Flashpoint researchers warn of new VBS Loader
April 16, 2018 / Warwick Ashford
Researchers have issued warnings about a new VBScript downloader that behaves like a remote access Trojan, is designed to run undetected and can update and delete itself. Although malicious VBScript has long been a fixture of spam and phishing campaigns, its functionality has been limited to downloading malware from an attacker-controlled server and executing it on a compromised computer – but that has changed, according to security researchers. Researchers at Flashpoint have seen and analysed a unique departure from this norm in a downloader dubbed “ARS VBS Loader”, which they describe as a spin-off of a popular downloader called SafeLoader VBS that was sold and eventually leaked on Russian crimeware forums in 2015.