Danger level 2
Type: Other


VBShower seems to be a sophisticated malicious application that can stay on a system without being detected and record various pieces of sensitive information. According to researchers, the malware was created to attack government institutions or other organizations, for example, religious organizations, which is why it is unlikely that regular home users will encounter it. It is reported that the campaign during which the malicious application is being spread is called Cloud Atlas. It seems to be mostly targeted at users in Russia, Kazakhstan, Belarus, India, the Czech Republic, Turkey, Portugal, and some other countries. Further in the text, we discuss how VBShower might enter a system and what it does once it gets in. Needless to say, removing such a malicious application could be a challenging task, which is why researchers recommend leaving it to experienced IT specialists and reputable antimalware software.

It appears VBShower was first noticed in April 2019. Researchers also believe that the malware replaced a previous threat called PowerShower that was used by the same hackers responsible for the Cloud Atlas attacks. Moreover, specialists say that the cybercriminals might wish to know more about the devices they want to infect, as they first install a different threat that gathers bits of information about a system. Afterward, VBShower might get downloaded and executed. The worst part is that this threat can erase all evidence of the infection from an infected device. This means the malware may clean up the traces of all its malicious activities, which might make it difficult to detect. Another thing that might make it nearly impossible to notice the malware on a system is the way it was programmed.

It seems that VBShower and the malicious application that gets installed before it (to gather information about a targeted system) are both polymorphic threats. Polymorphic malware constantly changes the features that identify it, which may allow such software to avoid detection. Therefore, security tools that rely on capturing so-called indicators of compromise (IoCs) might be unable to trace it. IoCs are observable artifacts or actions that indicate a cyber-attack. For example, these could be unusual outbound network traffic, anomalies in privileged user account activity, geographical irregularities, unusual HTML response sizes, a large number of requests for the same file, mismatched port-application traffic, and so on. It would seem that VBShower can hide such activities to avoid being detected by security tools.

Next, we ought to talk about what might happen if VBShower settles in on a system. Research shows that the threat could create files called [A-Za-z]{5}.vbs.dat, [A-Za-z]{5}.vbs, and [A-Za-z]{5}.mds (five letters followed by the extension) or similarly named files in the %APPDATA% folder. One of the files (in our case, [A-Za-z]{5}.vbs) could be tied to a Registry value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key, which the malicious application most likely creates to ensure it will be loaded automatically after each system restart. What’s more, it was noticed that once the malware settles in, it should connect to its creators’ server and wait for their commands.
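As an added defender-side example (not code from the original article), the following Python script applies the persistence details above: it flags HKCU Run values that launch a five-letter .vbs script from %APPDATA% and lists files in a folder listing that follow the reported .vbs / .vbs.dat / .mds naming pattern. The launcher form (wscript.exe with a quoted path) and all sample entries are assumptions; on Windows the script can read the live Run key, elsewhere it only works on supplied data.

```python
import re
import sys
from pathlib import PureWindowsPath

# Naming pattern reported for VBShower's files in %APPDATA%:
# five ASCII letters, then .vbs, .vbs.dat or .mds.
NAME_RE = re.compile(r"^[A-Za-z]{5}\.(vbs|vbs\.dat|mds)$", re.IGNORECASE)
APPDATA_HINTS = ("%appdata%", "\\appdata\\roaming\\")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def script_path(command: str) -> str:
    # Pull the .vbs path out of a Run command. The launcher form
    # ('wscript.exe //B "<path>"' or a bare path) is an assumption.
    m = re.search(r'"([^"]+\.vbs)"', command, re.IGNORECASE)
    if not m:
        m = re.search(r"(\S+\.vbs)\b", command, re.IGNORECASE)
    return m.group(1) if m else command

def suspicious_run_entries(run_values: dict) -> list:
    # Return the Run value names whose command launches a five-letter
    # .vbs script located under %APPDATA% (the persistence described above).
    hits = []
    for name, command in run_values.items():
        path = script_path(command)
        if not any(h in path.lower() for h in APPDATA_HINTS):
            continue
        if NAME_RE.match(PureWindowsPath(path).name):
            hits.append(name)
    return hits

def companion_files(listing: list) -> list:
    # Names from a %APPDATA% listing that follow the reported pattern.
    return sorted(n for n in listing if NAME_RE.match(n))

def read_hkcu_run() -> dict:
    # Live HKCU Run values on Windows; an empty dict on other platforms.
    if sys.platform != "win32":
        return {}
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values
```

A hit only points at a value worth inspecting; confirm it by checking whether the referenced script and its .vbs.dat / .mds companions actually exist in %APPDATA%.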

The threat could be capable of recording sensitive information, such as passwords, conversations, etc. It is also likely that VBShower could download more malware onto a system and cause other trouble for the targeted organization. Therefore, it is needless to say that it is best to deal with this malicious application as fast as possible. As mentioned earlier, the threat is sophisticated, and its removal could be difficult, which is why it is best to leave this task to IT specialists and powerful antimalware software. If you have any questions about VBShower, feel free to leave us a message in the comments section available a bit below this article.
