
VBShower

Posted: August 13, 2019

VBShower is a backdoor Trojan that runs Visual Basic Script (VBS) commands supplied by its operators. It is closely associated with espionage campaigns against targets in Russia and neighboring regions, although its threat actor may also strike other parts of the world. Users should watch the usual infection vectors, such as e-mail attachments, and keep anti-malware products on hand for removing VBShower safely.

Forecasting a Shower of Morphing Code

The Cloud Atlas (AKA Inception) hacking group is changing how it attacks compromised systems, while also broadening its selection of targets. A well-known threat actor since 2014, Cloud Atlas is associated with sophisticated intelligence-harvesting operations that use a PowerShell-based Trojan, PowerShower. That modular threat is now being replaced, or supplemented, by a new one: VBShower.

VBShower has a payload structure similar to PowerShower's, and processes directives from a Command & Control server to enable further attacks against the compromised machine. However, it avoids PowerShell entirely, and its installation goes through a polymorphic HTA file. Polymorphism, the 'morphing' of code from one instance of the Trojan to the next, evades signature-based security tools by changing the indicators of compromise (such as file hashes and the strings inside the file) with every infection while leaving the behavior unchanged. Malware experts see it most often in high-end threats, such as the banking Trojan Win32.Bolik.2 or the Trojan.Ferret botnet.
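The following is an added illustration of the point above about polymorphism and indicators of compromise; it is not code from Cloud Atlas, VBShower or any vendor. It uses a constructed, benign VBScript-shaped stub (never executed) and a hypothetical morphing routine (identifier renaming plus junk comments) that stands in for whatever the real HTA generator does. It shows that two instances of the same logic get different SHA-256 hashes, so a hash-based indicator fails, while a hash taken over a normalised form (comments dropped, identifiers replaced positionally) stays stable across instances:

```python
"""Why a file hash is a weak indicator for a polymorphic dropper, and how a
normalising hash recovers a stable one.

Added example for this page; not code from Cloud Atlas, VBShower or any
vendor.  BASE_SCRIPT is a constructed, benign VBScript-shaped stub that is
never executed, and morph() is a hypothetical stand-in for whatever the real
HTA generator does (identifier renaming plus junk comments).
"""
import hashlib
import random
import re

# Constructed stub: the shape the article describes (poll a server, run what
# comes back, sleep an hour), with placeholder names and a loopback address.
BASE_SCRIPT = """' dropper stub
Dim srv, cmd
srv = "http://127.0.0.1/task"
Do While True
    cmd = FetchTask(srv)
    RunTask cmd
    WScript.Sleep 3600000
Loop
"""

IDENTIFIERS = ["srv", "cmd", "FetchTask", "RunTask"]      # names morph() renames
KEYWORDS = {"Dim", "Do", "While", "True", "Loop", "WScript", "Sleep"}
TOKEN = re.compile(r'"[^"]*"|[A-Za-z_]\w*|\d+|\S')       # strings, names, numbers, punctuation
NAME = re.compile(r"[A-Za-z_]\w*")


def morph(script: str, rng: random.Random) -> str:
    """Emit one 'instance' of the script: random identifier names and junk
    comment lines.  Behaviour is unchanged; every byte-level indicator is not."""
    out = script
    for name in IDENTIFIERS:
        new = "v" + "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(8))
        out = re.sub(rf"\b{name}\b", new, out)
    lines = []
    for line in out.splitlines():
        if rng.random() < 0.5:
            lines.append("' " + "".join(rng.choice("0123456789abcdef") for _ in range(12)))
        lines.append(line)
    return "\n".join(lines) + "\n"


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def normalise(script: str) -> str:
    """Canonical form: drop comments and blank lines, collapse whitespace, and
    replace each non-keyword identifier with a positional token (ID0, ID1, ...)
    in order of first appearance.  Renaming and junk insertion then no longer
    change the text, so its hash becomes a usable indicator."""
    names = {}
    tokens = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("'"):
            continue
        for tok in TOKEN.findall(line):
            if NAME.fullmatch(tok) and tok not in KEYWORDS:
                tok = names.setdefault(tok, f"ID{len(names)}")
            tokens.append(tok)
        tokens.append(";")          # statement boundary
    return " ".join(tokens)


def compare(seed_a: int, seed_b: int) -> dict:
    """Hash two independently morphed instances, raw and normalised."""
    a = morph(BASE_SCRIPT, random.Random(seed_a))
    b = morph(BASE_SCRIPT, random.Random(seed_b))
    return {
        "raw_hashes_match": sha256(a) == sha256(b),
        "normalised_hashes_match": sha256(normalise(a)) == sha256(normalise(b)),
        "normalised_matches_base": sha256(normalise(a)) == sha256(normalise(BASE_SCRIPT)),
    }


if __name__ == "__main__":
    print(morph(BASE_SCRIPT, random.Random(1)))
    print(normalise(BASE_SCRIPT))
    print(compare(1, 2))
```

The normaliser is deliberately crude (a real generator may also reorder statements, split strings or change the control flow), so in practice it complements rather than replaces behavioural detection: a stable structural hash catches cheap variants, while anything that still runs a script host and polls a server on a timer is caught by telemetry, whatever the file looks like.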

VBShower also deletes files stored under the user's AppData folder to cover any evidence of the infection. Its further attacks are flexible: every hour it retrieves VBS commands from its C&C server and executes them. Interestingly, malware experts sometimes see VBShower installing PowerShower rather than acting as a wholesale replacement for the earlier Trojan. This change could be Cloud Atlas's attempt to be more selective about when it deploys its most thoroughly analyzed tool.
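Because the dropper is polymorphic, the durable indicators here are behavioural: an Office document handing off to an HTA or script host, and a script host that then contacts the same address roughly once an hour, as the paragraph above describes. The following is an added hunting example for those two behaviours, not code from the page, Cloud Atlas or any vendor. The event lines are constructed in a simplified Sysmon-like shape (event 1 = process creation, event 3 = network connection) with made-up hosts, paths and TEST-NET addresses; they are not real telemetry and carry no real indicators of compromise:

```python
"""Behavioural hunting for the chain this page describes: an Office process
launching an HTA/script host, and that script host then contacting the same
address on a near-hourly cycle.

Added example for this page; not code from the page, Cloud Atlas or any vendor.
EVENTS is constructed in a simplified Sysmon-like shape with made-up hosts,
paths and addresses (TEST-NET ranges); it is not real telemetry and carries no
real indicators of compromise.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed events, one per line: timestamp|host|event|parent|image|destination
# event 1 = process creation (no destination), event 3 = network connection.
EVENTS = """\
2019-08-13T09:00:05|WS01|1|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|C:\\Windows\\System32\\mshta.exe|
2019-08-13T09:00:09|WS01|1|C:\\Windows\\System32\\mshta.exe|C:\\Windows\\System32\\wscript.exe|
2019-08-13T09:00:31|WS01|3||C:\\Windows\\System32\\wscript.exe|203.0.113.10:443
2019-08-13T10:00:29|WS01|3||C:\\Windows\\System32\\wscript.exe|203.0.113.10:443
2019-08-13T11:00:33|WS01|3||C:\\Windows\\System32\\wscript.exe|203.0.113.10:443
2019-08-13T12:00:30|WS01|3||C:\\Windows\\System32\\wscript.exe|203.0.113.10:443
2019-08-13T09:12:00|WS02|1|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wscript.exe|
2019-08-13T09:12:03|WS02|3||C:\\Windows\\System32\\wscript.exe|198.51.100.7:443
2019-08-13T09:40:10|WS02|3||C:\\Windows\\System32\\wscript.exe|198.51.100.7:443
2019-08-13T13:05:44|WS02|3||C:\\Windows\\System32\\wscript.exe|198.51.100.7:443
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse(text: str) -> list:
    rows = []
    for line in text.splitlines():
        ts, host, event, parent, image, dst = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "host": host, "event": int(event),
                     "parent": basename(parent), "image": basename(image), "dst": dst})
    return rows


def office_spawned_script_hosts(rows: list) -> list:
    """Process-creation events where an Office application is the direct parent of
    mshta/wscript/cscript: the launch pattern of a document dropping an HTA."""
    return [(r["host"], r["parent"], r["image"])
            for r in rows
            if r["event"] == 1 and r["parent"] in OFFICE and r["image"] in SCRIPT_HOSTS]


def periodic_beacons(rows: list, period: float = 3600.0, tolerance: float = 60.0,
                     min_events: int = 3) -> dict:
    """Network events from a script host whose gaps to the same destination cluster
    tightly around `period`.  Returns {(host, image, dst): median gap in seconds}."""
    by_key = defaultdict(list)
    for r in rows:
        if r["event"] == 3 and r["image"] in SCRIPT_HOSTS:
            by_key[(r["host"], r["image"], r["dst"])].append(r["ts"])
    hits = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # both the typical gap and every individual gap must sit near the period
        if abs(med - period) <= tolerance and max(abs(g - med) for g in gaps) <= tolerance:
            hits[key] = med
    return hits


if __name__ == "__main__":
    rows = parse(EVENTS)
    for host, parent, image in office_spawned_script_hosts(rows):
        print(f"{host}: {parent} -> {image}")
    for (host, image, dst), med in periodic_beacons(rows).items():
        print(f"{host}: {image} beacons to {dst} every ~{med:.0f}s")
```

In the constructed data only WS01 trips both rules; WS02 runs a script from Explorer and reaches out at irregular intervals, which is ordinary user activity. The tolerance is a tuning knob: an implant that adds jitter to its timer needs a wider window (or a tolerance expressed as a fraction of the period), and the two results are most convincing when they land on the same host.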

The Best Umbrella for Trojan Showers

A VBShower infection inherently implies additional attacks, consisting of anything that can be expressed in a Visual Basic script. The dangers that malware analysts emphasize most include:

  • VBShower may collect system information, such as the Windows version, running processes, and account privileges, giving attackers reconnaissance reports that lead to the exploitation of software vulnerabilities.
  • VBShower may collect usernames, passwords and other credentials for hijacking accounts or compromising the rest of the local network.
  • VBShower may upload files, such as collected documents, to its operators.
  • Finally, VBShower may download and install other threats at Cloud Atlas's discretion.

Threat actors with Cloud Atlas's preference for government networks and sensitively-placed business entities often use e-mail to compromise a PC. These phishing lures may carry attachments with malicious macros or use spoofed or obfuscated links. In most cases, deleting VBShower or its installer with professional, updated anti-malware tools before the infection takes hold should be possible.

Criminals with years invested in their programming enterprises don't change their code or methods without good reason. VBShower, as another shot fired in the cyber-security war, is a sign that security companies, and the Trojan's possible victims, will need to step up their game.
