BRUSHWORM and BRUSHLOGGER Malware Targets South Asian Financial Firm
Key Takeaways
- A South Asian financial institution fell victim to a sophisticated cyberattack involving two custom malware strains: BRUSHWORM and BRUSHLOGGER.
- BRUSHWORM, a modular backdoor, facilitated document theft, C2 communication, and USB-based propagation, while BRUSHLOGGER acted as a keylogger.
- The attack combined data exfiltration, persistent access, and real-time credential harvesting, posing a significant threat to financial sector entities in the region.
- Researchers from Elastic Security Labs identified developmental flaws in the malware, suggesting the threat actor may be relatively inexperienced and possibly used AI code generation tools.
- Organizations are advised to implement strict execution policies for unsigned binaries, monitor scheduled tasks, and deploy endpoint detection with USB activity monitoring.
A financial institution in South Asia has recently been targeted in a cyberattack employing two distinct, purpose-built malware tools: BRUSHWORM, a versatile backdoor, and BRUSHLOGGER, a keylogger designed to mimic legitimate system files. This incident underscores the escalating cyber risks confronting financial organizations throughout the South Asian region, with attackers increasingly deploying tailored intrusions.
The operation meticulously orchestrated file exfiltration, established enduring system access, and captured keystrokes in real time. This multi-pronged approach highlights the advanced capabilities and strategic intent behind modern cyber campaigns targeting critical financial infrastructure. Further details on the malware’s capabilities and the attack’s scope were published in a report.
The two malware components were deployed as distinct binaries, indicating a carefully planned attack sequence. BRUSHWORM, posing as paint.exe, functioned as the primary implant. Its responsibilities included establishing persistence, communicating with a remote command-and-control (C2) server, downloading additional malicious payloads, propagating via removable USB drives, and extracting sensitive documents from compromised systems.
BRUSHLOGGER, on the other hand, cunningly disguised itself as libcurl.dll, a common Windows library, leveraging a technique known as DLL side-loading. Its singular objective was to covertly record every keystroke entered on the infected machine, alongside logging the title of the active window for each session. This allowed for the surreptitious collection of sensitive information without user detection.
Discovery and Analysis
The sophisticated malware campaign came to light through the diligent efforts of Elastic Security Labs researchers during an investigation into the targeted financial institution’s network infrastructure. At the time of the incident, the victim environment’s visibility was limited to SIEM-level telemetry, which significantly hampered a comprehensive forensic reconstruction of post-exploitation activities.
Further analysis, including pivoting through VirusTotal, revealed what appeared to be earlier development iterations of the BRUSHWORM backdoor. These versions were uploaded under generic filenames such as V1.exe, V2.exe, and V4.exe. This discovery suggests that the threat actor was actively refining their toolset before launching the final deployment. Despite the targeted nature of the attack, the binaries surprisingly lacked significant code obfuscation, packing, or advanced protective measures. The overall quality of the code was notably poor.
For instance, BRUSHWORM exhibited a critical development flaw: it would write its decrypted configuration to disk in cleartext before creating an encrypted copy and subsequently deleting the original. This error-prone sequence betrays a lack of robust development practices. Coupled with the use of free dynamic DNS infrastructure in testing versions and the absence of a kill switch, researchers concluded with moderate confidence that the malware author possesses limited experience and might have utilized AI code-generation tools without thorough review of the output.
Impact and Propagation
The repercussions of this attack extended far beyond mere data theft. BRUSHWORM was engineered to self-replicate across connected USB drives, employing socially engineered filenames such as Salary Slips.exe, Documents.exe, and Dont Delete.exe. These names were specifically chosen to entice employees within a corporate financial environment into executing them, facilitating the malware’s spread.
Concurrently, BRUSHLOGGER silently captured every keystroke, harvesting critical information like login credentials, financial transaction inputs, and internal communications throughout the infection period, posing a severe risk of data breaches and financial fraud.
BRUSHWORM’s Infection Mechanism and Persistence
A key aspect of this attack is BRUSHWORM’s methodical approach to embedding itself within a system and ensuring its continued presence. Upon initial execution, the malware establishes several hidden directories using hardcoded paths. For example, the primary backdoor binary is stored in C:\ProgramData\Photoes\Pics, while downloaded modules reside in C:\Users\Public\Libraries. Notably, the consistent misspelling of “Photoes” is believed to be a genuine oversight by the developer, possibly intended to make the directory blend in with legitimate user media folders.
To achieve persistence across system reboots, BRUSHWORM leverages the COM Task Scheduler interface to register a Windows scheduled task named MSGraphics. This task is configured to execute the backdoor every time a user logs in. Following this, it retrieves a DLL payload from its C2 server, located at resources.dawnnewsisl[.]com/updtdll, via a WinHTTP GET request. This payload is then saved as Recorder.dll and launched through a secondary scheduled task, MSRecorder, using rundll32.exe.
In scenarios where an infected environment lacks internet connectivity, BRUSHWORM is designed to switch to a physical exfiltration method. It automatically copies all stolen files directly to any connected USB drive, enabling it to bridge air-gapped networks and exfiltrate data offline.
What You Should Do
- Restrict Unsigned Binaries: Implement strict policies to prevent the execution of unsigned binaries across all endpoints.
- Monitor Scheduled Tasks: Proactively monitor and audit the creation of new scheduled tasks, especially those named MSGraphics or MSRecorder, for any suspicious activity.
- Deploy EDR with USB Monitoring: Utilize Endpoint Detection and Response (EDR) solutions equipped with robust USB activity monitoring capabilities to detect and block BRUSHWORM’s propagation attempts via removable media.
- Audit DLL Loading Behavior: Regularly audit and analyze DLL loading behaviors on endpoints to identify and mitigate DLL side-loading attempts, such as those employed by BRUSHLOGGER.
- Implement YARA Rules: Deploy the provided YARA rules to identify and detect BRUSHWORM and BRUSHLOGGER across your network and endpoint environments.
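The persistence chain described under “BRUSHWORM’s Infection Mechanism and Persistence” and the recommendations above translate directly into hunt logic. The following Python script is an added example written for this article, not code from Elastic Security Labs or from the report: it runs a set of detection rules over endpoint telemetry and flags the indicators the article names (the MSGraphics and MSRecorder tasks, the C:\ProgramData\Photoes\Pics and C:\Users\Public\Libraries staging directories, rundll32.exe launching Recorder.dll, the USB lure filenames, and the C2 host). The event schema (dicts with a "type" key), the sample events, the rundll32 export name and the assumption that a libcurl.dll loaded from a user-writable root by a process living there is a side-load candidate are all constructed for the example; map the field names onto your own EDR or Sysmon pipeline.

```python
"""Hunt for BRUSHWORM / BRUSHLOGGER indicators in endpoint telemetry.

The telemetry schema used here is a constructed stand-in for EDR or Sysmon
events, not a real product format. Indicator values are quoted from the report.
"""
from dataclasses import dataclass

# Indicators quoted from the report (case-insensitive comparison below).
TASK_NAMES = {"msgraphics", "msrecorder"}
STAGING_DIRS = (r"c:\programdata\photoes\pics", r"c:\users\public\libraries")
USB_LURES = {"salary slips.exe", "documents.exe", "dont delete.exe"}
C2_HOST = "resources.dawnnewsisl.com"  # printed defanged in the report
# Assumption (not from the report): libcurl.dll loaded by a process that lives
# under one of these user-writable roots is treated as a side-loading candidate.
WRITABLE_ROOTS = (r"c:\programdata", r"c:\users\public")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case and use backslashes so prefix checks are reliable."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    """Last path component of a Windows-style path (works on any host OS)."""
    return path.rsplit("\\", 1)[-1]


def check_event(ev: dict) -> list[Finding]:
    """Return the findings for one telemetry event (empty list if clean)."""
    kind = ev.get("type")
    out: list[Finding] = []

    if kind == "task_created" and ev.get("task_name", "").lower() in TASK_NAMES:
        out.append(Finding("persistence.scheduled_task", ev["task_name"]))

    elif kind == "file_created":
        path = _norm(ev.get("path", ""))
        if path.startswith(STAGING_DIRS):
            out.append(Finding("staging.known_directory", ev["path"]))
        # A lure filename written to any drive other than C: is the USB spread.
        if _basename(path) in USB_LURES and not path.startswith("c:\\"):
            out.append(Finding("propagation.usb_lure", ev["path"]))

    elif kind == "process_started":
        image = _basename(_norm(ev.get("image", "")))
        cmd = ev.get("command_line", "").lower()
        if image == "rundll32.exe" and "recorder.dll" in cmd:
            out.append(Finding("execution.rundll32_recorder", ev["command_line"]))

    elif kind == "image_loaded":
        module = _norm(ev.get("module", ""))
        loader = _norm(ev.get("process_image", ""))
        if _basename(module) == "libcurl.dll" and loader.startswith(WRITABLE_ROOTS):
            out.append(Finding("sideload.libcurl_from_writable_path", ev["module"]))

    elif kind == "dns_query" and ev.get("query", "").lower().rstrip(".") == C2_HOST:
        out.append(Finding("c2.known_host", ev["query"]))

    return out


def scan(events: list[dict]) -> list[Finding]:
    """Run check_event over a batch of events and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry (not from the report); the export name passed to
# rundll32 is a placeholder, the report does not state it.
SAMPLE_EVENTS = [
    {"type": "task_created", "task_name": "MSGraphics"},
    {"type": "file_created", "path": r"C:\ProgramData\Photoes\Pics\paint.exe"},
    {"type": "file_created", "path": r"C:\Users\Public\Libraries\Recorder.dll"},
    {"type": "process_started", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\Public\Libraries\Recorder.dll,PLACEHOLDER"},
    {"type": "image_loaded", "process_image": r"C:\ProgramData\Photoes\Pics\paint.exe",
     "module": r"C:\ProgramData\Photoes\Pics\libcurl.dll"},
    {"type": "file_created", "path": r"E:\Salary Slips.exe"},
    {"type": "dns_query", "query": "resources.dawnnewsisl.com"},
    # Benign events that must not fire:
    {"type": "file_created", "path": r"C:\Users\jdoe\Documents\budget.xlsx"},
    {"type": "image_loaded", "process_image": r"C:\Program Files\Git\bin\git.exe",
     "module": r"C:\Program Files\Git\mingw64\bin\libcurl.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

The libcurl.dll rule is deliberately narrow: libcurl ships legitimately with many applications, so matching on the module name alone would be noisy. Tying the match to a loader that resides under a user-writable root keeps the rule aligned with the side-loading pattern the article attributes to BRUSHLOGGER while leaving installed software alone. The USB lure rule similarly only fires off the system drive, which is where BRUSHWORM’s propagation copies land.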
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.