Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Monday, 6 February, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

RAT Gone Rogue: Meet ARS VBS Loader

by The Gurus
April 17, 2018
in This Week's Gurus
malware
Share on FacebookShare on Twitter

Malicious VBScript has long been a fixture of spam and phishing campaigns, but until recently its functionality has been limited to downloading malware from an attacker-controlled server and executing it on a compromised computer.

 

Researchers at Flashpoint have seen and analysed a unique departure from this norm in ARS VBS Loader, a spin-off of a popular downloader called SafeLoader VBS that was sold and eventually leaked in 2015 on Russian crimeware forums.

 

ARS VBS Loader not only downloads and executes malicious code, but also includes a command and control application written in PHP that allows a botmaster to issue commands to a victim’s machine. This behaviour likens ARS VBS Loader to a remote access Trojan (RAT), giving it behaviour and capabilities rarely seen in malicious “loaders”, i.e. initial infection vector malware families used to install subsequent payloads.

 

The new loader has been spammed out in email attachments enticing victims with lures in subject lines related to personal banking, package shipments, and toll road notifications. Should a victim interact with the attachment and launch it, analysts say numerous types of commodity malware could be installed, including the AZORult information-stealing malware. AZORult was also used in campaigns targeting more than 1,000 Magento admin panels; in those attacks, the malware was used to scrape payment card information from sites running the popular free and open source ecommerce platform.

 

ARS VBS Loader targets only Windows machines and supports Windows 10, according to posts to a Russian-speaking forum going back to December. Previously, another loader called FUD ASPC Loader, first advertised in May 2017, contained similar functionality but not Windows 10 support.

 

The loader is also likely to side-step detection by signature-based antivirus and intrusion detection systems because of the relative ease in which attackers can obfuscate VBScript, Flashpoint analysts said. Obfuscation through a variety of means allows attackers to hide malware; if the malware is obfuscated with encryption or packing, it’s exponentially more difficult for antivirus to sniff out malicious code, for example.

 

Once the ARS VBS Loader executes on a victim’s computer, it immediately creates a number of entries in nearly a dozen autorun locations, including registry, scheduled tasks, and the startup folder, ensuring persistence through reboots. ARS VBS Loader will connect to the attacker’s server, sending it system information such as the operating system version name, computer user name, RAM, processor and graphics card information, a randomly generated ID for infection tracking, and machine architecture information.

 

The botmaster, meanwhile, can remotely administer commands to bots through the PHP command-and-control application. Communication with the command-and-control server is carried out in plaintext over HTTP, making it easy to spot, Flashpoint analysts said.

 

The malicious code that runs on the victim’s machine is written entirely in VBScript and contains functionality for updating and deleting itself, and deploying plugins such as a credentials stealer, or launching application-layer denial-of-service (DoS) attacks against websites, and loading additional malware from external websites.

 

The most common command spotted by analysts is download, which instructs bots to download and execute malware from a supplied URL. There is also the plugin command where plugins that steal passwords or capture desktop screenshots can be pushed to compromised computers.

 

The DDoS command is also noteworthy because it’s a unique capability; analysts said they have not seen this command used in the wild. The command tells bots to send a specified amount of HTTP POST requests to a particular URL. Since this is a simple application layer flooding attack, it is currently unknown how successful this attack would be against targets in the wild, analysts said, adding that it would be easy to spot such traffic because the same hardcoded POST values are sent in the HTTP flood.

 

Analysts caution that users should be vigilant about not opening email attachments from unknown sources, and that it’s likely ARS VBS Loader will continue to be an effective initial infection vector for spam campaigns.

FacebookTweetLinkedIn
Tags: CybersecurityTechnology
ShareTweetShare
Previous Post

Data visibility: the antidote to Snake-bites

Next Post

Mining for Trouble: Cryptocurrency and Cyber Security

Recent News

safe

Will Emphasising App Security Lead to More App Installs?

February 6, 2023
Phone with app store open

$400,000 Fine for Stalkerware App Developer

February 6, 2023
london-skyline-canary-wharf

Ransomware attack halts London trading

February 3, 2023
Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

February 2, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information