Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

New Malware Adds RAT to a Persistent Loader

A newly discovered variant of a long-known malware loader adds the ability to control the victim from afar.

VBScript has long been an attack vector that could bring malicious software to an infected machine. But what if it could do more? What if VBScript could open a door to allow a PHP application access that would take control of a computer, making it part of a botnet? That's precisely the scenario in a newly described campaign called ARS VBS Loader, a variant of a popular downloader called SafeLoader VBS.

The new ARS VBS Loader, described by researchers at Flashpoint, downloads malware and provides remote-control access to a botnet controller, making it both a malware loader and a RAT, or remote access trojan. Paul Burbage, senior malware researcher at Flashpoint, says that he first noticed the new loader variant being sold on Russian malware sites in December 2017. It was, he says, being sold as a FUD ASPC (VBScript) loader — with "FUD" in this case meaning "fully undetectable."

Burbage says that there are two characteristics of ARS VBS that make it highly unusual. The first is persistence; the second is the remote access capability.

"The persistence mechanism for this loader is pretty unique," Burbage says. "It reports the statistics on its success back to the command and control server and is able to download additional malware from the server." As a result, he says that the threat actors can switch things up, changing attacks and profiles on the fly once the infection is in place.

One of the things that the persistent loader can do is receive additional commands. That's unusual for a loader because, Burbage says, "They tend not to have any command and control within the script." He say ARS VBS was authored with the intent for it to be the RAT, and that combines with the persistence mechanism to make it especially dangerous.

Asked whether the botnet to which ARS VBS seems to be recruiting systems is dangerous, Burbage says that it's far from the worst botnet he's seen. "I'm not sure how effective that would be in the wild because it utilizes a PHP POST Flood," he says, adding, "Most web sites easily defeat those."

So far, this new loader variant is being spread by relatively unsophisticated means. "Most of the initial infection records we see are massive shotgun spam campaigns that aren't carefully targeted," Burbage says, noting that they succeed because users are still clicking on attachments coming from unknown sensors and VBScript payloads are still getting past anti-malware security systems. "It's really hard to tell the difference between legitimate VBScript files that network admins might use for legitimate admin duties, and malware," Burbage says.

"VBScript is baked in, or supported out of the box, with every Windows system," he explains. "There might be a way to turn it off within an organization, but you'd lose the ability to perform authorized tasks."

Related content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mmckeown
50%
50%
mmckeown,
User Rank: Apprentice
4/21/2018 | 6:53:35 PM
Great Write Up
Excellent article.  Be interesting what the most effective way to counter the threat.
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19037
PUBLISHED: 2019-11-21
ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.
CVE-2019-19036
PUBLISHED: 2019-11-21
btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
CVE-2019-19039
PUBLISHED: 2019-11-21
__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program.
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.