
S0442 VBShower

VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.[1]

| Item | Value |
|---|---|
| ID | S0442 |
| Associated Names | |
| Version | 1.0 |
| Created | 08 May 2020 |
| Last Modified | 12 May 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | VBShower has attempted to obtain a VBS script from command and control (C2) nodes over HTTP.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | VBShower used HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{8} to maintain persistence.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | VBShower has the ability to execute VBScript files.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | VBShower has attempted to complicate forensic analysis by deleting all the files contained in %APPDATA%\..\Local\Temporary Internet Files\Content.Word and %APPDATA%\..\Local Settings\Temporary Internet Files\Content.Word\.[1] |
| enterprise | T1105 | Ingress Tool Transfer | VBShower has the ability to download VBS files to the target computer.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0100 | Inception | [1] |