BRUSHWORM and BRUSHLOGGER uncovered
A South Asian financial institution was targeted with two custom malware components: BRUSHWORM, a modular backdoor, and BRUSHLOGGER, a keylogger. BRUSHWORM features anti-analysis checks, encrypted configuration, scheduled task persistence, modular payload downloading, USB worm propagation, and extensive file theft. BRUSHLOGGER uses DLL side-loading to capture system-wide keystrokes with window context tracking. The malware's low sophistication and implementation flaws suggest an inexperienced author, possibly using AI code-generation tools. Multiple testing versions were discovered on VirusTotal, indicating iterative development. The malware components combine to create a functional collection platform with modular loading, USB propagation, broad file theft, air-gap bridging, and persistent keystroke capture.
AI Analysis
Technical Summary
The BRUSHWORM and BRUSHLOGGER malware suite was uncovered targeting a financial institution in South Asia. BRUSHWORM acts as a modular backdoor implant featuring multiple advanced capabilities such as anti-analysis checks to evade detection, encrypted configuration files to protect its settings, and persistence via scheduled tasks. It can download additional payloads, propagate through USB devices acting as a worm, and exfiltrate a wide range of files, enabling extensive data theft. BRUSHLOGGER complements this by implementing a keylogger that leverages DLL side-loading, a technique where a malicious DLL is loaded by a legitimate application, to capture keystrokes system-wide along with the context of the active window, increasing the value of stolen credentials and data. The malware’s code quality and flaws suggest it was developed by an inexperienced author, possibly using AI code-generation tools, as evidenced by multiple iterative versions found on VirusTotal. The combination of these two components creates a comprehensive data collection and exfiltration platform capable of bridging air-gapped networks through USB propagation, persistent keystroke logging, and modular payload delivery. Despite its medium severity rating and lack of known active exploits in the wild, the malware’s capabilities pose a serious threat to targeted organizations, especially in the financial sector. The malware employs several MITRE ATT&CK techniques including T1053.005 (Scheduled Task), T1056.001 (Keylogging), T1074.001 (File Deletion), T1036.005 (DLL Side-Loading), and T1105 (Ingress Tool Transfer), among others, indicating a multi-faceted approach to persistence, stealth, and data theft.
Potential Impact
Organizations targeted by BRUSHWORM and BRUSHLOGGER face significant risks to the confidentiality and integrity of sensitive data, particularly financial information. The malware’s ability to steal extensive files and capture keystrokes system-wide can lead to credential theft, unauthorized access, and financial fraud. USB worm propagation and air-gap bridging capabilities increase the risk of lateral movement and infection of isolated networks, which are typically considered highly secure. The persistence mechanisms and anti-analysis features complicate detection and removal, potentially allowing long-term espionage and data exfiltration. For financial institutions, this could result in severe financial losses, reputational damage, regulatory penalties, and erosion of customer trust. The malware’s low sophistication suggests that similar threats could proliferate easily, expanding the threat landscape for organizations with similar profiles worldwide.
Mitigation Recommendations
1. Implement strict controls on USB device usage, including disabling autorun features and restricting USB ports to authorized devices only.
2. Deploy endpoint detection and response (EDR) solutions capable of detecting DLL side-loading and unusual scheduled task creations.
3. Monitor network traffic for signs of modular payload downloads and suspicious connections to known malicious URLs such as 'http://resources.dawnnewsisl.com/updtdll'.
4. Use behavioral analytics to detect keylogging activities and anomalous file access patterns indicative of extensive data theft.
5. Conduct regular threat hunting exercises focusing on the identified malware hashes and YARA rules provided.
6. Harden systems by applying the principle of least privilege to limit malware’s ability to persist and propagate.
7. Educate employees on the risks of using untrusted USB devices and phishing attempts that may deliver initial infection vectors.
8. Maintain up-to-date backups isolated from the network to recover from potential data loss or ransomware attacks that could follow such infections.
9. Employ application whitelisting to prevent unauthorized DLLs from loading and restrict execution of unknown binaries.
10. Collaborate with threat intelligence providers to stay informed about emerging variants and indicators of compromise related to BRUSHWORM and BRUSHLOGGER.
Affected Countries
India, Pakistan, Bangladesh, Sri Lanka, Nepal
Indicators of Compromise
- hash: 4f1ea5ed6035e7c951e688bd9c2ec47a1e184a81e9ae783d4a0979501a1985cf
- hash: 89891aa3867c1a57512d77e8e248d4a35dd32e99dcda0344a633be402df4a9a7
- url: http://resources.dawnnewsisl.com/updtdll
- hash: 30896513cb0aefc78d0343e76d82b49f4afacf21
- hash: da2e41f026d2cca001ed584cd22cf4e5e02a8c8f
- yara: 30896513cb0aefc78d0343e76d82b49f4afacf21
- yara: da2e41f026d2cca001ed584cd22cf4e5e02a8c8f
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.elastic.co/security-labs/brushworm-targets-financial-services
- Adversary: null
- Pulse Id: 69c643be1c9656febe1f3cc6
- Threat Score: null
Threat ID: 69c6518c3c064ed76f7f6213
Added to database: 3/27/2026, 9:44:44 AM
Last enriched: 3/27/2026, 9:59:55 AM
Last updated: 5/11/2026, 2:49:46 AM