VBShower

VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.[1]

ID: S0442
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 May 2020
Last Modified: 12 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

VBShower has attempted to obtain a VBS script from command and control (C2) nodes over HTTP.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

VBShower used HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{{8}} to maintain persistence.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

VBShower has the ability to execute VBScript files.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

VBShower has attempted to complicate forensic analysis by deleting all the files contained in %APPDATA%..\Local\Temporary Internet Files\Content.Word and %APPDATA%..\Local Settings\Temporary Internet Files\Content.Word\.[1]

Enterprise T1105 Ingress Tool Transfer

VBShower has the ability to download VBS files to the target computer.[1]

Groups That Use This Software

ID Name References
G0100 Inception

[1]

References