
Elastic Security Labs uncovers BRUSHWORM and BRUSHLOGGER

Elastic Security Labs identified a cyberattack targeting a South Asian financial institution using two custom malware strains: BRUSHWORM and BRUSHLOGGER. BRUSHWORM functions as a backdoor and USB worm capable of extensive file theft and air-gap bridging, while BRUSHLOGGER captures system-wide keystrokes via DLL side-loading.

Confidence: high · Analyzed: 2026-03-26 · Type: reports

Authors: Elastic Security Labs

Actors: BRUSHWORM, BRUSHLOGGER (malware family names as tagged; the summary attributes no threat actor)

Source: Elastic Security Labs

IOCs · 5

Key Takeaways

  • A South Asian financial institution was targeted with two custom malware components: BRUSHWORM and BRUSHLOGGER.
  • BRUSHWORM acts as a modular backdoor with USB worm propagation, extensive file theft capabilities, and scheduled task persistence.
  • BRUSHLOGGER uses DLL side-loading to masquerade as libcurl.dll, capturing system-wide keystrokes and window contexts.
  • The malware exhibits air-gap bridging capabilities by copying stolen files to removable USB drives when no internet connection is detected.
  • The malware author appears relatively inexperienced, leaving cleartext configurations and using free dynamic DNS for testing versions.

Affected Systems

  • Windows

Attack Chain

The attack begins with execution of BRUSHWORM (paint.exe), which performs basic anti-analysis checks before establishing persistence through a scheduled task named MSGraphics. BRUSHWORM polls its C2 server over HTTPS to fetch additional payloads such as Recorder.dll into C:\Users\Public\Libraries (launched through a second task, MSRecorder, via rundll32.exe), spreads to attached USB drives, and stages stolen documents under C:\Users\Public\Systeminfo. In parallel, BRUSHLOGGER runs via DLL side-loading (masquerading as libcurl.dll) and writes keystrokes and window context into XOR-encoded .trn log files under C:\ProgramData\Photoes. Where no internet connection is detected, BRUSHWORM copies the staged data onto infected removable drives so that it can leave an air-gapped network the next time the drive is carried out.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: YARA

The article provides YARA rules to detect both BRUSHWORM and BRUSHLOGGER components in memory or on disk.

Detection Engineering Assessment

EDR Visibility: High. Scheduled task creation, DLL side-loading, file writes under C:\Users\Public and C:\ProgramData, and rundll32.exe launched from a task are all standard EDR telemetry.

Network Visibility: Medium. C2 traffic consists of plain HTTP GET requests, but they are carried over TLS with a Let's Encrypt certificate, so the payload download URI (/updtdll) is only visible where TLS is inspected; the C2 domain itself can still be matched in DNS logs and in the TLS SNI.

Detection Difficulty: Moderate. The malware lacks advanced obfuscation, but its legitimate-looking task names and DLL side-loading make single indicators weak; reliable detection needs behavioral correlation, for example task creation followed by rundll32.exe executing a DLL from C:\Users\Public\Libraries, or libcurl.dll loaded from a path other than the legitimate application's own directory.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • File Creation (Sysmon 11)
  • Scheduled Task Creation (Event ID 4698)
  • Image Load (Sysmon 7)

Hunting Hypotheses

  • Scheduled tasks created with names like 'MSGraphics' or 'MSRecorder', or executing binaries from unusual paths like C:\ProgramData\Photoes.
    Telemetry: Windows Event 4698 (Scheduled Task Created) · ATT&CK Stage: Persistence · FP Risk: Low
  • Processes writing files with the .trn extension in C:\ProgramData\Photoes\ or similar hidden directories.
    Telemetry: File Creation Events (Sysmon 11) · ATT&CK Stage: Collection · FP Risk: Low
  • rundll32.exe executing DLLs from C:\Users\Public\Libraries.
    Telemetry: Process Creation (Sysmon 1) · ATT&CK Stage: Execution · FP Risk: Low
  • Rapid file enumeration and copying to removable media, especially executables masquerading as documents (e.g., Salary Slips.exe).
    Telemetry: File Creation Events on Removable Drives · ATT&CK Stage: Lateral Movement · FP Risk: Medium
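The four hypotheses above, implemented as an added example in Python (not code from the Elastic report or from this summary) and run over constructed, SIEM-normalised event records. The flat field names, the lure-word list, and the burst thresholds are assumptions; the check that a .trn file name really is <username>_<MD5(username)> assumes UTF-8 input and lowercase hex output, which the summary does not specify.

```python
"""Hunt the four BRUSHWORM/BRUSHLOGGER hypotheses over normalised endpoint events.

Added example, not code from the Elastic report. The records in SAMPLE_EVENTS are
constructed, and the flat field names (source, event_id, host, ts, image, command_line,
target_filename, task_name, task_command, drive_type, pid) are an assumed SIEM
normalisation of Sysmon 1/11 and Security 4698 events.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, Iterable, List

SUSPECT_TASKS = {"msgraphics", "msrecorder"}      # task names reported for BRUSHWORM
PHOTOES = "c:\\programdata\\photoes"              # misspelled log directory from the report
STAGING_DIRS = (PHOTOES, "c:\\users\\public\\libraries", "c:\\users\\public\\systeminfo")
LURE_WORDS = ("salary", "slip", "invoice", "payroll")   # assumed lure vocabulary, seeded by 'Salary Slips.exe'
BURST_COUNT, BURST_WINDOW = 5, 30                 # assumed: >=5 removable-drive writes by one PID in 30 s
TRN_NAME = re.compile(r"^(?P<user>.+)_(?P<md5>[0-9a-f]{32})\.trn$", re.I)


def brushlogger_log_name(username: str) -> str:
    """Expected BRUSHLOGGER log name <username>_<MD5(username)>.trn (UTF-8, lowercase hex assumed)."""
    return f"{username}_{hashlib.md5(username.encode('utf-8')).hexdigest()}.trn"


def trn_name_is_consistent(filename: str) -> bool:
    """True when the hex suffix really is MD5 of the username prefix: a strong, low-FP indicator."""
    m = TRN_NAME.match(filename)
    return bool(m) and hashlib.md5(m["user"].encode("utf-8")).hexdigest() == m["md5"].lower()


def _low(ev: Dict, key: str) -> str:
    return str(ev.get(key) or "").lower()


def h1_task(ev: Dict) -> bool:
    """4698: task named MSGraphics/MSRecorder, or any task launching from a staging directory."""
    if ev.get("source") != "security" or ev.get("event_id") != 4698:
        return False
    name = _low(ev, "task_name").rsplit("\\", 1)[-1]
    return name in SUSPECT_TASKS or any(d in _low(ev, "task_command") for d in STAGING_DIRS)


def h2_trn(ev: Dict) -> bool:
    """Sysmon 11: a .trn file written under C:\\ProgramData (BRUSHLOGGER keystroke log)."""
    path = _low(ev, "target_filename")
    return (ev.get("source") == "sysmon" and ev.get("event_id") == 11
            and path.endswith(".trn") and path.startswith("c:\\programdata\\"))


def h3_rundll32(ev: Dict) -> bool:
    """Sysmon 1: rundll32.exe loading anything from C:\\Users\\Public\\Libraries."""
    return (ev.get("source") == "sysmon" and ev.get("event_id") == 1
            and _low(ev, "image").rsplit("\\", 1)[-1] == "rundll32.exe"
            and "c:\\users\\public\\libraries" in _low(ev, "command_line"))


def h4_lure(ev: Dict) -> bool:
    """Sysmon 11 on removable media: an .exe whose name reads like a document."""
    if not (ev.get("source") == "sysmon" and ev.get("event_id") == 11 and ev.get("drive_type") == "removable"):
        return False
    name = _low(ev, "target_filename").rsplit("\\", 1)[-1]
    if not name.endswith(".exe"):
        return False
    stem = name[:-4]
    return " " in stem or any(w in stem for w in LURE_WORDS)


def h4_bursts(events: List[Dict]) -> List[Dict]:
    """Sysmon 11 on removable media: BURST_COUNT or more writes by one PID inside BURST_WINDOW seconds."""
    stamps = defaultdict(list)
    for ev in events:
        if ev.get("source") == "sysmon" and ev.get("event_id") == 11 and ev.get("drive_type") == "removable":
            stamps[(ev["host"], ev.get("pid"))].append(ev["ts"])
    hits = []
    for (host, pid), ts in stamps.items():
        ts.sort()
        for i, start in enumerate(ts):                     # sliding window anchored at each write
            n = sum(1 for t in ts[i:] if t - start <= BURST_WINDOW)
            if n >= BURST_COUNT:
                hits.append({"hyp": "H4", "host": host, "ts": start,
                             "detail": f"pid {pid} wrote {n} files to removable media within {BURST_WINDOW}s"})
                break                                      # one finding per process is enough
    return hits


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Run every hypothesis; one finding per hit, ordered by event time."""
    events = sorted(events, key=lambda e: e["ts"])
    checks = [("H1", h1_task, "task_command"), ("H2", h2_trn, "target_filename"),
              ("H3", h3_rundll32, "command_line"), ("H4", h4_lure, "target_filename")]
    findings = []
    for ev in events:
        for hyp, fn, field in checks:
            if fn(ev):
                detail = str(ev.get(field))
                if hyp == "H2":   # grade the .trn hit by whether the name matches the reported scheme
                    ok = trn_name_is_consistent(detail.rsplit("\\", 1)[-1])
                    detail += " (suffix is MD5 of user)" if ok else " (suffix is not MD5 of user)"
                findings.append({"hyp": hyp, "host": ev["host"], "ts": ev["ts"], "detail": detail})
    findings.extend(h4_bursts(events))
    return sorted(findings, key=lambda f: f["ts"])


SAMPLE_EVENTS = [  # constructed records for illustration, not data from the report
    {"source": "security", "event_id": 4698, "host": "WS01", "ts": 100, "task_name": "\\MSRecorder",
     "task_command": "rundll32.exe C:\\Users\\Public\\Libraries\\Recorder.dll"},
    {"source": "security", "event_id": 4698, "host": "WS01", "ts": 101,
     "task_name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "task_command": "%systemroot%\\system32\\usoclient.exe StartScan"},        # benign
    {"source": "sysmon", "event_id": 1, "host": "WS01", "ts": 150, "image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe C:\\Users\\Public\\Libraries\\Recorder.dll"},
    {"source": "sysmon", "event_id": 1, "host": "WS01", "ts": 160, "image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},               # benign
    {"source": "sysmon", "event_id": 11, "host": "WS01", "ts": 200, "pid": 1337,
     "target_filename": "C:\\ProgramData\\Photoes\\" + brushlogger_log_name("alice")},
    {"source": "sysmon", "event_id": 11, "host": "WS01", "ts": 400, "pid": 5555, "drive_type": "removable",
     "target_filename": "E:\\DCIM\\IMG_0001.jpg"},                               # one benign copy
] + [
    {"source": "sysmon", "event_id": 11, "host": "WS01", "ts": 300 + i, "pid": 4242, "drive_type": "removable",
     "target_filename": f"E:\\Documents\\report_{i}.docx"} for i in range(5)     # worm copying a folder
] + [
    {"source": "sysmon", "event_id": 11, "host": "WS01", "ts": 305, "pid": 4242, "drive_type": "removable",
     "target_filename": "E:\\Salary Slips.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["hyp"], f["host"], f["ts"], f["detail"])
```

The benign Schedule Scan task and the shell32.dll rundll32 launch are included to show that the hypotheses key on the staging paths and task names rather than on rundll32.exe or task creation alone; tune LURE_WORDS, BURST_COUNT and BURST_WINDOW to the environment's normal removable-media use before relying on the H4 results.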

Control Gaps

  • Air-gapped network protections (malware bridges air gaps via USB)

Key Behavioral Indicators

  • Misspelled directory 'Photoes'
  • Mutex 'Windows-Updates-KB852654856'
  • File 'hashconfig' in NuGet Roaming AppData

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block the C2 domain resources.dawnnewsisl[.]com.
  • Search endpoints for the presence of the 'Photoes' directory in C:\ProgramData.
  • Isolate systems exhibiting the identified scheduled tasks (MSGraphics, MSRecorder).

Infrastructure Hardening

  • Restrict or disable the use of removable USB storage devices via GPO.
  • Implement application control to prevent execution of unsigned binaries from C:\Users\Public\ and C:\ProgramData; add exceptions for legitimate installers and updaters that run from C:\ProgramData, otherwise the rule will be disabled the first time it breaks a business application.

User Protection

  • Deploy EDR rules that alert when a DLL named libcurl.dll is loaded (Sysmon 7) from a path other than the loading application's own install directory, or is unsigned; side-loading relies on a trusted host executable picking up the planted copy, so the load path is the signal.
  • Ensure AV signatures are updated to detect BRUSHWORM and BRUSHLOGGER hashes.

Security Awareness

  • Train employees to recognize socially engineered executable files on USB drives (e.g., 'Salary Slips.exe').

MITRE ATT&CK Mapping

  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1056.001 - Input Capture: Keylogging
  • T1027 - Obfuscated Files or Information
  • T1140 - Deobfuscate/Decode Files or Information
  • T1497.001 - Virtualization/Sandbox Evasion: System Checks
  • T1074.001 - Data Staged: Local Data Staging
  • T1091 - Replication Through Removable Media
  • T1119 - Automated Collection
  • T1025 - Data from Removable Media
  • T1010 - Application Window Discovery
  • T1105 - Ingress Tool Transfer
  • T1036.005 - Masquerading: Match Legitimate Name or Location

Additional IOCs

  • Domains:
    • resources[.]dawnnewsisl[.]com - C2 server domain
  • File Paths:
    • C:\Users\Public\Libraries\ - Storage directory for downloaded modules from the C2 server (e.g., Recorder.dll)
    • C:\Users\Public\AppData\Roaming\Microsoft\Vault\keyE.dat - Storage path for the encrypted configuration file
    • C:\Users\Public\Systeminfo\ - Staging directory for stolen files prior to exfiltration
    • C:\Users\Public\AppData\Roaming\NuGet\hashconfig - Tracking file that records exfiltrated file paths and their SHA-256 hashes
    • C:\programdata\Photoes\<username>_<MD5(username)>.trn - Log file path for BRUSHLOGGER keystroke captures
  • Command Lines:
    • rundll32.exe - Execute downloaded DLL payload via scheduled task (tools: rundll32.exe, schtasks.exe; stage: Execution; full command line not reproduced in this summary)
  • Other:
    • MSGraphics - Scheduled task name used for BRUSHWORM persistence
    • MSRecorder - Scheduled task name used to execute the downloaded DLL payload
    • Salary Slips.exe - Socially engineered filename used for USB worm propagation