Elastic Security Labs uncovers BRUSHWORM and BRUSHLOGGER

MITRE Techniques

• [T1053.005 ] Scheduled Task/Job – Used to maintain persistence and execute payloads (‘creates a Windows scheduled task named MSGraphics through the COM Task Scheduler interface’ and ‘MSRecorder that uses rundll32.exe to load and run it’).
• [T1574.001 ] DLL Search Order Hijacking / DLL Side-Loading – BRUSHLOGGER masquerades as libcurl.dll to execute malicious code via DLL side-loading (‘masquerades as libcurl.dll by exporting seven standard curl_easy_* API functions’ and ‘malicious functionality executes entirely from the DllMain entry point’).
• [T1218.011 ] Signed Binary Proxy Execution: rundll32.exe – The backdoor runs downloaded DLL modules by invoking rundll32.exe to load Recorder.dll (‘The downloaded DLL is executed by creating a second scheduled task named MSRecorder that uses rundll32.exe to load and run it’).
• [T1056.001 ] Input Capture: Keylogging – BRUSHLOGGER installs a system-wide low-level keyboard hook to capture keystrokes and window context (‘SetWindowsHookExA(WH_KEYBOARD_LL, keyboard_hook_callback, NULL, 0);’ and ‘retrieves the foreground window handle via GetForegroundWindow’).
• [T1052 ] Exfiltration Over Physical Medium – BRUSHWORM copies stolen files to removable drives when network access is unavailable to physically remove data from air-gapped or restricted environments (‘it additionally copies stolen files and files from the user’s profile directory … to the removable drives’).
• [T1105 ] Ingress Tool Transfer – The backdoor downloads modular payloads from its C2 using WinHTTP to retrieve DLLs (‘uses the WinHTTP library to issue a GET request to the C2 server at the URI /updtdll to download a DLL payload’).
• [T1071.001 ] Application Layer Protocol: Web Protocols – C2 communication and payload retrieval occur over HTTP(S) to a web-hosted endpoint (‘C2 server at the URI /updtdll to download a DLL payload’ and ‘The C2 server’s SSL certificate is issued by Let’s Encrypt’).
• [T1497.001 ] Virtualization/Sandbox Evasion: Check for Virtualization/Sandbox – The malware performs environment checks including screen resolution, username/computer name, CPUID hypervisor checks, and mouse activity to detect analysis environments (‘Screen resolution check: If the display resolution is less than 1024×768 pixels, execution terminates’ and ‘the malware checks whether the machine’s username or the computer name is “sandbox”’).
• [T1005 ] Data from Local System – BRUSHWORM enumerates and collects a wide range of document, spreadsheet, email archive, archive, and code file types from local and removable storage for staging and exfiltration (‘stolen files are staged in the C:UsersPublicSysteminfo directory’ and targets extensions such as .docx, .xlsx, .pst, .zip, .py, etc.).