VBShower PowerShell Backdoor
VBShower is a new PowerShell-based polymorphic backdoor, created by the Inception advanced persistent threat group to replace their older PowerShower malware.
Also known as Inception, Cloud Atlas is an actor with a long history of cyber-espionage operations targeting industry and government entities.
VBShower is delivered as an embedded HTA file distributed via targeted spam or spear-phishing campaigns. When opened, the HTA executes an unnamed launcher, which in turn executes VBShower. The HTA also carries a context file that VBShower uses to connect to its command-and-control (C2) server.
Once installed, VBShower downloads VBS files containing the intended payloads from the C2 server and installs them on the affected system. In some campaigns VBShower also installs PowerShower, which is then used to extract user credentials and files.
Further details can be found here
Emails used by the attackers
VBShower registry persistence
- Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{8}
- Value: wscript //B "%APPDATA%\[A-Za-z]{5}.vbs"
VBShower paths
- %APPDATA%\[A-Za-z]{5}.vbs.dat
- %APPDATA%\[A-Za-z]{5}.vbs
- %APPDATA%\[A-Za-z]{5}.mds
VBShower C2s
- 176.31.59.232
- 144.217.174.57
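As an added example (not from the original post, and not code from the researchers who documented VBShower), the infection chain and the indicators listed above can be turned into a small Python hunting script that runs over Sysmon-style event records: the Run value pattern for persistence, the three %APPDATA% file patterns for the dropped scripts, and the two C2 addresses for network connections. The sample events are constructed, not real telemetry; the expanded `C:\Users\<user>\AppData\Roaming` form of %APPDATA% and the `HKU\<SID>` spelling of the hive (which is how Sysmon records HKCU) are assumptions added here.

```python
"""Hunt for the VBShower indicators from the page in Sysmon-style event records.

Constructed example: the records below are made up to look like Sysmon output
(EventID 13 = registry value set, 11 = file create, 3 = network connect).
"""
import re

# Registry persistence: a Run value whose name is 8 hex characters. Sysmon logs
# the hive as HKU\<SID> rather than HKCU, so both spellings are accepted (assumption).
RUN_KEY_RE = re.compile(
    r"^(?:HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-[\d-]+)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[a-fA-F0-9]{8}$",
    re.IGNORECASE,
)

# Either the literal %APPDATA% token or its usual expansion on a default Windows
# profile (C:\Users\<user>\AppData\Roaming); the expanded form is an assumption.
APPDATA_RE = r"(?:%APPDATA%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)"

# Run value data: wscript //B "<appdata>\<5 letters>.vbs"  (//B = batch mode, no prompts)
RUN_VALUE_RE = re.compile(
    r'^wscript(?:\.exe)?\s+//B\s+"' + APPDATA_RE + r'\\[A-Za-z]{5}\.vbs"\s*$',
    re.IGNORECASE,
)

# Dropped files: <appdata>\<5 letters>.vbs, .vbs.dat or .mds
PATH_RE = re.compile(
    r"^" + APPDATA_RE + r"\\[A-Za-z]{5}\.(?:vbs|vbs\.dat|mds)$",
    re.IGNORECASE,
)

# C2 addresses as listed on the page
C2_IPS = frozenset({"176.31.59.232", "144.217.174.57"})


def is_vbshower_run_value(key: str, value: str) -> bool:
    """True when both the Run value name and its command line match the persistence pattern."""
    return bool(RUN_KEY_RE.match(key) and RUN_VALUE_RE.match(value))


def is_vbshower_path(path: str) -> bool:
    """True for a file path matching one of the three dropped-file patterns."""
    return bool(PATH_RE.match(path))


def is_vbshower_c2(ip: str) -> bool:
    """True when the destination is one of the known C2 addresses."""
    return ip in C2_IPS


def scan_events(events):
    """Return (index, reason) for every record that hits one of the indicators."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 13 and is_vbshower_run_value(ev.get("TargetObject", ""), ev.get("Details", "")):
            hits.append((i, "registry persistence"))
        elif eid == 11 and is_vbshower_path(ev.get("TargetFilename", "")):
            hits.append((i, "dropped file"))
        elif eid == 3 and is_vbshower_c2(ev.get("DestinationIp", "")):
            hits.append((i, "C2 connection"))
    return hits


# Constructed sample telemetry: one persistence write, one dropped file, one C2
# connection, plus benign records that must not match.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\3fa91c0e",
     "Details": r'wscript //B "%APPDATA%\qwert.vbs"'},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\qwert.vbs.dat"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\report.docx"},
    {"EventID": 3, "DestinationIp": "176.31.59.232", "DestinationPort": 80},
    {"EventID": 3, "DestinationIp": "192.0.2.10", "DestinationPort": 443},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for idx, reason in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {reason} -> {SAMPLE_EVENTS[idx]}")
```

Each indicator is checked on its own so a single hit (for example a Run value named with eight hex characters but pointing at a differently named script) can still be reviewed; on the constructed records the scan flags the persistence write, the `.vbs.dat` drop and the connection to 176.31.59.232 while ignoring the benign OneDrive autorun and the unrelated file and connection.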
I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.