A newly observed remote access trojan, ARS VBSLoader, has been seen targeting European industrial and financial organisations.
ARS VBSLoader is delivered via malicious email attachments distributed by spam and phishing campaigns. It is written entirely in VBScript, making it difficult for anti-virus products to detect.
Researchers at Flashpoint have seen and analysed this unusual departure from the norm in a downloader dubbed “ARS VBS Loader”, which they describe as a spin-off of a popular downloader called SafeLoader VBS that was sold, and eventually leaked, on Russian crimeware forums in 2015.
Once installed, ARS VBSLoader creates several entries in the registry, the scheduled tasks list and the startup folder to maintain persistence. It then collects information about the system and user before sending it to a command and control server.
ARS VBSLoader has numerous capabilities, including:
- Uploading, downloading and executing files.
- Stealing credentials.
- Participating in application-layer denial-of-service attacks.
Domains and IPs associated with ARS VBSLoader