Hackers Target South Asian Financial Firm with BRUSHWORM and BRUSHLOGGER Attacks

GBHackers On Security, Mar 27, 2026

Why It Matters

The combined backdoor and keylogger give attackers deep, persistent access to sensitive financial records and credentials, raising the risk of large‑scale data breaches in a sector where confidentiality is paramount.

Key Takeaways

  • BRUSHWORM combines a backdoor, a USB worm, and modular payloads.
  • BRUSHLOGGER side‑loads as libcurl.dll and logs keystrokes together with window context.
  • Persistence via COM‑created scheduled tasks named MSGraphics and MSRecorder.
  • Hard‑coded “Photoes” directories store binaries and logs.
  • Developer appears inexperienced; AI‑generated code introduces errors.

Pulse Analysis

The emergence of bespoke malware like BRUSHWORM reflects a shift toward highly tailored tooling aimed at the financial sector. Unlike off‑the‑shelf ransomware, this toolkit pairs a modular backdoor with a DLL side‑loaded keylogger, allowing attackers to maintain a long‑term foothold while siphoning documents, spreadsheets, source code, and even credential‑rich email archives. Its anti‑analysis checks are simple (screen resolution, sandbox identifiers, and brief hypervisor delays), yet they are enough to evade basic sandbox environments, which underscores the need for endpoint visibility that goes beyond standard SIEM logs.

From a technical standpoint, BRUSHWORM’s persistence hinges on COM‑based scheduled tasks named MSGraphics and MSRecorder, which launch the backdoor and a secondary DLL payload at user logon. The malware’s USB worm component propagates via lure files such as "Salary Slips.exe," rapidly spreading across removable media—a critical vector in banking environments where staff frequently exchange drives. Meanwhile, BRUSHLOGGER’s low‑level keyboard hook captures keystrokes with window titles, storing them in XOR‑encrypted logs under the misspelled "Photoes" directory. Although the encryption is weak, the contextual data it gathers can reveal privileged credentials and transaction approvals, amplifying the potential impact of a breach.

For security teams, the BRUSHWORM/BRUSHLOGGER case highlights several actionable lessons. First, reliance on basic telemetry can miss post‑exploitation activity; deploying advanced endpoint detection and response (EDR) solutions that monitor file system changes, scheduled tasks, and DLL loading patterns is essential. Second, the presence of hard‑coded paths and rudimentary encryption suggests the developers are still experimenting, possibly integrating AI‑generated code without thorough testing—an indicator that the threat may evolve quickly. Continuous threat‑intel monitoring of dynamic DNS usage and VirusTotal submissions can provide early warnings, while regular audits of removable‑media policies and user‑level privileges can mitigate the risk of USB‑borne spread. Proactive hunting for the distinctive "Photoes" folder structure and the MSGraphics task can help organizations neutralize this emerging espionage platform before it exfiltrates critical financial data.
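One way to turn the hunting advice above into a host check, as an added example that is not the article's or the researchers' code: a PowerShell script that looks for the MSGraphics/MSRecorder scheduled tasks, any directory literally named "Photoes", and copies of libcurl.dll sitting beside an executable outside the usual program locations. The task and directory names come from the article; the search roots and the "legitimate location" list are assumptions, and a libcurl.dll hit is a lead for review, not a verdict.

```powershell
# Added hunt script (not from the GBHackers article). Requires the ScheduledTasks
# module (Windows 8 / Server 2012 and later). Search roots below are assumptions.
$findings = @()

# 1. Scheduled tasks named MSGraphics / MSRecorder (the persistence the article describes)
foreach ($name in 'MSGraphics', 'MSRecorder') {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Indicator = "ScheduledTask:$name"; Detail = $actions }
    }
}

# 2. Directories literally named "Photoes" (misspelling from the article) under user
#    profiles and ProgramData; these roots are an assumption, widen them as needed.
$roots = @("$env:SystemDrive\Users", $env:ProgramData)
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'Photoes' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Indicator = 'Directory:Photoes'; Detail = $_.FullName }
        }
}

# 3. libcurl.dll next to an .exe outside Program Files / Windows: a candidate for the
#    DLL side-loading the article describes. Legitimate copies exist, so review each hit.
$legit = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'libcurl.dll' -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $path = $_.FullName
        -not ($legit | Where-Object { $path -like "$_\*" })
    } |
    ForEach-Object {
        $exes = Get-ChildItem -Path $_.DirectoryName -Filter '*.exe' -File -ErrorAction SilentlyContinue
        if ($exes) {
            $findings += [pscustomobject]@{
                Indicator = 'SideloadCandidate:libcurl.dll'
                Detail    = "$($_.FullName) (beside: $($exes.Name -join ', '))"
            }
        }
    }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No BRUSHWORM/BRUSHLOGGER indicators found.' }
```

Run it in an elevated session so that other users' profiles are readable; the third check walks the whole system drive and can take several minutes.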