New Malware Adds RAT to a Persistent Loader

Published: 22/11/2024   Category: security




A newly discovered variant of a long-known malware loader adds the ability to control the victim from afar.



VBScript has long been an attack vector that could bring malicious software to an infected machine. But what if it could do more? What if VBScript could open a door to allow a PHP application access that would take control of a computer, making it part of a botnet? That's precisely the scenario in a newly described campaign called ARS VBS Loader, a variant of a popular downloader called SafeLoader VBS.
The new ARS VBS Loader, described by researchers at Flashpoint, downloads malware and provides remote-control access to a botnet controller, making it both a malware loader and a RAT, or remote access trojan. Paul Burbage, senior malware researcher at Flashpoint, says that he first noticed the new loader variant being sold on Russian malware sites in December 2017. It was, he says, being sold as a FUD ASPC (VBScript) loader — with FUD in this case meaning fully undetectable.
Burbage says that there are two characteristics of ARS VBS that make it highly unusual. The first is persistence; the second is the remote access capability.
"The persistence mechanism for this loader is pretty unique," Burbage says. It reports the statistics on its success back to the command and control server and is able to download additional malware from the server. As a result, he says that the threat actors can switch things up, changing attacks and profiles on the fly once the infection is in place.
One of the things that the persistent loader can do is receive additional commands. That's unusual for a loader because, Burbage says, "They tend not to have any command and control within the script." He says ARS VBS was authored with the intent for it to be the RAT, and that combines with the persistence mechanism to make it especially dangerous.
Asked whether the botnet to which ARS VBS seems to be recruiting systems is dangerous, Burbage says that it's far from the worst botnet he's seen. "I'm not sure how effective that would be in the wild because it utilizes a PHP POST Flood," he says, adding, "Most web sites easily defeat those."
So far, this new loader variant is being spread by relatively unsophisticated means. "Most of the initial infection records we see are massive shotgun spam campaigns that aren't carefully targeted," Burbage says, noting that they succeed because users are still clicking on attachments coming from unknown senders and VBScript payloads are still getting past anti-malware security systems. "It's really hard to tell the difference between legitimate VBScript files that network admins might use for legitimate admin duties, and malware," Burbage says.
"VBScript is baked in, or supported out of the box, with every Windows system," he explains. "There might be a way to turn it off within an organization, but you'd lose the ability to perform authorized tasks."
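The two points above, that VBScript payloads arrive as spam attachments and that they are hard to separate from an admin's own scripts, suggest a triage rule rather than a blanket block. The following is an added example, not code from the article or from Flashpoint: it runs a small heuristic over constructed process-creation events (the field names, the sample paths, the allow-listed admin directory `C:\Scripts\` and the list of mail clients are all assumptions for the example) and flags script-host launches that come from a mail client or run a `.vbs` file out of a user-writable location, while leaving scripts from the organisation's own script directory alone.

```python
import re

# Constructed sample process-creation events (not real telemetry).
# Field names "parent", "image" and "cmdline" are an assumption for this example.
SAMPLE_EVENTS = [
    {   # .vbs attachment opened straight from the mail client
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "image": r"C:\Windows\System32\wscript.exe",
        "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice_4471.vbs"',
    },
    {   # an admin inventory script run from the allow-listed directory
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\cscript.exe",
        "cmdline": r"cscript.exe //nologo C:\Scripts\inventory.vbs",
    },
    {   # a script double-clicked in the Downloads folder
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\wscript.exe",
        "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\Downloads\report.vbs"',
    },
    {   # a script re-launched from a roaming profile path after logon
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\wscript.exe",
        "cmdline": r"wscript.exe C:\Users\alice\AppData\Roaming\Microsoft\update.vbs",
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Hypothetical allow-list: where this organisation keeps its own admin scripts.
ADMIN_SCRIPT_DIRS = ("c:\\scripts\\",)
# Directories an ordinary user can write to, i.e. where attachments and downloads land.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\downloads\\", "\\temp\\")
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_path(cmdline):
    """Extract the first absolute .vbs path from a command line, lower-cased, or None."""
    m = re.search(r'[a-z]:\\[^"]*?\.vbs\b', cmdline, re.IGNORECASE)
    return m.group(0).lower() if m else None


def triage(event):
    """Return the list of reasons an event looks suspicious; an empty list means benign."""
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return []
    path = script_path(event["cmdline"])
    if path is None or path.startswith(ADMIN_SCRIPT_DIRS):
        return []  # not a .vbs launch, or an allow-listed admin script
    reasons = []
    if any(d in path for d in USER_WRITABLE_DIRS):
        reasons.append("script in user-writable location")
    if basename(event["parent"]) in MAIL_CLIENTS:
        reasons.append("launched from mail client (attachment)")
    return reasons


def triage_all(events):
    """Pair each event's script path with its triage reasons."""
    return [(script_path(e["cmdline"]), triage(e)) for e in events]


if __name__ == "__main__":
    for path, reasons in triage_all(SAMPLE_EVENTS):
        print(f"{path}: {', '.join(reasons) if reasons else 'ok'}")
```

The allow-list is what keeps the rule usable in practice: it encodes the "authorized tasks" the article says an organisation would lose by disabling VBScript outright, so legitimate admin scripts pass while attachment-style launches from profile and download directories are surfaced for review.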
