ARS VBS Loader: ‘cause size doesn’t matter (right?)

Thursday 4 October 09:00 - 09:30, Green room

Jose Miguel Esparza (Blueliv)

JavaScript and Visual Basic Script have already been used in the past as attack vectors in order to distribute additional malware, but they are also used in more targeted campaigns as a way to stay under the radar and gain persistence in  infected systems. Even if they are not as common as binary botnets, there are active botnets which are operated solely using malware written in these languages, like ARS VBS Loader. There are still cybercriminals who don’t let themselves be carried along by trends like cryptomining and ransomware and choose to use other tools, like tiny obfuscated VBS scripts which are more than enough to be able to control infected machines, execute commands and install additional malware and plug-ins. ARS VBS Loader is being developed for those cybercriminals and has evolved from the first versions until now, adding functionalities to execute PowerShell commands and send a screenshot to the C&C when the malware is executed for the first time, for instance. This talk will explain all these details, including information about its evolution, the malware families it is distributing, its stealer plug-ins, and how an active campaign is being spread targeting Canadian users.



Jose Miguel Esparza

Jose Miguel Esparza is Head of Threat Intelligence at Blueliv, focused on researching and providing threat intelligence around botnets, malware and threat actors. He is a security researcher who has been working analysing Internet threats since 2007, starting at S21sec e-crime, later leading the Threat InTELL team at Fox-IT until the end of 2017 and, more recently, joining Blueliv to enrich and broaden their intelligence proposition. He is the author of the security tool peepdf and he also writes on about security and Internet threats if time permits. He has taken part as speaker/trainer in several local and international conferences like RootedCon, Cybersecurity Summer BootCamp, Source, Black Hat, Troopers and Botconf, among others. You can easily find him on Twitter talking about security.


Back to VB2018 Programme page

Other VB2018 papers

Starving malware authors through dynamic classification

Karishma Sanghvi (Microsoft)
Joe Blackbird (Microsoft)

DOKKAEBI: Documents of Korean and Evil Binary

Jaeki Kim (Financial Security Institute)
Kyoung-Ju Kwak (Financial Security Institute)
Min-Chang Jang (Financial Security Institute)

Unpacking the packed unpacker: reversing an Android anti-analysis library

Maddie Stone (Google)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.