VBShower is a backdoor and a new tool used by Cloud Atlas to attack and spy on government organizations in multiple countries. Cloud Atlas is a threat group that has been active for five years now, and it keeps returning with new tools to steal more information.
Because VBShower and Cloud Atlas mainly target official institutions, VBShower is not something that individual desktop users should worry about (unless you are a government employee and you open your emails at home). Nevertheless, the persistence of this infection is reason enough to re-evaluate our cybersecurity habits.
According to security reports, the main country affected by VBShower and Cloud Atlas is Russia. However, government and economic entities in Portugal, Romania, Turkey, Kyrgyzstan, and several other countries have also been targeted by the threat group.
Over the years, Cloud Atlas has used all sorts of malware to infiltrate target organizations and steal their data. VBShower was reportedly first spotted in April 2019. Unlike the group’s previously used malware, PowerShower, VBShower deletes the evidence of its infection once it enters the target system and gets executed, and then connects to its command and control (C2) server to receive commands on what it should do.
This means that unless someone performs a thorough system scan using professional tools, it can be hard to notice that the system has been infected. As a result, VBShower might remain active on the system for a long time, collecting sensitive data, logging it, and sending it to its C2 server. Thus, this backdoor is used as a cyber-espionage tool, stealing important information from government entities and other large organizations.
What can be done to prevent VBShower from entering the target system? Well, we have to take a look at its distribution method. We know for sure that this infection uses phishing campaigns to reach its victims. This also means that employees at the targeted entities inadvertently let this malware into their systems because they are not aware of the potential threats when they open the phishing email. For the most part, these emails might look like the regular messages and notifications you receive every day from your partners and other organizations. For instance, here’s an example of the email addresses used in the phishing attacks:
At first glance, it can often seem that these emails belong to government entities, and thus the messages that carry these addresses in the “sender” line might look trustworthy. However, whenever you encounter an email with an attached document or a link, you should think twice before downloading the document or clicking the link. Always ask yourself whether you’ve really been expecting that message. Scan the file with a security tool if need be. Maybe there’s no harm intended, but it’s always better to be safe than sorry.
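As an added example of the checks described above (added here; not code from the article or from any Cloud Atlas analysis), the small triage script below flags three of the warning signs the text names: a sender domain that imitates a trusted one, an attachment type that can carry active content, and an external link in the body. The trusted domain, the sender address and the file name are constructed placeholders.

```python
import re, difflib, email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Placeholder trusted domain; the article names no real addresses.
TRUSTED_DOMAINS = {"ministry.example"}
# Attachment types that commonly carry macros, scripts or nested payloads.
RISKY_EXT = (".doc", ".docm", ".xls", ".xlsm", ".rtf", ".vbs", ".js", ".hta", ".zip", ".rar")

def sender_is_lookalike(addr: str) -> bool:
    """True when the sender domain imitates a trusted domain without being one."""
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return False
    for t in TRUSTED_DOMAINS:
        # near-miss spelling, or the trusted name reused as a label of another domain
        if difflib.SequenceMatcher(None, domain, t).ratio() > 0.8 or t.split(".")[0] in domain.split("."):
            return True
    return False

def triage(raw: str) -> list:
    """Return the reasons an inbound message deserves a second look before opening."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    if sender_is_lookalike(addr):
        findings.append(f"sender domain imitates a trusted domain: {addr}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"attachment may carry active content: {name}")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body and re.search(r"https?://", body.get_content()):
        findings.append("message body contains an external link")
    return findings

def build_sample() -> str:
    """Constructed sample message; the sender domain and file name are invented."""
    m = EmailMessage()
    m["From"] = '"Ministry Secretariat" <press@ministry.example-docs.org>'
    m["To"] = "analyst@corp.example"
    m["Subject"] = "Updated procedure"
    m.set_content("Please review the attached file and confirm at http://ministry.example-docs.org/confirm")
    m.add_attachment(b"\x00" * 8, maintype="application", subtype="msword", filename="procedure.doc")
    return m.as_string()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("-", finding)
```

Run on a real mailbox export, the same `triage` function can be applied to each `.eml` file; every finding is a reason to verify the message with the apparent sender through another channel before opening anything.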
Security experts are not sure who exactly is behind VBShower and Cloud Atlas. It is also very likely that in the long run, VBShower will be replaced by a new backdoor. In the meantime, it would be a good idea to review your organization’s cybersecurity measures. It’s not just about the security tool you use or your IT department; it’s also about the way your employees handle unfamiliar content. Make sure everyone is educated about the potential threats that can reach you through a simple email. No one wants their secrets stolen by the likes of VBShower, so please take your cybersecurity seriously.