
Hackers Attack South Asian Financial Firm Using BRUSHWORM and BRUSHLOGGER Tactics


South Asian Financial Institution Targeted by New Malware Toolset

A financial institution in South Asia was recently compromised with a previously undocumented malware toolset that pairs a modular backdoor, tracked as BRUSHWORM, with a DLL side-loaded keylogger, tracked as BRUSHLOGGER. The intrusion is a useful case study in how a small, home-grown toolkit can still deliver persistence, bulk data theft and keystroke capture against a financial-services target.

Technical Overview of the Malware Components

The backdoor was delivered as paint.exe and the keylogger as libcurl.dll. Neither component uses meaningful packing or obfuscation, which points to a simple design rather than a mature tooling pipeline. BRUSHWORM is the central implant: it handles installation, persistence, command-and-control (C2), loading of modular payloads and USB worm propagation, and it performs bulk theft of files in a range of business-critical formats.

BRUSHLOGGER complements the backdoor by recording keystrokes on the compromised host together with context about what the user was doing at the time. That context is what turns raw keystrokes into usable credentials and an understanding of the victim's internal workflows.

Investigation Insights

Elastic Security Labs uncovered the intrusion during an investigation in which the victim environment provided only SIEM-level telemetry, which limited visibility into post-exploitation activity on the affected hosts. Pivoting on the samples turned up multiple earlier builds on VirusTotal, with filenames such as V1.exe, V2.exe and V4.exe. Some of these variants were configured to use free dynamic DNS services, suggesting the developers were iterating on the toolkit over time.

Coding mistakes and an outdated encrypted-configuration schema in the samples suggest an inexperienced developer. Flaws of this kind cut both ways: they limit what the operators can reliably do, and they give defenders stable artifacts (fixed paths, misspellings, static keys) to build detections and analysis around.

Detailed Behavior of the BRUSHWORM Backdoor

On execution, BRUSHWORM runs a series of basic anti-analysis checks intended to spot sandboxes and analyst machines. For instance, it queries the screen resolution and exits if it is below 1024×768 pixels, since small default displays are typical of sandbox virtual machines.

If it detects a hypervisor, the malware briefly sleeps before continuing. It also checks for a human at the keyboard by monitoring mouse movement over a five-minute window, which lets it distinguish automated analysis environments from a real user session.

BRUSHWORM creates several hardcoded hidden directories: C:\ProgramData\Photoes\Pics\ for its primary binary, C:\Users\Public\Libraries\ for downloaded modules, and C:\Users\Public\Systeminfo\ for staging exfiltrated data. The misspelling "Photoes" is consistent across components, a developer slip that doubles as a simple string to hunt for.

Data Exfiltration and USB Propagation

The toolset's collection logic is tuned to business environments. When internet access is available, BRUSHWORM also spreads to removable drives, planting copies under lure filenames such as Salary Slips.exe and Presentation.exe. It harvests files by extension across documents, spreadsheets, presentations, email archives and source code, staging them in the Systeminfo directory, and records the SHA-256 hash of each stolen file in a dedicated subdirectory so that the same content is not exfiltrated twice.
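The hash-tracked staging described above, as an added example that is not Elastic's or BRUSHWORM's code: a minimal collector that copies files with targeted extensions into a staging directory and skips any file whose SHA-256 already appears in a ledger subdirectory. The extension list, the staging layout and the ledger format (one zero-byte marker file per hash under staging/hashes/) are assumptions for the demo; it runs against a constructed temporary directory tree.

```python
"""Demo of extension-filtered collection with a SHA-256 dedup ledger.

Added example, not code from the BRUSHWORM samples. Paths, extensions and
the ledger layout are assumptions chosen to mirror the behaviour described
in the article.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed target extensions, one or two per category the article lists
# (documents, spreadsheets, presentations, email archives, source code).
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
               ".pst", ".c", ".py"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(src_root: Path, staging: Path, exts=TARGET_EXTS):
    """Copy matching files under src_root into staging.

    Returns the sorted list of newly staged file names. The ledger is a
    subdirectory of zero-byte files named by hash, so it survives restarts
    and a second run over identical content stages nothing.
    """
    ledger = staging / "hashes"
    ledger.mkdir(parents=True, exist_ok=True)
    staged = []
    for path in src_root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        digest = sha256_file(path)
        marker = ledger / digest
        if marker.exists():            # identical content already staged
            continue
        dest = staging / f"{digest[:12]}_{path.name}"
        shutil.copy2(path, dest)
        marker.touch()
        staged.append(dest.name)
    return sorted(staged)


def demo():
    """Build a constructed tree and run the collector twice.

    The second pass returns an empty list because every hash is already in
    the ledger; the duplicate-content file is staged only once even on the
    first pass.
    """
    base = Path(tempfile.mkdtemp())
    src, staging = base / "docs", base / "Systeminfo"
    (src / "hr").mkdir(parents=True)
    (src / "hr" / "salaries.xlsx").write_bytes(b"salary table")      # constructed
    (src / "report.docx").write_bytes(b"quarterly report")           # constructed
    (src / "report_copy.docx").write_bytes(b"quarterly report")      # same content
    (src / "notes.txt").write_bytes(b"not a targeted extension")     # ignored
    first = collect(src, staging)
    second = collect(src, staging)
    shutil.rmtree(base)
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first pass staged:", first)
    print("second pass staged:", second)
```

The ledger format here is an assumption, but the general shape is worth keeping in mind when triaging a host: a subdirectory full of zero-byte files whose names are 64 hexadecimal characters, sitting next to copies of business documents, is not something legitimate software tends to leave under C:\Users\Public\.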

BRUSHLOGGER Keylogger Functionality

In parallel, BRUSHLOGGER, a 32-bit DLL built to be side-loaded under the name libcurl.dll, handles keystroke capture. It first creates a mutex whose name resembles a Windows Update identifier so that only one instance of the logger runs at a time. It then logs every keystroke together with the handle and title of the active window, giving the operators the context of which application each keystroke went to.

Keystrokes are written as two-digit hexadecimal virtual-key codes. The buffered bytes are XOR-encrypted with a static key before being appended to the log file, which provides only superficial obfuscation: a static XOR key can be recovered from the ciphertext alone, so the log is readable by anyone who obtains it.
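How trivially a static-XOR keystroke log gives up its contents, as an added example that is not Elastic's code and does not reproduce BRUSHLOGGER's actual file format: the script recovers a single-byte key from the ciphertext by testing which key makes the plaintext parse as the expected structure, then decodes the two-digit hex virtual-key codes into key names. The log layout (a "[hwnd=...|title]" header line followed by space-separated hex codes), the sample contents and the key 0x5A are constructed assumptions; the key length being one byte is also an assumption, though the same search extends to a short repeating key.

```python
"""Triage a keystroke log encrypted with a static single-byte XOR key.

Added example, not code from the BRUSHLOGGER samples. The log format, the
sample log and the key are constructed assumptions for the demo.
"""
import re

# Subset of Windows virtual-key codes (values from WinUser.h).
VK_NAMES = {
    0x08: "<BACKSPACE>", 0x09: "<TAB>", 0x0D: "<ENTER>", 0x10: "<SHIFT>",
    0x11: "<CTRL>", 0x12: "<ALT>", 0x14: "<CAPSLOCK>", 0x1B: "<ESC>",
    0x20: " ", 0x2E: "<DEL>", 0x5B: "<LWIN>", 0xBC: ",", 0xBE: ".",
}
VK_NAMES.update({c: chr(c) for c in range(0x30, 0x3A)})   # VK_0 .. VK_9
VK_NAMES.update({c: chr(c) for c in range(0x41, 0x5B)})   # VK_A .. VK_Z

# Assumed record layout: a window header, then lines of hex VK codes.
HEADER_RE = re.compile(r"^\[hwnd=([0-9A-Fa-f]+)\|(.*)\]$")
HEX_LINE_RE = re.compile(r"^[0-9A-Fa-f]{2}( [0-9A-Fa-f]{2})*$")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one static key byte (the scheme described)."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes) -> int:
    """Brute-force the key: only the right one yields lines that parse."""
    def score(pt: str) -> int:
        return sum(1 for line in pt.split("\n")
                   if HEADER_RE.match(line) or HEX_LINE_RE.match(line))
    return max(range(256),
               key=lambda k: score(xor_bytes(blob, k).decode("latin-1")))


def vk_to_text(codes) -> str:
    """Render VK codes as text; unknown codes are kept as <VK_xx>."""
    return "".join(VK_NAMES.get(c, f"<VK_{c:02X}>") for c in codes)


def parse_log(plaintext: str):
    """Return [(hwnd, title, typed_text)] in log order."""
    sessions, cur = [], None
    for line in plaintext.split("\n"):
        m = HEADER_RE.match(line)
        if m:
            cur = [m.group(1), m.group(2), []]
            sessions.append(cur)
        elif cur is not None and HEX_LINE_RE.match(line):
            cur[2].extend(int(tok, 16) for tok in line.split())
    return [(h, t, vk_to_text(c)) for h, t, c in sessions]


def decode_log(blob: bytes):
    """Recover the key and return (key, parsed sessions)."""
    key = recover_key(blob)
    return key, parse_log(xor_bytes(blob, key).decode("latin-1"))


# Constructed sample: two windows, "HELLO WORLD<ENTER>" and "PASSW0RD<ENTER>".
SAMPLE_KEY = 0x5A                                   # assumption for the demo
SAMPLE_PLAINTEXT = (
    "[hwnd=000A0B2C|Untitled - Notepad]\n"
    "48 45 4C 4C 4F 20 57 4F 52 4C 44 0D\n"
    "[hwnd=00120D4E|Login - Core Banking]\n"
    "50 41 53 53 57 30 52 44 0D\n"
)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT.encode("ascii"), SAMPLE_KEY)


if __name__ == "__main__":
    key, sessions = decode_log(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02X}")
    for hwnd, title, text in sessions:
        print(f"[{hwnd}] {title}: {text}")
```

Two caveats when applying this to a real capture. Virtual-key codes identify keys, not characters: 0x30 is the "0" key whether or not Shift was held, so "PASSW0RD" above could equally have been typed as "passw0rd" or with ")" in place of "0" unless modifier codes are also logged and interpreted. And the structural scoring assumes the record layout is known; on an unfamiliar log, a printable-ASCII ratio is the usual first-pass score before refining on the observed structure.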

Conclusion

Despite its rudimentary implementation and evident coding flaws, the BRUSHWORM and BRUSHLOGGER pairing gives its operators a capable toolset: scheduled-task persistence, modular DLL loading, bulk theft of documents and source code, USB-based propagation, and keystroke capture with window context. Two lessons stand out for defenders in the financial sector. First, SIEM-level telemetry alone was not enough to see the post-exploitation activity here; endpoint visibility is needed to catch behaviour like hidden-directory creation and side-loaded DLLs. Second, the toolkit's rough edges, including the hardcoded paths, the "Photoes" misspelling and the static XOR key, are exactly the artifacts that detection engineering and hunting should key on.
