CRC32 hash of the system’s volume serial number and of each running process name and compares them to a list of hardcoded hash values. If it finds a match, the malware exits. To detect whether it is running on a virtual machine, the malware inspects the system’s firmware table (via a call to GetSystemFirmwareTable) for strings associated with virtual machine vendors. Again, if it finds a match, the malware exits.\r\nIn the August 8 campaign, it became clear that the threat actor was paying close attention to the characteristics of victims connecting back to their C\u0026C servers. The updated version of AdvisorsBot in this campaign included an additional anti-analysis check that compared the system’s machine SID to a list of 13 hardcoded values (Figure 8). We assume that they profiled sandbox or malware researcher systems in prior campaigns and blacklisted them.\r\nFigure 8: Snippet of code showing AdvisorsBot comparing the victim machine’s SID to a blacklist\r\nCommand and Control\r\nThe malware uses HTTPS to communicate with the C\u0026C server. In the requests from the bot to the C\u0026C, URIs contain encoded data that is used to identify a victim, for example:\r\n/aa/rek5h/lnl5/s4zakljmo/4f/xbdju4a02tnxywx/etl2dni405a1khwxyg0r2.jpg\r\nMore specifically, the data encoded in the URI contains the machine SID, a CRC32 hash of the computer name, some unknown hardcoded values, and the Windows version:\r\nFigure 9: Snippet of code showing the data structure used during formatting of the URI\r\nThis data is encoded via the following steps:\r\nA random 4-byte XOR key is generated\r\nThe data structure is XOR-encoded with the key and the key is prepended to the encoded data\r\nThe key and encoded data are converted from binary to lowercase letters and digits with a binary encoding similar to base32\r\nRandom slashes are added to make it look like a URI path\r\nA “.jpg” extension is added for GET requests and an “.asp” extension is added for POST requests\r\nCommands from the C\u0026C server are polled via GET requests. A response that contains a command is structured as shown below:\r\nOffset 0: Command\r\nOffset 4: Unknown, possibly module ID or command ID\r\nOffset 8: Length of encrypted data\r\nOffset 12: CRC32 hash of plaintext data\r\nOffset 16: XTEA IV\r\nOffset 24: XTEA key\r\nOffset 40: XTEA encrypted data using CBC mode\r\nAdvisorsBot currently can receive and act on only two commands:\r\nLoad a module (command ID 1)\r\nLoad shellcode in a thread (any other command ID)\r\nModules are DLLs that are manually loaded (allocate a buffer, copy the PE header and sections, relocate, resolve the import table, and execute the entry point). A “communications” function is passed from the downloader to the module so that it can send data back to the C\u0026C server. These requests use the same style of URIs, but carry POST data structured as shown below:\r\nOffset 0: Length of encrypted data\r\nOffset 4: CRC32 hash of plaintext data\r\nOffset 8: XTEA IV\r\nOffset 16: XTEA key\r\nOffset 32: XTEA encrypted data using CBC mode\r\nModules\r\nAt the time of publication we have only observed a system fingerprinting module being sent from a C\u0026C server. It performs the following activities and sends their output back to the C\u0026C:\r\nTakes a screenshot and base64 encodes it\r\nExtracts Microsoft Outlook account details\r\nRuns the following system commands:\r\nsysteminfo\r\nipconfig /all\r\nnetstat -f\r\nnet view\r\ntasklist\r\nwhoami\r\nnet group \"domain admins\" /domain\r\ndir %USERPROFILE%\\Desktop\r\nwmic /namespace:\\\\root\\securitycenter2 path antivirusproduct GET displayName,pathToSignedProductExe\r\nPoshAdvisor\r\nOn August 15, we saw what initially looked like a second AdvisorsBot campaign for the month. However, after closer analysis of the payload we were surprised to find that the threat actor had essentially rewritten AdvisorsBot using PowerShell and a .NET DLL embedded inside the PowerShell script. We track this variant as “PoshAdvisor” and, while it is not an exact duplicate of AdvisorsBot, it does contain the same:\r\nURI generation and format (Figure 10)\r\nC\u0026C response format and encryption\r\nModule download and execute functionality\r\nSystem fingerprinting functionality (Figure 11)\r\nFigure 10: Snippet of code showing similarity of PoshAdvisor’s URI generation\r\nFigure 11: Snippet of code showing similarity of PoshAdvisor’s system fingerprinting\r\nThis is noteworthy since it is fairly rare to see malware rewritten in a completely different programming language.