ARS VBS Loader: ‘cause size doesn't matter (right?)

Presented at VB2018, Oct. 4, 2018, 9 a.m. (30 minutes).

JavaScript and Visual Basic Script have already been used in the past as attack vectors in order to distribute additional malware, but they are also used in more targeted campaigns as a way to stay under the radar and gain persistence in infected systems. Even if they are not as common as binary botnets, there are active botnets which are operated solely using malware written in these languages, like ARS VBS Loader. There are still cybercriminals who don't let themselves be carried along by trends like cryptomining and ransomware and choose to use other tools, like tiny obfuscated VBS scripts which are more than enough to be able to control infected machines, execute commands and install additional malware and plug-ins. ARS VBS Loader is being developed for those cybercriminals and has evolved from the first versions until now, adding functionalities to execute PowerShell commands and send a screenshot to the C&C when the malware is executed for the first time, for instance. This talk will explain all these details, including information about its evolution, the malware families it is distributing, its stealer plug-ins, and how an active campaign is being spread targeting Canadian users.

Presenters:

  • Jose Miguel Esparza - Blueliv
    Jose Miguel Esparza is Head of Threat Intelligence at Blueliv, focused on researching and providing threat intelligence around botnets, malware and threat actors. He is a security researcher who has been working on analysing Internet threats since 2007, starting at S21sec e-crime, later leading the Threat InTELL team at Fox-IT until the end of 2017 and, more recently, joining Blueliv to enrich and broaden their intelligence proposition. He is the author of the security tool peepdf and he also writes on eternal-todo.com about security and Internet threats if time permits. He has taken part as a speaker/trainer in several local and international conferences such as RootedCon, Cybersecurity Summer BootCamp, Source, Black Hat, Troopers and Botconf, among others. You can easily find him on Twitter talking about security: @EternalTodo
