VERY IMPORTANT

Malicious VBScript has long been a fixture of spam and phishing campaigns, but until recently its functionality has been limited to downloading malware from an attacker-controlled server and executing it on a compromised computer. Researchers at Flashpoint have seen and analyzed a unique departure from this norm in ARS VBS Loader, a spin-off of a popular downloader called SafeLoader VBS that was sold and eventually leaked in 2015 on Russian crimeware forums. ARS VBS Loader not only downloads and executes malicious code, but also includes a command and control application written in PHP that allows a botmaster to issue commands to a victim’s machine. This behavior likens ARS VBS Loader to a remote access Trojan (RAT), giving it behavior and capabilities rarely seen in malicious “loaders”, i.e. initial infection vector malware families used to install subsequent payloads.