Malware & Ransomware | HIGH

Malware Alert - Elastic Security Labs Uncovers BRUSHWORM

Source: Elastic Security Labs
Tags: BRUSHWORM, BRUSHLOGGER, malware, South Asian financial institution, keylogger

In short: two custom malware components that steal data and spread via USB drives.

Quick Summary

Elastic Security Labs has identified two custom malware components, BRUSHWORM and BRUSHLOGGER, used against a South Asian financial institution. BRUSHWORM spreads over removable media and exfiltrates files; BRUSHLOGGER records keystrokes. Organizations that rely on USB drives should review their removable-media controls and hunt for scheduled-task persistence and unusual outbound connections.

What Happened

Elastic Security Labs recently uncovered two custom malware components targeting a South Asian financial institution, named BRUSHWORM and BRUSHLOGGER. BRUSHWORM is a modular backdoor; BRUSHLOGGER is a keylogger. Both were found during an investigation in which the victim's infrastructure offered only minimal visibility, which made reconstructing the intrusion difficult.

BRUSHWORM establishes persistence, communicates with command-and-control (C2) servers, and exfiltrates sensitive files. It spreads through removable media, which makes it particularly dangerous in environments where USB drives move between machines. BRUSHLOGGER captures keystrokes, giving attackers access to passwords and confidential communications typed on the infected host.

Who's Being Targeted

The known target is a single South Asian financial institution. The sector handles high-value financial data and is routinely targeted. Because the malware spreads via USB drives, the risk is highest in corporate environments where employees frequently move portable storage devices between systems.

The design points to a relatively inexperienced author: the code contains mistakes, and test versions pointed at free dynamic DNS infrastructure. That does not make the threat less real. Simple malware still works against an environment with minimal visibility, and free dynamic DNS hostnames are cheap to register and easy to rotate, which is exactly why they turn up in test and early-stage infrastructure.

Signs of Infection

Watch for unexpected files appearing on USB drives, or access to sensitive documents that no legitimate user or process accounts for; both can indicate BRUSHWORM. A keylogger seldom produces user-visible symptoms, so treat endpoint telemetry (process creation, persistence changes, outbound connections) as the primary signal rather than waiting for applications to misbehave.

On the detection side, audit scheduled tasks. BRUSHWORM registers tasks so that it runs at startup, and a task created without a corresponding change record is a red flag for system administrators. Review each task's triggers and the action it executes rather than its name alone; the name is chosen by the attacker and is trivially made to look benign.
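One way to act on the scheduled-task indicator, as an added example rather than code from Elastic's report: triage exported Task Scheduler XML and flag tasks that fire at logon or boot and run (or pass arguments naming) a binary outside the trusted system directories. The task names, paths, and environment-variable expansions are assumptions made for the sample; the element names come from the Task Scheduler XML schema.

```python
"""Triage Windows Task Scheduler XML definitions for startup persistence.

Added example for this write-up, not code from the Elastic Security Labs
report. Heuristic: a task that fires at logon or boot and runs, or hands
arguments to, a binary outside the trusted system directories deserves a
closer look. Export live tasks with `schtasks /query /xml` and feed the
files in (read them as bytes; exports are UTF-16 and ElementTree handles
the BOM).
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
STARTUP_TRIGGERS = {"LogonTrigger", "BootTrigger"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PATH_RE = re.compile(r"[a-z]:\\[^\"\s]+")      # drive-letter paths inside arguments
NON_SYSTEM_DRIVE = re.compile(r"[abd-z]:\\")    # any drive letter except C:

# Assumed expansions for one user profile ("analyst" is a placeholder).
ENV = {
    "%systemroot%": "c:\\windows", "%windir%": "c:\\windows",
    "%programfiles%": "c:\\program files", "%programdata%": "c:\\programdata",
    "%appdata%": "c:\\users\\analyst\\appdata\\roaming",
    "%localappdata%": "c:\\users\\analyst\\appdata\\local",
    "%temp%": "c:\\users\\analyst\\appdata\\local\\temp",
    "%userprofile%": "c:\\users\\analyst",
}


def expand(text):
    """Lower-case and expand the environment variables listed in ENV."""
    text = text.lower()
    for var, path in ENV.items():
        text = text.replace(var, path)
    return text


def is_trusted(path):
    return path.startswith(TRUSTED_DIRS)


def triage_task(xml_text):
    """Return a verdict dict for one task definition."""
    root = ET.fromstring(xml_text)
    uri = root.find("t:RegistrationInfo/t:URI", NS)
    name = uri.text if uri is not None and uri.text else "(unnamed)"
    triggers = root.find("t:Triggers", NS)
    trigger_names = {trg.tag.split("}")[-1] for trg in triggers} if triggers is not None else set()
    cmd_el = root.find("t:Actions/t:Exec/t:Command", NS)
    args_el = root.find("t:Actions/t:Exec/t:Arguments", NS)
    command = expand((cmd_el.text or "").strip().strip('"')) if cmd_el is not None else ""
    arguments = expand(args_el.text or "") if args_el is not None else ""

    startup = bool(trigger_names & STARTUP_TRIGGERS)
    reasons = []
    if startup and command:
        if not is_trusted(command):
            # Catches %APPDATA%, %TEMP%, other drives, and bare names resolved via PATH.
            reasons.append("startup task runs from outside trusted directories: " + command)
        if NON_SYSTEM_DRIVE.match(command):
            reasons.append("executable lives on a non-system drive (removable media?)")
        for p in PATH_RE.findall(arguments):
            if not is_trusted(p):
                # rundll32/regsvr32 and friends are trusted; what they load may not be.
                reasons.append("trusted host binary given an untrusted path argument: " + p)
    return {"name": name, "startup": startup, "command": command,
            "suspicious": bool(reasons), "reasons": reasons}


def find_suspicious(task_xmls):
    return [r["name"] for r in map(triage_task, task_xmls) if r["suspicious"]]


def sample_task(uri, trigger, command, arguments=""):
    """Build a minimal constructed task export (sample data, not from the report)."""
    args = f"<Arguments>{arguments}</Arguments>" if arguments else ""
    return (f'<Task version="1.2" xmlns="{NS["t"]}">'
            f"<RegistrationInfo><URI>{uri}</URI></RegistrationInfo>"
            f"<Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>"
            f"<Actions><Exec><Command>{command}</Command>{args}</Exec></Actions></Task>")


SAMPLE_TASKS = [
    sample_task(r"\Vendor\Updater", "CalendarTrigger", r'"C:\Program Files\Vendor\updater.exe"'),
    sample_task(r"\sync", "LogonTrigger", r"%APPDATA%\sync\svchost.exe"),
    sample_task(r"\Reader", "BootTrigger", r"E:\docs\reader.exe"),
    sample_task(r"\Loader", "LogonTrigger", r"%SystemRoot%\System32\rundll32.exe",
                r'"%APPDATA%\sync\log.dll",Start'),
    sample_task(r"\Tray", "LogonTrigger", r"C:\Windows\System32\tray.exe"),
]

if __name__ == "__main__":
    for r in map(triage_task, SAMPLE_TASKS):
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", r["name"])
        for why in r["reasons"]:
            print("    -", why)
```

The fourth sample is the case a path-only check misses: the command is a trusted Windows binary, and the malicious part is the DLL named in its arguments. The last sample (a logon task running from System32) is deliberately left unflagged; the heuristic trades some coverage for a low false-positive rate, so pair it with your change records rather than treating it as a verdict.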

How to Protect Yourself

To protect against these threats, organizations should implement robust security measures. Here are some recommended actions:

  • Educate Employees: Train staff on the risks of untrusted USB drives and on the phishing attempts that often deliver malware.
  • Use Endpoint Protection: Keep antivirus and EDR up to date, and rely on behavioural detections as well as signatures; custom malware such as this will not match existing signatures when it first appears.
  • Monitor Network Traffic: Watch for unusual outbound connections, especially to unknown domains and to free dynamic DNS hostnames, which may indicate C2 communication.
  • Control Removable Media: Use Data Loss Prevention (DLP) and endpoint device-control policies to monitor and restrict what can be copied to, or executed from, removable media.

Taken together, these steps reduce the chance of infection and limit what an intrusion can steal if one occurs.
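The report notes that test builds used free dynamic DNS infrastructure, and the network-monitoring bullet above recommends watching outbound connections to unknown domains. The following is an added example (not code from Elastic's report) that turns both into a hunt over DNS telemetry: it flags queries to a starter list of free dynamic DNS providers and, separately, domains outside an assumed baseline. The log format, client addresses, process names, hostnames, and baseline are all constructed for the example.

```python
"""Hunt DNS telemetry for free dynamic-DNS hostnames and never-seen domains.

Added example for this write-up, not code from the Elastic Security Labs
report. The log lines are a constructed "timestamp client process query"
format; swap parse_line() for your own source (Zeek dns.log, Sysmon
event 22, resolver query logs).
"""
from collections import defaultdict

# Starter list of free dynamic DNS providers. They are legitimate services; a
# hit means "look closer", not "malicious". Extend from your own telemetry.
DDNS_SUFFIXES = ("ddns.net", "no-ip.org", "hopto.org", "zapto.org", "myftp.org",
                 "duckdns.org", "dynu.com", "dyndns.org", "afraid.org")

# Constructed baseline of domains this hypothetical estate normally resolves.
BASELINE = {"microsoftonline.com", "microsoft.com", "corp.example"}


def _matches(name, suffixes):
    """Return the suffix that `name` equals or ends with (label-aligned), or None."""
    name = name.rstrip(".").lower()
    return next((s for s in suffixes if name == s or name.endswith("." + s)), None)


def ddns_provider(name):
    """Return the dynamic-DNS suffix a hostname belongs to, or None."""
    return _matches(name, DDNS_SUFFIXES)


def in_baseline(name):
    return _matches(name, BASELINE) is not None


def parse_line(line):
    ts, client, process, query = line.split(None, 3)
    return {"ts": ts, "client": client, "process": process,
            "query": query.strip().rstrip(".").lower()}


def scan_dns_log(lines):
    """Return one hit per suspicious query, tagged with severity and reason."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        provider = ddns_provider(rec["query"])
        if provider:
            hits.append({**rec, "severity": "high",
                         "why": f"free dynamic DNS provider ({provider})"})
        elif not in_baseline(rec["query"]):
            hits.append({**rec, "severity": "low", "why": "domain not in baseline"})
    return hits


def hosts_by_severity(hits):
    """Group distinct flagged domains per (client, severity) for triage."""
    out = defaultdict(set)
    for h in hits:
        out[(h["client"], h["severity"])].add(h["query"])
    return dict(out)


SAMPLE_LOG = """\
# ts client process query   (constructed sample telemetry, not from the report)
2024-05-02T09:14:03Z 10.20.1.15 OUTLOOK.EXE login.microsoftonline.com
2024-05-02T09:14:09Z 10.20.1.15 svchost.exe update.microsoft.com
2024-05-02T09:15:41Z 10.20.1.15 sync.exe data-sync.ddns.net
2024-05-02T09:15:42Z 10.20.1.15 sync.exe data-sync.ddns.net.
2024-05-02T09:20:17Z 10.20.1.31 chrome.exe cdn.partner-example.net
2024-05-02T09:21:55Z 10.20.1.31 reader.exe upd-srv.hopto.org
2024-05-02T09:22:00Z 10.20.1.31 reader.exe intranet.corp.example
"""

if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_LOG.splitlines())
    for (client, sev), domains in sorted(hosts_by_severity(hits).items()):
        print(f"{client} [{sev}] {', '.join(sorted(domains))}")
```

Matching is label-aligned on purpose: `ddns.net.evil.example` is not a dynamic DNS host, and a trailing dot or mixed case in the query must not let a hit slip through. The per-host grouping matters more than the raw hit list; one workstation talking to a dynamic DNS hostname from a process that never resolved anything before is the pattern to chase first.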

🔒 Pro insight: The simplicity of BRUSHWORM and BRUSHLOGGER is the lesson here. Unsophisticated malware was enough against a financial institution with limited visibility, which suggests defenders should expect more low-effort but effective tooling aimed at this sector and should invest in coverage rather than assume only advanced adversaries matter.

Original article from Elastic Security Labs.

Related Pings

HIGH | Malware & Ransomware

Infiniti Stealer - New macOS Infostealer Emerges

A new macOS malware called Infiniti Stealer tricks users into executing malicious commands. This poses serious risks to sensitive data on Macs. Stay safe by avoiding suspicious commands.

Source: Malwarebytes Labs

HIGH | Malware & Ransomware

GhostClaw - New AI Malware Targets macOS for Credential Theft

GhostClaw malware is targeting macOS users through fake GitHub repositories, stealing credentials via social engineering. Developers must verify source integrity to stay safe.

Source: Cyber Security News

HIGH | Malware & Ransomware

Malware Discovered in LiteLLM - Major Security Breach Alert

LiteLLM, a popular AI tool, was infected by malware that stole user credentials. Millions of users are at risk, raising serious security concerns. The developers are actively investigating the breach and working on solutions.

Source: TechCrunch Security

HIGH | Malware & Ransomware

Malware - US Imprisons Russian Botnet Operator for Ransomware

Ilya Angelov, a Russian botnet operator, has been sentenced for his role in ransomware attacks against US companies. This case underscores the ongoing threat of cybercrime. With millions lost to extortion, vigilance is essential for organizations to protect themselves.

Source: SC Media

HIGH | Malware & Ransomware

Malware Attack - Puerto Rico's Driver's License Agency Disrupted

A ransomware attack has disrupted Puerto Rico’s driver's license agency. All services are halted, affecting many residents. Officials are working to ensure data integrity before resuming operations.

Source: SC Media

HIGH | Malware & Ransomware

Malware - Armenian Extradited for RedLine Infostealer Role

An Armenian man has been extradited to the U.S. for his role in the RedLine infostealer scheme. This malware has targeted major corporations, raising significant security concerns. The case underscores the ongoing battle against cybercrime and the need for robust cybersecurity measures.

Source: SC Media