A South Asian financial institution recently fell victim to a sophisticated cyberattack involving two custom-built malware tools: BRUSHWORM, a modular backdoor, and BRUSHLOGGER, a keylogger disguised as a legitimate system file. This attack underscores the escalating threats faced by financial organizations in the region, highlighting the need for enhanced cybersecurity measures.
BRUSHWORM: The Modular Backdoor
BRUSHWORM, masquerading as `paint.exe`, serves as the primary implant in this attack. Its multifaceted capabilities include establishing persistence on infected systems, communicating with a remote command-and-control (C2) server, downloading additional malicious payloads, propagating through removable USB drives, and exfiltrating sensitive documents. The malware’s ability to spread via USB drives is particularly concerning, as it uses socially engineered filenames like `Salary Slips.exe`, `Documents.exe`, and `Dont Delete.exe` to entice users into executing the malicious files.
BRUSHLOGGER: The Concealed Keylogger
BRUSHLOGGER operates under the guise of `libcurl.dll`, the name of a legitimate and widely used library, employing a technique known as DLL side-loading: a trusted executable that expects to find `libcurl.dll` beside it loads the attacker's copy from its own directory instead of the genuine library. Its primary function is to silently record every keystroke made on the compromised machine, along with the active window title for each session. This allows attackers to harvest login credentials, financial data, and internal communications without detection.
Discovery and Analysis
Elastic Security Labs researchers identified these malware components during an investigation into the targeted financial institution’s infrastructure. At the time of discovery, the victim’s environment had limited visibility, relying solely on Security Information and Event Management (SIEM) systems, which hindered comprehensive forensic analysis. Further investigation through VirusTotal revealed earlier development versions of the backdoor, uploaded under filenames such as `V1.exe`, `V2.exe`, and `V4.exe`. This indicates that the threat actor was actively refining their tools before deployment.
Technical Shortcomings and Development Insights
Despite the targeted nature of the attack, both BRUSHWORM and BRUSHLOGGER exhibited minimal code obfuscation and lacked advanced protective techniques. The overall code quality was notably poor. For instance, BRUSHWORM writes its decrypted configuration to disk in cleartext before creating an encrypted copy and then deleting the original, a sequence that reveals a lack of development discipline. Additionally, the use of free dynamic DNS infrastructure in testing versions and the absence of a kill switch suggest that the malware author is relatively inexperienced. It’s plausible that AI code-generation tools were employed during development without thorough review, leading to these shortcomings.
Infection Mechanism and Persistence
BRUSHWORM employs several tactics to ensure its persistence on infected systems. Upon execution, it creates hidden directories with hardcoded paths, such as `C:\ProgramData\Photoes\Pics\` for the main backdoor binary and `C:\Users\Public\Libraries\` for downloaded modules. The directory name was likely chosen to blend in with legitimate user directories, but its consistent misspelling (`Photoes` rather than `Photos`) appears to be a genuine mistake by the author.
To maintain persistence, BRUSHWORM registers a Windows scheduled task named `MSGraphics` through the COM Task Scheduler interface. This task is configured to run the backdoor each time the system starts, ensuring that the malware remains active even after reboots.
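The indicators quoted above (the staging directories, the `MSGraphics` task, the USB lure filenames, and `libcurl.dll` loaded from a non-standard location) can be turned into straightforward detection rules. The following is an added example, not code from the original report or from Elastic Security Labs: it runs a small rule set over a constructed sample of Sysmon-style events. The event shapes and field names (`TargetFilename`, `TaskName`, `Action`, `ImageLoaded`, `Signed`, and a `DriveType` enrichment marking removable media) are assumptions for illustration, and the path matching is case-insensitive so that `c:\programdata\...` and `C:\ProgramData\...` are treated alike.

```python
"""Event-stream detection for the BRUSHWORM / BRUSHLOGGER indicators quoted
on this page.  The Sysmon-style event dicts below are a constructed sample,
not telemetry from the original investigation, and their field names are
assumed for illustration."""
from pathlib import PureWindowsPath

# Indicators taken from the write-up (case-folded where compared).
STAGING_DIRS = (r"C:\ProgramData\Photoes\Pics", r"C:\Users\Public\Libraries")
TASK_NAME = "msgraphics"
USB_LURES = {"salary slips.exe", "documents.exe", "dont delete.exe"}
SIDELOAD_DLL = "libcurl.dll"


def _parts(path):
    """Case-folded path components, so comparisons ignore Windows casing."""
    return [p.lower() for p in PureWindowsPath(path).parts]


def under(path, root):
    """True when `path` lies inside directory `root` (or equals it)."""
    p, r = _parts(path), _parts(root)
    return p[: len(r)] == r


def in_staging_dir(path):
    return any(under(path, d) for d in STAGING_DIRS)


def basename(path):
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return one alert dict per matching event, in event order."""
    alerts = []
    for ev in events:
        kind = ev.get("event")
        rule = None
        if kind == "FileCreate":
            target = ev["TargetFilename"]
            if in_staging_dir(target):
                rule = "staging_dir_write"          # hardcoded drop paths
            elif ev.get("DriveType") == "removable" and basename(target) in USB_LURES:
                rule = "usb_lure"                   # lure executable on USB media
        elif kind == "TaskCreate":
            # Assumed fields: TaskName as in Security event 4698, Action = the
            # command the task runs.  Flag the reported name, or any task whose
            # command lives in one of the staging directories.
            name = ev["TaskName"].lstrip("\\").lower()
            if name == TASK_NAME or in_staging_dir(ev.get("Action", "")):
                rule = "persistence_task"
        elif kind == "ImageLoad":
            loaded = ev["ImageLoaded"]
            # libcurl.dll loaded from a staging directory, or unsigned, is the
            # side-loading pattern described for BRUSHLOGGER.
            if basename(loaded) == SIDELOAD_DLL and (
                in_staging_dir(loaded) or ev.get("Signed", "true") == "false"
            ):
                rule = "dll_sideload"
        if rule:
            alerts.append({"rule": rule, "host": ev.get("Computer"), "event": ev})
    return alerts


# Constructed sample: four malicious events interleaved with two benign ones.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "Computer": "ws01",
     "TargetFilename": r"C:\ProgramData\Photoes\Pics\paint.exe"},
    {"event": "FileCreate", "Computer": "ws01",
     "TargetFilename": r"C:\Users\alice\Documents\Documents.docx"},
    {"event": "TaskCreate", "Computer": "ws01", "TaskName": r"\MSGraphics",
     "Action": r"C:\ProgramData\Photoes\Pics\paint.exe"},
    {"event": "ImageLoad", "Computer": "ws01", "Signed": "true",
     "ImageLoaded": r"C:\Program Files\SomeVendor\libcurl.dll"},
    {"event": "FileCreate", "Computer": "ws01", "DriveType": "removable",
     "TargetFilename": r"E:\Salary Slips.exe"},
    {"event": "ImageLoad", "Computer": "ws01", "Signed": "false",
     "ImageLoaded": r"C:\Users\Public\Libraries\libcurl.dll"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["host"], alert["event"].get("TargetFilename")
              or alert["event"].get("TaskName") or alert["event"].get("ImageLoaded"))
```

The `persistence_task` rule deliberately matches on the command path as well as the task name, so a renamed task that still launches from `C:\ProgramData\Photoes\Pics\` is caught; the benign `libcurl.dll` under `Program Files` is not flagged because it is both signed and outside the staging directories.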
Implications for Financial Institutions
The deployment of BRUSHWORM and BRUSHLOGGER against a financial institution highlights the evolving tactics of cybercriminals targeting the financial sector. The use of custom-built malware tools, combined with techniques like DLL side-loading and USB propagation, demonstrates a strategic approach to infiltrate and persist within targeted environments.
Financial organizations must recognize the increasing sophistication of such threats and implement comprehensive cybersecurity strategies. This includes regular security audits, employee training on recognizing phishing attempts and malicious attachments, and deploying advanced threat detection systems capable of identifying and mitigating such attacks.
Recommendations for Mitigation
1. Enhanced Monitoring and Detection: Implement advanced endpoint detection and response (EDR) solutions to monitor for unusual activities, such as the creation of hidden directories or the registration of new scheduled tasks.
2. Regular Software Updates: Ensure that all systems and software are up to date with the latest security patches to mitigate vulnerabilities that could be exploited by malware.
3. User Education: Conduct regular training sessions for employees to recognize and report suspicious emails, attachments, and USB devices.
4. Access Controls: Limit user privileges to the minimum necessary for their roles to reduce the potential impact of malware infections.
5. Incident Response Planning: Develop and regularly update incident response plans to ensure a swift and effective response to security breaches.
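Recommendation 1 above calls for watching the registration of new scheduled tasks; the complementary hunt is to review the tasks that already exist on a host. The following is an added example, not code from the original report or from Elastic Security Labs: it parses Task Scheduler definitions in the XML format that `schtasks /query /tn <name> /xml` exports and flags any task that starts automatically (boot or logon trigger) from a user-writable location, in addition to the `MSGraphics` name reported on this page. The two task documents are constructed samples (the real export begins with an XML declaration using `encoding="UTF-16"`, omitted here so the strings parse directly), and the choice of `C:\ProgramData` and `C:\Users` as "user-writable roots" is an assumption of the example.

```python
"""Hunt for autostart persistence in exported Task Scheduler XML.  The two
task documents in SAMPLE_EXPORTS are constructed samples, not real exports."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace used by Task Scheduler 2.0 task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Triggers that fire without user interaction; the usual persistence vehicles.
AUTOSTART_TRIGGERS = ("BootTrigger", "LogonTrigger")
# Assumed: roots where ordinary users can write; tasks launching from here get reviewed.
USER_WRITABLE_ROOTS = (r"C:\ProgramData", r"C:\Users")
# Task name reported in the write-up, case-folded.
REPORTED_TASK_NAMES = {"msgraphics"}


def _parts(path):
    return [p.lower() for p in PureWindowsPath(path).parts]


def under(path, root):
    """True when `path` lies inside directory `root` (case-insensitive)."""
    p, r = _parts(path), _parts(root)
    return p[: len(r)] == r


def parse_task(xml_text):
    """Extract trigger types and Exec commands from one task definition."""
    root = ET.fromstring(xml_text)
    trig_el = root.find("t:Triggers", NS)
    triggers = [] if trig_el is None else [c.tag.split("}")[1] for c in trig_el]
    commands = [c.text.strip().strip('"')
                for c in root.iterfind(".//t:Exec/t:Command", NS) if c.text]
    return {"triggers": triggers, "commands": commands}


def review(name, task):
    """Return the reasons a task deserves analyst attention (empty if none)."""
    reasons = []
    if name.lstrip("\\").lower() in REPORTED_TASK_NAMES:
        reasons.append(f"task name {name} matches a reported indicator")
    autostart = [t for t in task["triggers"] if t in AUTOSTART_TRIGGERS]
    for cmd in task["commands"]:
        if autostart and any(under(cmd, r) for r in USER_WRITABLE_ROOTS):
            reasons.append(f"{autostart[0]} task launches from user-writable path {cmd}")
    return reasons


def hunt(exports):
    """exports: {task name: task XML}.  Returns {task name: reasons} for flagged tasks."""
    findings = {}
    for name, xml_text in exports.items():
        reasons = review(name, parse_task(xml_text))
        if reasons:
            findings[name] = reasons
    return findings


# Constructed samples: the reported persistence task and a benign built-in task.
SAMPLE_EXPORTS = {
    r"\MSGraphics": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>"C:\ProgramData\Photoes\Pics\paint.exe"</Command></Exec></Actions>
</Task>""",
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for task_name, reasons in hunt(SAMPLE_EXPORTS).items():
        print(task_name)
        for reason in reasons:
            print("  -", reason)
```

On a live host, one would feed `hunt()` the output of `schtasks /query /xml` per task (or the task files under `C:\Windows\System32\Tasks`), and a hit on the path heuristic alone, without the reported name, is still worth triage because it is exactly how a renamed variant of the same persistence would look.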
Conclusion
The BRUSHWORM and BRUSHLOGGER attack serves as a stark reminder of the persistent and evolving threats facing the financial sector. By understanding the tactics employed by cybercriminals and implementing robust security measures, financial institutions can better protect themselves against such sophisticated attacks.