VBShower PowerShell Backdoor

VBShower is a new PowerShell-based polymorphic backdoor, created by the Inception advanced persistent threat group to replace their older PowerShower malware.

Also known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities.

VBShower uses an embedded HTA file distributed via targeted spam or spear-phishing campaigns. When opened, this file will execute an unnamed launcher, which in turn executes VBShower. The HTA file also contains a context file which is used by VBShower to connect to a command control server.

Once installed, VBShower will download VBS files containing the intended payloads from the C2 server, which are then installed on the affected system. In some campaigns VBShower will also install PowerShower, which is then used to extract user credentials and files.

Further details can be found here

Emails used by the attackers

VBShower registry persistence

  • Key : HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{8}
  • Value : wscript //B “%APPDATA%\[A-Za-z]{5}.vbs”

VBShower paths

  • %APPDATA%\[A-Za-z]{5}.vbs.dat
  • %APPDATA%\[A-Za-z]{5}.vbs
  • %APPDATA%\[A-Za-z]{5}.mds

VBShower C2s


Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: