A South Asian bank is the latest victim of a targeted cyberattack that used two custom-built malware tools. Researchers at Elastic Security Labs discovered the malware while investigating the infrastructure of the targeted financial institution.
The intrusion exfiltrated files, gave the attackers persistent access to the compromised system, and logged keystrokes in real time. It illustrates how targeted intrusions against financial organizations across South Asia are becoming more dangerous. The two components were delivered as separate binaries, which appears to have been a deliberate choice. Despite the targeted nature of the attack, neither binary used meaningful code obfuscation, packing, or other advanced protective techniques.
Overall code quality was poor. For example, BRUSHWORM writes its decrypted configuration to disk in cleartext, creates an encrypted copy, and only then deletes the original, so the plaintext configuration is briefly exposed on disk where file-activity monitoring or forensic recovery can capture it.
The researchers assess with moderate confidence that the malware author is inexperienced and may have used AI code-generation tools during development. Security teams should restrict the execution of unsigned binaries and closely monitor unusual scheduled task creation. Endpoint detection tooling that also monitors USB activity can stop BRUSHWORM from spreading to additional removable media.
It is also important to audit how DLLs are loaded on every endpoint in order to catch side-loading attempts like those used by BRUSHLOGGER. YARA rules are available to detect both BRUSHWORM and BRUSHLOGGER on endpoints and on the network.
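The behavioural checks recommended above (scheduled task creation, unsigned binaries running from user-writable paths, DLL side-loading, writes to removable media, and the write-cleartext-then-delete pattern described for BRUSHWORM's configuration) can be expressed as a small detector over endpoint telemetry. The following Python block is an added example, not code from Elastic Security Labs, ZeroOwl, or the malware samples. The event field names are loosely Sysmon-like but assumed; the `removable` flag is assumed to come from EDR drive-type enrichment; the watched-DLL list is an illustrative set of commonly side-loaded System32 names, not indicators from this campaign; and the sample events are constructed for the example.

```python
"""Behavioural detection over Sysmon-style endpoint events.

Added example, not code from Elastic Security Labs, ZeroOwl, or the malware.
Event field names, the "removable" flag and the watched-DLL list are assumptions.
"""

# Directories where legitimately installed code lives; anything outside them
# is treated as user-writable and therefore worth a closer look.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# DLL names that normally resolve to System32 and are popular side-loading
# targets. Illustrative watch list, not an indicator from the campaign.
WATCHED_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}

# A file created and deleted by the same process within this many seconds is
# flagged as transient: the write-cleartext-config-then-delete pattern.
TRANSIENT_WINDOW = 5.0


def _norm(path):
    return path.replace("/", "\\").lower()


def _dirname(path):
    return _norm(path).rsplit("\\", 1)[0] + "\\"


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def _is_system_path(path):
    return _norm(path).startswith(SYSTEM_DIRS)


def detect(events):
    """Return (rule, pid, detail) tuples for every event that trips a rule."""
    alerts = []
    created = {}  # (pid, normalised path) -> timestamp of the FileCreate
    for ev in events:
        kind, pid = ev["event"], ev["pid"]
        if kind == "ProcessCreate":
            cmd = ev["cmdline"].lower()
            if "schtasks" in cmd and "/create" in cmd:  # task persistence
                alerts.append(("scheduled_task_create", pid, ev["cmdline"]))
            if not ev["signed"] and not _is_system_path(ev["image"]):
                alerts.append(("unsigned_binary_exec", pid, ev["image"]))
        elif kind == "ImageLoad":
            dll, host = ev["image_loaded"], ev["image"]
            if _is_system_path(dll):
                continue  # loaded from a trusted directory
            # Side-loading heuristic: a system DLL name resolved outside the
            # system directories, or a signed host loading an unsigned DLL
            # that sits in its own directory.
            lookalike = _basename(dll) in WATCHED_DLLS
            neighbour = (ev["host_signed"] and not ev["signed"]
                         and _dirname(dll) == _dirname(host))
            if lookalike or neighbour:
                alerts.append(("dll_sideload", pid, f"{host} loaded {dll}"))
        elif kind == "FileCreate":
            if ev.get("removable"):  # drive-type enrichment assumed from EDR
                alerts.append(("removable_media_write", pid, ev["path"]))
            created[(pid, _norm(ev["path"]))] = ev["ts"]
        elif kind == "FileDelete":
            t_create = created.pop((pid, _norm(ev["path"])), None)
            if t_create is not None and ev["ts"] - t_create <= TRANSIENT_WINDOW:
                alerts.append(("transient_file", pid, ev["path"]))
    return alerts


# Constructed sample telemetry for one host; not real events from the intrusion.
T = r"C:\Users\anita\AppData\Local\Temp"
V = r"C:\Users\anita\Downloads\Viewer"
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 4100, "ts": 0.0, "image": T + r"\update.exe",
     "cmdline": T + r"\update.exe", "signed": False},
    {"event": "FileCreate", "pid": 4100, "ts": 0.4, "path": T + r"\config.txt"},
    {"event": "FileCreate", "pid": 4100, "ts": 0.5, "path": T + r"\config.enc"},
    {"event": "FileDelete", "pid": 4100, "ts": 0.6, "path": T + r"\config.txt"},
    {"event": "ProcessCreate", "pid": 4120, "ts": 1.0, "signed": True,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 10 /tn Updater /tr "' + T + '\\update.exe"'},
    {"event": "FileCreate", "pid": 4100, "ts": 2.0, "path": r"E:\update.exe", "removable": True},
    {"event": "ProcessCreate", "pid": 4200, "ts": 3.0, "image": V + r"\viewer.exe",
     "cmdline": "viewer.exe", "signed": True},
    {"event": "ImageLoad", "pid": 4200, "ts": 3.1, "image": V + r"\viewer.exe",
     "image_loaded": V + r"\version.dll", "host_signed": True, "signed": False},
    {"event": "ImageLoad", "pid": 4200, "ts": 3.2, "image": V + r"\viewer.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "host_signed": True, "signed": True},
    {"event": "ProcessCreate", "pid": 4300, "ts": 4.0, "signed": True,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

Running the block prints one alert per matching event: the unsigned executable in Temp, the config file that is created and deleted within a second, the schtasks persistence command, the copy to the removable drive, and the version.dll side-load. In production the same logic would run over Sysmon event IDs 1, 7, 11 and 23 (process creation, image load, file create, file delete) from a SIEM, and the signed/unsigned fields would come from Authenticode verification rather than a precomputed flag. The transient-file rule is deliberately loose; tune the window and exclude known installers before deploying it.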
Go to the ZeroOwl Security Blog and ZeroOwl.co.uk for more information.