Cyberattack on South Asian Financial Firm Using BRUSHWORM and BRUSHLOGGER Malware

Severity: Medium (Score: 48.9)

Sources: Gbhackers, Cybersecuritynews

Summary

A South Asian financial institution has been targeted by a cyberattack utilizing two custom malware tools: BRUSHWORM, a modular backdoor, and BRUSHLOGGER, a keylogger disguised as a trusted system file. The attack involved file theft and real-time keystroke capture, indicating a sophisticated approach to data exfiltration. The malware was deployed through a backdoor named paint.exe and a keylogger masquerading as libcurl.dll, neither of which employed advanced packing or obfuscation techniques. This incident highlights the increasing risks faced by financial organizations in the region. The specific impact on the institution's operations and data integrity remains unclear. As of now, there are no reports of a patch or mitigation strategy being implemented. The attack underscores the need for enhanced cybersecurity measures in the financial sector.

Key Points:

  • The attack involved BRUSHWORM and BRUSHLOGGER malware targeting a financial institution.
  • BRUSHWORM acts as a backdoor while BRUSHLOGGER captures keystrokes.
  • The malware was not obfuscated, making detection potentially easier.
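The two file names in the report (a backdoor called paint.exe and a keylogger posing as libcurl.dll) are a masquerading pattern that is cheap to hunt for once endpoint telemetry records image loads with path and signature state. The script below is an added example, not code from the report or from either source; it runs a simple masquerade heuristic over constructed process-start and DLL-load records. The file names come from the report; the trusted directory prefixes, the sample events and the signer names are assumptions.

```python
"""Flag lookalike binaries by name, location and signature state (added example)."""
import ntpath
from dataclasses import dataclass


@dataclass
class ImageLoad:
    """One process-start or DLL-load record (constructed telemetry, not from the report)."""
    process: str      # process that started the EXE or loaded the DLL
    image_path: str   # full path of the image
    signed: bool      # True if a valid Authenticode signature is present
    signer: str       # signer name, empty string if unsigned


# Names reported for the BRUSHWORM dropper and the BRUSHLOGGER DLL. The genuine
# Windows Paint binary is mspaint.exe, so a bare paint.exe is itself a lookalike.
WATCHED_NAMES = {"paint.exe", "libcurl.dll"}

# Directories where a legitimate copy of these images would plausibly live (assumption).
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\program files")

# Constructed sample telemetry (assumed values, not from the page).
SAMPLE_EVENTS = [
    ImageLoad("explorer.exe", r"C:\Windows\System32\mspaint.exe", True, "Microsoft Windows"),
    ImageLoad("paint.exe", r"C:\Users\alice\AppData\Roaming\paint.exe", False, ""),
    ImageLoad("curl.exe", r"C:\Program Files\Example Vendor\libcurl.dll", True, "Example Vendor"),
    ImageLoad("outlook.exe", r"C:\Users\alice\AppData\Local\Temp\libcurl.dll", False, ""),
]


def _in_user_writable_dir(path: str) -> bool:
    """Heuristic: anything under a user profile, AppData or Temp is attacker-writable."""
    p = path.lower()
    return "\\users\\" in p or "\\appdata\\" in p or "\\temp\\" in p


def classify(event: ImageLoad) -> list[str]:
    """Return the reasons an event looks like a masquerading binary (empty if clean)."""
    name = ntpath.basename(event.image_path).lower()
    if name not in WATCHED_NAMES:
        return []
    reasons = []
    if not event.signed:
        reasons.append("unsigned")
    if not event.image_path.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("outside trusted install directory")
    if _in_user_writable_dir(event.image_path):
        reasons.append("user-writable directory")
    return reasons


def find_masquerades(events: list[ImageLoad]) -> list[tuple[str, str, list[str]]]:
    """Run the heuristic over a batch of events and keep only the flagged ones."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev.process, ev.image_path, reasons))
    return hits


if __name__ == "__main__":
    for process, path, reasons in find_masquerades(SAMPLE_EVENTS):
        print(f"{process}: {path} -> {', '.join(reasons)}")
```

The heuristic deliberately matches on file name first so that a signed libcurl.dll under Program Files produces no alert, while the same name dropped unsigned into a Temp folder, or a paint.exe anywhere, is reported with every reason it tripped. Because the report notes that neither sample was packed or obfuscated, a hash or YARA match would also work, but the path-and-signature rule catches renamed copies that a hash would miss.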

Key Entities

  • Malware (attack_type)
  • Financial (industry)
  • Brushlogger (malware)
  • Brushworm (malware)
  • T1056.001 - Keylogging (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • T1574 - Hijack Execution Flow (mitre_attack)
  • Libcurl.dll (tool)
  • Paint.exe (tool)