A financial institution in South Asia has been targeted in a sophisticated cyberattack employing custom malware known as BRUSHWORM and BRUSHLOGGER. The operation highlights the escalating threat landscape for financial organizations across the region, as attackers leverage novel techniques for persistent system access and data exfiltration. The dual-malware approach underscores significant security concerns for the financial sector.
The attack, identified by Elastic Security Labs, involved BRUSHWORM, a versatile backdoor, and BRUSHLOGGER, a keystroke logger. Both were deployed as distinct executables. BRUSHWORM, disguised as a system file, was responsible for establishing persistence, maintaining communication with command-and-control (C2) servers, downloading additional malicious payloads, and spreading through removable media. Concurrently, BRUSHLOGGER, masquerading as a legitimate Windows library, was designed to capture all user keystrokes and log active window titles, providing attackers with real-time access to sensitive information.
Researchers discovered the malware during an analysis of the targeted financial firm’s infrastructure. The organization’s existing security measures, primarily at the SIEM (Security Information and Event Management) level, offered limited visibility into post-exploitation activities, complicating a comprehensive forensic investigation. Further analysis, including pivoting on VirusTotal, revealed what appear to be earlier development iterations of BRUSHWORM, indicated by filenames like V1.exe and V2.exe, suggesting a progression of the malware’s capabilities prior to its deployment in the wild.
Despite the targeted nature of the intrusion, neither BRUSHWORM nor BRUSHLOGGER incorporated advanced obfuscation or packing techniques. The overall code quality was assessed as relatively low, with notable developmental weaknesses identified. For example, BRUSHWORM reportedly writes its decrypted configuration data to disk in cleartext before encrypting and deleting the original, a process that demonstrates a lack of rigorous development discipline. Additionally, the use of free dynamic DNS services for C2 infrastructure in earlier versions and the absence of a kill switch led researchers to conclude with moderate confidence that the malware author may be inexperienced and potentially utilized AI code generation tools without thorough validation of the output.
BRUSHWORM’s Infection Mechanism and Persistence
A key aspect of this attack is the method by which BRUSHWORM establishes a foothold and maintains its presence on compromised systems. Upon execution, the malware creates several hidden directories for its components and downloaded modules. A notable characteristic is the consistent misspelling of “Photoes” in directory paths, a potential oversight by the developer that may have inadvertently aided in its camouflage as a legitimate user media folder.
To ensure continued operation after system reboots, BRUSHWORM leverages Windows scheduled tasks. It registers a task named `MSGraphics` via the COM Task Scheduler interface, configured to launch the backdoor upon user login. Subsequently, it retrieves a DLL payload from its C2 server at the domain `resources.dawnnewsisl[.]com`. This payload, downloaded as `Recorder.dll`, is then executed using a second scheduled task, `MSRecorder`, through the `rundll32.exe` utility.
In scenarios where systems are air-gapped or lack direct internet connectivity, BRUSHWORM employs a physical exfiltration strategy. It copies all harvested files onto any connected USB drive, providing a method to bridge network segmentation and exfiltrate sensitive data.
Security teams are advised to implement stringent controls on the execution of unsigned binaries and to monitor for the creation of unusual scheduled tasks, particularly those named `MSGraphics` or `MSRecorder`. The deployment of endpoint detection solutions equipped with USB activity monitoring capabilities can help prevent BRUSHWORM’s propagation through removable media. Furthermore, auditing DLL loading behavior across endpoints is crucial for detecting side-loading attempts like those employed by BRUSHLOGGER. YARA rules have been made available to aid in the identification of both BRUSHWORM and BRUSHLOGGER within endpoint and network environments.
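The detection advice above (unusual scheduled task names, `rundll32.exe` launching a DLL from a user directory, the misspelled "Photoes" path, and the C2 domain) can be turned into simple telemetry matching. The following is an added example, not code from Elastic Security Labs or from the original report: it runs the page's indicators over a handful of constructed EDR-style event records (the host names, the executable filename and the event field names are assumptions) and escalates any host that matches two or more distinct indicators.

```python
"""Match BRUSHWORM/BRUSHLOGGER indicators from the write-up against
constructed endpoint telemetry. Added example; not the report's own tooling."""
import re
from typing import Dict, List

# Indicators taken from the write-up.
SUSPICIOUS_TASK_NAMES = {"MSGraphics", "MSRecorder"}
C2_DOMAIN = "resources.dawnnewsisl.com"      # defanged as [.] in the report
PAYLOAD_DLL = "recorder.dll"                 # compared case-insensitively
PHOTOES_RE = re.compile(r"\\photoes\\", re.IGNORECASE)  # misspelled dir component

# Constructed sample events, loosely shaped like Sysmon/EDR records.
# Host names, user name and "sysfile.exe" are placeholders, not real IoCs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "task_created", "task_name": "MSGraphics",
     "command": r"C:\Users\alice\Photoes\sysfile.exe", "host": "FIN-WS-01"},
    {"event": "process_start", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\Photoes\Recorder.dll,Start",
     "host": "FIN-WS-01"},
    {"event": "dns_query", "query": "resources.dawnnewsisl.com", "host": "FIN-WS-01"},
    {"event": "image_load", "image_loaded": r"C:\Windows\System32\version.dll",
     "host": "FIN-WS-02"},
    {"event": "task_created", "task_name": "Backup Nightly",
     "command": r"C:\Program Files\Backup\backup.exe", "host": "FIN-WS-02"},
    {"event": "process_start", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL", "host": "FIN-WS-02"},
]


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicator labels a single event matches (possibly none)."""
    hits: List[str] = []
    kind = ev.get("event")
    if kind == "task_created":
        if ev.get("task_name") in SUSPICIOUS_TASK_NAMES:
            hits.append("scheduled_task_name")
        if PHOTOES_RE.search(ev.get("command", "")):
            hits.append("photoes_path")
    elif kind == "process_start":
        cmd = ev.get("command_line", "")
        if ev.get("image", "").lower().endswith("rundll32.exe") and PAYLOAD_DLL in cmd.lower():
            hits.append("rundll32_recorder_dll")
        if PHOTOES_RE.search(cmd):
            hits.append("photoes_path")
    elif kind == "dns_query":
        if ev.get("query", "").lower().rstrip(".") == C2_DOMAIN:
            hits.append("c2_domain")
    elif kind == "image_load":
        # DLL loaded from the camouflage folder rather than a system path
        if PHOTOES_RE.search(ev.get("image_loaded", "")):
            hits.append("photoes_path")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Collect the distinct indicators seen per host."""
    per_host: Dict[str, set] = {}
    for ev in events:
        hits = classify_event(ev)
        if hits:
            per_host.setdefault(ev.get("host", "unknown"), set()).update(hits)
    return {host: sorted(inds) for host, inds in per_host.items()}


def escalate(findings: Dict[str, List[str]], threshold: int = 2) -> List[str]:
    """Hosts with at least `threshold` distinct indicators warrant investigation."""
    return sorted(h for h, inds in findings.items() if len(inds) >= threshold)


if __name__ == "__main__":
    findings = scan(SAMPLE_EVENTS)
    for host, inds in findings.items():
        print(f"{host}: {', '.join(inds)}")
    print("escalate:", escalate(findings))
```

Requiring two independent indicators before escalating keeps a single benign `rundll32.exe` invocation or an unrelated task name from paging an analyst, while the combination of a known task name, the misspelled path and the C2 lookup on one host is hard to explain innocently.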
The continued threat from custom malware targeting financial institutions necessitates a multi-layered security approach. Organizations should focus on enhanced threat intelligence, robust endpoint detection and response (EDR) capabilities, and continuous monitoring of network traffic and system activities. The insights gained from this BRUSHWORM and BRUSHLOGGER campaign underscore the importance of understanding attacker methodologies and proactively strengthening defenses against such targeted intrusions.