VBShower

VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.[1]

ID: S0442
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 May 2020
Last Modified: 12 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

VBShower has attempted to obtain a VBS script from command and control (C2) nodes over HTTP.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

VBShower used HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{8} to maintain persistence.[1]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

VBShower has the ability to execute VBScript files.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

VBShower has attempted to complicate forensic analysis by deleting all the files contained in %APPDATA%..\Local\Temporary Internet Files\Content.Word and %APPDATA%..\Local Settings\Temporary Internet Files\Content.Word\.[1]

Enterprise T1105 Ingress Tool Transfer

VBShower has the ability to download VBS files to the target computer.[1]
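
One way to check for the Run key naming pattern listed under T1547.001, as an added example that is not part of the ATT&CK entry: it parses `reg query` output for the HKCU Run key and flags value names of exactly eight hexadecimal characters. The sample output, the script-host ranking heuristic and the function names are constructed for illustration.

```python
import re

# Value-name pattern taken from the page: eight hexadecimal characters.
HEX8_NAME = re.compile(r"[a-fA-F0-9]{8}")
# Assumption added here to rank hits (not an indicator from the page): script host or VBS file.
SCRIPT_HINT = re.compile(r"\b[wc]script\b|\.vb[se]\b", re.I)
# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

# Constructed sample of: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    3fA90c1B    REG_SZ    wscript.exe //B "C:\Users\alice\AppData\Roaming\example\placeholder.vbs"
    DEADBEEF    REG_SZ    "C:\Program Files\ExampleVendor\updater.exe" --silent
    CAFEBABE01    REG_SZ    C:\Tools\notes.exe
"""

def parse_run_values(reg_output):
    """Yield (name, type, data) for each value line in `reg query` text."""
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line.rstrip("\r"))
        if m:
            yield m.group("name"), m.group("type"), m.group("data")

def find_hex8_run_values(reg_output):
    """Return findings for Run values whose name is exactly eight hex characters."""
    findings = []
    for name, _type, data in parse_run_values(reg_output):
        if HEX8_NAME.fullmatch(name):
            # A name-only hit still needs analyst review; a script-host command raises priority.
            priority = "high" if SCRIPT_HINT.search(data) else "review"
            findings.append({"name": name, "data": data, "priority": priority})
    return findings

if __name__ == "__main__":
    for f in find_hex8_run_values(SAMPLE):
        print(f"[{f['priority']}] {f['name']} -> {f['data']}")
```
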

Groups That Use This Software

ID Name References
G0100 Inception [1]