\r\nConclusion\r\nWhile it remains to be seen whether this threat actor will continue to distribute AdvisorsBot, PoshAdvisor, or both in future campaigns, this pair of downloaders, with extensive anti-analysis features and increasingly sophisticated distribution techniques, warrants further investigation. AdvisorsBot, along with another similar but unrelated malware that we detailed last week, points to a growing trend of small, versatile malware that gives actors flexibility to launch future attacks and to identify systems of interest that may lend themselves to more significant compromise.\r\nReferences\r\n[1] https://github.com/EmergingThreats/threatresearch/blob/master/advisorsbot/func_hashes.py\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\n6d73bea291bf6114af8333031187ac05fdfc8afe05025b272f510a6977b2153e | SHA256 | Example Document Attachment (May)\r\nhxxp://chklink[.]us/upd.bin | URL | AdvisorsBot download URL (May)\r\n9dd12d3a32d2ba133bac8747f872f649b389a9cf3f4baaa9fad69a43d2e4f982 | SHA256 | AdvisorsBot (May)\r\ninvestments-advisors[.]bid | Domain | AdvisorsBot C\u0026C (May)\r\ninteractive-investments[.]bid | Domain | AdvisorsBot C\u0026C (May)\r\n1eb1ef64a9b41267e362597e071e181acb86b50e708ede4a9448689da7fb2425 | SHA256 | Example Document Attachment (June)\r\nhxxp://finance-advisors-ca[.]bid/ldr.bin | URL | AdvisorsBot download URL (June)\r\nee32c4e0a4b345029d8b0f5c6534fa9fc41e795cc937d3f3fd743dcb0a1cea35 | SHA256 | AdvisorsBot (June)\r\nreal-estate-advisors[.]win | Domain | AdvisorsBot C\u0026C (June)\r\nsecur-real-estate[.]bid | Domain | AdvisorsBot C\u0026C (June)\r\n34a2fc4eb718a8b13a44cfb851ccac6cf63e54fe7e7ab145a5bdeb6def2d4620 | SHA256 | AdvisorsBot system fingerprinting module (June and August)\r\n956eae6395ed5e1b2d49ffa08ff85b42d1fc210531ab9c48c2d76e6ee38c9781 | SHA256 | Example Document Attachment (August)\r\nhxxp://204.155.31[.]167/bootstrap.css | URL | AdvisorsBot download URL (August)\r\nc659b00a65a574a08fff64662581a8ecae7eafa38850a6c7c19b88c2085a1c03 | SHA256 | AdvisorsBot (August)\r\n185.180.198[.]56 | IP | AdvisorsBot C\u0026C (August)\r\nfdf5072b904ba9148d8b98e4ba01987e644449e2b10f033ca4d2f967dc502a58 | SHA256 | Example Document Attachment (August)\r\nhxxp://162.244.32[.]185/jquery.js | URL | PoshAdvisor download URL (August)\r\n2a27d7ad1f16c90767e1cf98c92905aa5a3030a268c8206462c5215a87d0e132 | SHA256 | PoshAdvisor PowerShell script (August)\r\n335229e528c6348a3dc5941c434dc67acb031f297d9ac25e53a2a56d3df3e255 | SHA256 | PoshAdvisor .NET library (August)\r\n162.244.32[.]148 | IP | PoshAdvisor C\u0026C (August)\r\nET and ETPRO Suricata/Snort Signatures\r\n2832183 | ETPRO TROJAN PoshAdvisor SSL/TLS Certificate Observed\r\n2830733 | ETPRO TROJAN Observed AdvisorsBot CnC Domain (investments-advisors .bid in TLS SNI)\r\n2830732 | ETPRO TROJAN Observed Malicious SSL Cert (AdvisorsBot CnC Domain)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot"
	],
	"report_names": [
		"new-modular-downloaders-fingerprint-systems-part-2-advisorsbot"
	],
	"threat_actors": [
		{
			"id": "e9fcfe14-b91b-4f1d-a6f6-2de8a6dbca17",
			"created_at": "2022-10-25T16:07:24.287989Z",
			"updated_at": "2026-04-10T02:00:04.923791Z",
			"deleted_at": null,
			"main_name": "TA555",
			"aliases": [],
			"source_name": "ETDA:TA555",
			"tools": [
				"AdvisorsBot",
				"PoshAdvisor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "47524f3c-731b-4af2-a9df-67c96c734392",
			"created_at": "2023-01-06T13:46:39.319424Z",
			"updated_at": "2026-04-10T02:00:03.286323Z",
			"deleted_at": null,
			"main_name": "TA555",
			"aliases": [],
			"source_name": "MISPGALAXY:TA555",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434380,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc2cf8462652a3116f17795f9b639fdb77d72692.pdf",
		"text": "https://archive.orkl.eu/bc2cf8462652a3116f17795f9b639fdb77d72692.txt",
		"img": "https://archive.orkl.eu/bc2cf8462652a3116f17795f9b639fdb77d72692.jpg"
	}
}