TA555

Description

(Proofpoint) Beginning in May 2018, Proofpoint researchers observed a previously undocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns. The campaigns appear to primarily target hotels, restaurants, and telecommunications, and are distributed by an actor we track as TA555. To date, we have observed AdvisorsBot used as a first-stage payload, loading a fingerprinting module that, as with Marap, is presumably used to identify targets of interest to further infect with additional modules or payloads. AdvisorsBot is under active development and we have also observed another version of the malware completely rewritten in PowerShell and .NET.

Names

Name	Name-Giver
TA555	Proofpoint

Country

• Unknown

Motivation

• Financial crime

First Seen

2018

Observed Sectors

• Hospitality
• Telecommunications

Tools

• AdvisorsBot
• PoshAdvisor

Information

• https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot

Other Information

Uuid

bf6a3eb5-da87-482a-87da-d50a301953ee

Last Card Change

2020-04-14