Thursday, May 1, 2025
HomeCyber Security NewsAdvisorsBot Malware Attack on Hotels, Restaurants, and Telecommunications Via Weaponized Word Document

AdvisorsBot Malware Attack on Hotels, Restaurants, and Telecommunications Via Weaponized Word Document

Published on

SIEM as a Service

Follow Us on Google News

Newly discovered AdvisorsBot Malware actively distributing by threat actor TA555 to target Hotels, Restaurants, and Telecommunications departments using a malicious word document.

This Malware spreading in the various form via email with a fake content and trick victims to open it infect the victims and steal the sensitive data.

Researchers observers that the AdvisorsBot Malware spreading in 3 different form, the first one has appeared via email to that target hotels, the second one is targeting restaurant, the third one mimics as a resume with the malicious macro document to attack telecommunications.

- Advertisement - Google News
Email for Hotels
Email for restaurant
 Email for Telecommunications

All the targeting email contain macros and the attack trick users to enable the macro that executes a PowerShell command to download and execute the AdvisorsBot Malware.

later threat actor shifted the technique that helps to download another PowerShell script when the PowerShell command gets executed which is responsible for net technique  AdvisorsBot to execute without writing it to disk.

AdvisorsBot Malware Infection Technique

An AdvisorsBot word derived from its command & control server which is used for receiving the command from malware authors that contain the word “advisors” in many areas.

Attackers using many junk code such as extra instructions, conditional statements, and loops to strengthen the anti-analysis techniques that makes difficult to analyze the malware.

AdvisorsBot malware contains a list of hard code hash value to compare with the running process hash of the system’s volume serial number, name and compare with it if its matches then it terminates the execution.

Attacker paying very close attention to victims to get connected with the C&C server and increase the success ratio, they are implementing an additional anti-analysis check that compared the system’s machine SID to a list of 13 hardcoded values.

According to Proofpoint research, The malware uses HTTPS to communicate with the C&C server. In the requests from the bot to the C&C, URIs contain encoded data that are used to identify a victim.

“More specifically, the data that is encoded in the URI contains the machine SID, CRC32 hash of the computer name, some unknown hardcoded values, and the Windows version.”

Finally, an attacker using fingerprinting module being sent from a C&C server and the command will perform stealing activities such as Takes a screenshot, Extracts Microsoft Outlook account details and other malicious activities.

Also Read:

Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities

Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet

60,000 Android Devices are Infected with Malicious Battery Saver App that Steals Various Sensitive Data

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Managing Shadow IT Risks – CISO’s Practical Toolkit

Managing Shadow IT risks has become a critical challenge for Chief Information Security Officers...

Application Security in 2025 – CISO’s Priority Guide

Application security in 2025 has become a defining concern for every Chief Information Security...

Preparing for Quantum Cybersecurity Risks – CISO Insights

Quantum cybersecurity risks represent a paradigm shift in cybersecurity, demanding immediate attention from Chief...

Securing Digital Transformation – CISO’s Resource Hub

In today’s hyper-connected world, securing digital transformation is a technological upgrade and a fundamental...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Netgear EX6200 Flaw Enables Remote Access and Data Theft

Security researchers have disclosed three critical vulnerabilities in the Netgear EX6200 Wi-Fi range extender...

Tesla Model 3 VCSEC Vulnerability Lets Hackers Run Arbitrary Code

A high security flaw in Tesla’s Model 3 vehicles, disclosed at the 2025 Pwn2Own...

Apache ActiveMQ Vulnerability Lets Remote Hackers Execute Arbitrary Code

A high vulnerability in Apache ActiveMQ’s .NET Message Service (NMS) library has been uncovered,...