Malware Targets Financial Institutions With Brushworm And Brushlogger

Credited by Curated
VTA-004564 – Malware Targets Financial Institutions With Brushworm And Brushlogger

A targeted cyberattack against a South Asian financial institution leveraged two custom malware tools to establish persistence, steal sensitive data, and capture user activity. Researchers said the operation relied on a modular backdoor, BRUSHWORM, and a keylogger, BRUSHLOGGER, delivered as separate binaries to improve flexibility and stealth.

BRUSHWORM, disguised as a legitimate executable, served as the primary foothold. It established persistence by creating scheduled tasks that executed at user logon, enabling continuous access to the infected system. The malware communicated with a remote command-and-control server to download additional payloads and exfiltrate sensitive documents. It also propagated via USB drives using deceptive filenames tailored to corporate environments, increasing the likelihood of user execution and lateral spread.

BRUSHLOGGER operated through DLL side-loading by masquerading as a trusted system library. Once loaded, it silently recorded keystrokes and active window titles, allowing attackers to capture credentials, financial data, and internal communications in real time.

The attack highlighted weaknesses in visibility, as the victim environment relied primarily on SIEM logs, limiting post-compromise investigation. Researchers noted that despite its impact, the malware lacked advanced obfuscation and demonstrated poor coding practices, suggesting a relatively inexperienced threat actor. Earlier development samples indicated iterative improvements before deployment.

Overall, the campaign combined persistence mechanisms, credential harvesting, and removable media propagation, demonstrating how even low-complexity malware can achieve significant impact when paired with social engineering and limited endpoint visibility.

Severity:
Medium

Attack Surface:
Endpoint, File Storage

Tactics:
Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence

Techniques:
T1566.003 – Phishing: Spearphishing via Service
T1204 – User Execution
T1053.005 – Scheduled Task/Job: Scheduled Task
T1574.002 – Hijack Execution Flow: DLL Side-Loading
T1091 – Replication Through Removable Media
T1056.001 – Input Capture: Keylogging
T1036.005 – Masquerading: Match Legitimate Name or Location
T1560 – Archive Collected Data
T1105 – Ingress Tool Transfer
T1041 – Exfiltration Over C2 Channel

Indicator of Compromise:
https://otx.alienvault.com/pulse/69c9d40f1dbb7b27de080b2e

References:
1. https://www.elastic.co/security-labs/brushworm-targets-financial-services

SuperPRO’s Threat Countermeasures Procedures:
1. Implement strict application whitelisting to prevent the execution of unsigned or unauthorized binaries.
2. Configure endpoint monitoring to alert on the creation of unusual scheduled tasks, particularly those whose actions run from user-writable locations or invoke system utilities such as rundll32.exe.
3. Disable or strictly control the use of removable USB media to block physical malware propagation and data exfiltration.
4. Deploy Endpoint Detection and Response tools capable of identifying DLL side-loading and suspicious library loading behaviors.
5. Conduct regular audits of hidden system directories and ProgramData folders for unauthorized executable files.
6. Enhance logging and telemetry beyond SIEM log collection (for example, endpoint process, image-load and scheduled-task events) to provide better visibility into post-exploitation activity.
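The two behaviours that defined this intrusion, a scheduled task fired at logon from a user-writable directory and a system-library name loaded from outside the Windows directory, map directly onto countermeasures 2 and 4 above. The following Python is an added example written for this page, not code from Elastic Security Labs or from the referenced research. It runs two heuristics over simplified records shaped like Windows Security event 4698 (scheduled task created, with the task XML in TaskContent) and Sysmon event 7 (image loaded). The directory patterns, the DLL watch-list and every sample record are constructed assumptions, not indicators from the incident.

```python
"""Detection heuristics for logon-triggered scheduled tasks from writable
paths and for DLL side-loading candidates (added example, constructed data)."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a logon-persistence binary should not normally run from.
# Assumption: ProgramData, any user profile, and drive letters D: and above
# (removable media). Tune to the estate.
WRITABLE_PATH_RE = re.compile(
    r"^(?:[A-Z]:\\ProgramData\\|[A-Z]:\\Users\\[^\\]+\\|[D-Z]:\\)", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(
    r"^C:\\Windows\\(?:System32|SysWOW64)\\[^\\]+$", re.IGNORECASE)
# Hypothetical watch-list of library names often abused for side-loading;
# the page does not name the library BRUSHLOGGER impersonated.
WATCHED_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}


def logon_task_from_writable_path(task_xml: str):
    """Return the offending command if the task XML (the 4698 TaskContent field)
    has a LogonTrigger and an Exec action under a writable path, else None."""
    root = ET.fromstring(task_xml)
    if root.find(".//t:Triggers/t:LogonTrigger", TASK_NS) is None:
        return None
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS):
        command = (cmd.text or "").strip().strip('"')
        if WRITABLE_PATH_RE.match(command):
            return command
    return None


def sideloaded_dll(image_loaded: str) -> bool:
    """Sysmon event 7 heuristic: a watched system-library file name loaded
    from anywhere other than System32 / SysWOW64."""
    name = image_loaded.rsplit("\\", 1)[-1].lower()
    return name in WATCHED_DLLS and not SYSTEM_DIR_RE.match(image_loaded)


def triage(events):
    """Run both heuristics over simplified event records and return alerts."""
    alerts = []
    for ev in events:
        if ev["id"] == 4698:
            cmd = logon_task_from_writable_path(ev["task_content"])
            if cmd:
                alerts.append(("logon-task-writable-path", ev["task_name"], cmd))
        elif ev["id"] == 7 and sideloaded_dll(ev["image_loaded"]):
            alerts.append(("dll-sideload", ev["image"], ev["image_loaded"]))
    return alerts


# Minimal Task Scheduler XML skeleton used to build constructed 4698 records.
TASK_TMPL = (
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    "<Triggers>{trigger}</Triggers>"
    '<Actions Context="Author"><Exec><Command>{cmd}</Command></Exec></Actions></Task>')

# Constructed sample events: one suspicious and one benign record per heuristic.
SAMPLE_EVENTS = [
    {"id": 4698, "task_name": "\\WinUpdateCheck",
     "task_content": TASK_TMPL.format(
         trigger="<LogonTrigger><Enabled>true</Enabled></LogonTrigger>",
         cmd=r"C:\ProgramData\WinUpdate\update.exe")},
    {"id": 4698, "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "task_content": TASK_TMPL.format(
         trigger="<CalendarTrigger><StartBoundary>2024-01-01T00:00:00</StartBoundary></CalendarTrigger>",
         cmd=r"C:\Windows\System32\defrag.exe")},
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\Temp\report.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"id": 7, "image": r"C:\Windows\explorer.exe",
     "image_loaded": r"C:\Windows\System32\version.dll"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Both heuristics are deliberately narrow: the task check only fires on a logon trigger combined with a writable action path, so routine vendor updaters under Program Files stay quiet, and the DLL check keys on the file name rather than the loading process, which is what catches a signed, legitimate host executable pulling a rogue library from its own directory. Event 4698 auditing and Sysmon image-load logging both have to be enabled and shipped for these rules to see anything, which is exactly the telemetry gap countermeasure 6 addresses.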

Contributed by: Fatini