Attacks/Breaches

New Malware Adds RAT to a Persistent Loader

A newly discovered variant of a long-known malware loader adds the ability to control the victim from afar.

VBScript has long been an attack vector that could bring malicious software to an infected machine. But what if it could do more? What if VBScript could open a door to allow a PHP application access that would take control of a computer, making it part of a botnet? That's precisely the scenario in a newly described campaign called ARS VBS Loader, a variant of a popular downloader called SafeLoader VBS.

The new ARS VBS Loader, described by researchers at Flashpoint, downloads malware and provides remote-control access to a botnet controller, making it both a malware loader and a RAT, or remote access trojan. Paul Burbage, senior malware researcher at Flashpoint, says that he first noticed the new loader variant being sold on Russian malware sites in December 2017. It was, he says, being sold as a FUD ASPC (VBScript) loader — with "FUD" in this case meaning "fully undetectable."

Burbage says that there are two characteristics of ARS VBS that make it highly unusual. The first is persistence; the second is the remote access capability.

"The persistence mechanism for this loader is pretty unique," Burbage says. "It reports the statistics on its success back to the command and control server and is able to download additional malware from the server." As a result, he says that the threat actors can switch things up, changing attacks and profiles on the fly once the infection is in place.

One of the things that the persistent loader can do is receive additional commands. That's unusual for a loader because, Burbage says, "They tend not to have any command and control within the script." He say ARS VBS was authored with the intent for it to be the RAT, and that combines with the persistence mechanism to make it especially dangerous.

Asked whether the botnet to which ARS VBS seems to be recruiting systems is dangerous, Burbage says that it's far from the worst botnet he's seen. "I'm not sure how effective that would be in the wild because it utilizes a PHP POST Flood," he says, adding, "Most web sites easily defeat those."

So far, this new loader variant is being spread by relatively unsophisticated means. "Most of the initial infection records we see are massive shotgun spam campaigns that aren't carefully targeted," Burbage says, noting that they succeed because users are still clicking on attachments coming from unknown sensors and VBScript payloads are still getting past anti-malware security systems. "It's really hard to tell the difference between legitimate VBScript files that network admins might use for legitimate admin duties, and malware," Burbage says.

"VBScript is baked in, or supported out of the box, with every Windows system," he explains. "There might be a way to turn it off within an organization, but you'd lose the ability to perform authorized tasks."

Related content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mmckeown
50%
50%
mmckeown,
User Rank: Apprentice
4/21/2018 | 6:53:35 PM
Great Write Up
Excellent article.  Be interesting what the most effective way to counter the threat.
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...