Malware - Hackers Target South Asian Financial Firm with BRUSHWORM
Basically, hackers used two types of malware to steal data from a bank in South Asia.
A South Asian financial firm was hit by a targeted cyberattack using BRUSHWORM and BRUSHLOGGER malware. This attack highlights the growing risk to financial institutions. Security teams are urged to implement strict measures to protect sensitive data and prevent further breaches.
What Happened
A South Asian financial institution was recently targeted by a sophisticated cyberattack involving two custom-built malware tools: BRUSHWORM and BRUSHLOGGER. The attack combined file theft, persistent system access, and real-time keystroke capture. This incident underscores the increasing risk that financial organizations across South Asia face from targeted intrusions.
The malware was delivered as separate binaries, with BRUSHWORM acting as the primary implant. Disguised as a benign file named paint.exe, it established a foothold in the system, communicated with a remote command-and-control (C2) server, and stole sensitive documents. Meanwhile, BRUSHLOGGER, masquerading as a trusted Windows library, logged every keystroke typed on the infected machine.
Who's Affected
The attack primarily affected a financial institution in South Asia, putting sensitive customer data and internal communications at risk. Employees of the firm were particularly vulnerable, as the malware propagated through social engineering tactics, using filenames like Salary Slips.exe to trick users into executing the malicious files.
As financial organizations are often targets for cybercriminals, this incident serves as a stark reminder of the vulnerabilities present in the sector. The potential for data breaches and financial fraud increases significantly when such malware infiltrates a financial system, affecting not just the institution but also its clients and stakeholders.
How It Works
BRUSHWORM maintains persistence on the infected system by creating hidden directories and registering scheduled tasks. It fetches additional payloads from its C2 server and can copy itself onto connected USB drives, which lets it reach systems that are not connected to the network, including air-gapped ones.
BRUSHLOGGER, for its part, silently records keystrokes, capturing sensitive information such as login credentials and financial data. This combination of data theft and system persistence makes the pair particularly dangerous. At the same time, design flaws such as writing decrypted configurations to disk in cleartext suggest that the authors may lack experience and may have used AI tools without proper oversight.
How to Protect Yourself
To mitigate risks from such malware, organizations should implement strict security measures. This includes restricting the execution of unsigned binaries and monitoring for unusual scheduled task creation, especially tasks named MSGraphics or MSRecorder.
Deploying endpoint detection solutions that monitor USB activity can help prevent the spread of BRUSHWORM. Additionally, auditing DLL loading behavior across endpoints is crucial to catch side-loading attempts like those used by BRUSHLOGGER. Utilizing YARA rules can also aid in identifying these malware components across network environments, enhancing overall security posture.
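As an added example covering the persistence mechanism described under How It Works and the scheduled-task monitoring advised above (example code, not from the article or the researchers who analysed the malware): a small triage routine that scans Windows Security event 4698 records (scheduled task created) for the MSGraphics / MSRecorder task names and for actions that launch a paint.exe or any executable from a user-writable directory. The event records are constructed samples; the user-writable path list is an assumption, not an indicator from the report.

```python
import re
import xml.etree.ElementTree as ET

# Task names reported for BRUSHWORM persistence (from the advisory text).
SUSPECT_TASK_NAMES = {"msgraphics", "msrecorder"}
# Assumption: a legitimate Windows task action rarely runs from these locations.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\", re.I)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def task_command(task_xml: str) -> str:
    """Return the Exec/Command of a Task Scheduler XML definition ('' if absent)."""
    root = ET.fromstring(task_xml)
    cmd = root.find(".//t:Actions/t:Exec/t:Command", TASK_NS)
    return (cmd.text or "").strip() if cmd is not None else ""


def assess_event(event: dict) -> list[str]:
    """Return the reasons a 4698 record resembles BRUSHWORM persistence (empty if none)."""
    reasons = []
    name = event["TaskName"].rsplit("\\", 1)[-1]  # strip the task folder path
    if name.lower() in SUSPECT_TASK_NAMES:
        reasons.append(f"task name {name!r} matches a reported BRUSHWORM task name")
    cmd = task_command(event["TaskContent"])
    if USER_WRITABLE.search(cmd):
        reasons.append(f"action runs from a user-writable path: {cmd}")
    if cmd.lower().rsplit("\\", 1)[-1] == "paint.exe":
        reasons.append("action launches paint.exe, the filename BRUSHWORM was disguised as")
    return reasons


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged TaskName to its reasons; clean events are omitted."""
    return {e["TaskName"]: r for e in events if (r := assess_event(e))}


def _task_xml(command: str) -> str:
    """Build a minimal Task Scheduler definition for the constructed samples."""
    return (f'<Task xmlns="{TASK_NS["t"]}"><Actions><Exec>'
            f"<Command>{command}</Command></Exec></Actions></Task>")


# Constructed sample 4698 records (not real logs).
SAMPLE_EVENTS = [
    {"TaskName": "\\MSGraphics",
     "TaskContent": _task_xml(r"C:\Users\alice\AppData\Roaming\.cache\paint.exe")},
    {"TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": _task_xml(r"%windir%\system32\defrag.exe")},
    {"TaskName": "\\Updater",
     "TaskContent": _task_xml(r"C:\Users\bob\AppData\Local\Temp\svc.exe")},
]

if __name__ == "__main__":
    for task, reasons in triage(SAMPLE_EVENTS).items():
        print(task, "->", "; ".join(reasons))
```

In production the same checks would run over events pulled from the Security log (or Sysmon/EDR telemetry) rather than the embedded samples.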
Cyber Security News