VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.^[1]

ID: S0442

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 08 May 2020

Last Modified: 12 May 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	VBShower has attempted to obtain a VBS script from command and control (C2) nodes over HTTP.^[1]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	VBShower used `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{{8}}` to maintain persistence.^[1]
Enterprise	T1059	.005	Command and Scripting Interpreter: Visual Basic	VBShower has the ability to execute VBScript files.^[1]
Enterprise	T1070	.004	Indicator Removal on Host: File Deletion	VBShower has attempted to complicate forensic analysis by deleting all the files contained in `%APPDATA%..\Local\Temporary Internet Files\Content.Word` and `%APPDATA%..\Local Settings\Temporary Internet Files\Content.Word\`.^[1]
Enterprise	T1105		Ingress Tool Transfer	VBShower has the ability to download VBS files to the target computer.^[1]

Groups That Use This Software

ID	Name	References
G0100	Inception	^[1]

References

GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.

VBShower

Enterprise Layer

Techniques Used

Groups That Use This Software

References