Malware & Ransomware · HIGH

Malware Alert - Elastic Security Labs Uncovers BRUSHWORM

Elastic Security Labs
Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

In short: two custom malware components were found at a South Asian financial institution. One is a backdoor that spreads through USB drives and steals files; the other is a keylogger.

Quick Summary

Elastic Security Labs has identified two custom malware components, BRUSHWORM and BRUSHLOGGER, used against a South Asian financial institution. BRUSHWORM spreads over removable USB drives and exfiltrates files; BRUSHLOGGER records keystrokes. Organizations, particularly those where USB media is in routine use, should act now to reduce their exposure.

What Happened

Elastic Security Labs recently uncovered two custom malware components targeting a South Asian financial institution. The components, named BRUSHWORM and BRUSHLOGGER, are a modular backdoor and a keylogger respectively. They were discovered during an investigation in which defenders had only minimal visibility into the victim's infrastructure, which made it hard to reconstruct the attackers' activity.

BRUSHWORM is designed to establish persistence, communicate with command-and-control (C2) servers, and exfiltrate sensitive files. It spreads through removable media, which makes it particularly dangerous where USB drives are routinely moved between machines. BRUSHLOGGER captures keystrokes, giving the attackers passwords and the contents of confidential communications as they are typed.

Who's Being Targeted

The primary target of this malware is a South Asian financial institution. This sector is often a lucrative target due to the sensitive financial data it handles. The malware's ability to spread via USB drives increases the risk, especially in corporate environments where employees frequently use portable storage devices.

Coding mistakes in the samples and the use of free dynamic DNS hostnames in test versions indicate a relatively inexperienced author. Low sophistication does not make the threat less serious: a keylogger and a file-stealing backdoor that work are enough to compromise a financial institution.

Signs of Infection

Organizations should watch for several signs of infection. Unexpected files or executables appearing on USB drives, or sensitive documents being read by an unfamiliar process, may indicate BRUSHWORM activity. A keylogger such as BRUSHLOGGER rarely produces symptoms a user would notice, so detection should rely on endpoint telemetry (process, file and scheduled-task events) rather than on user reports.

To detect the malware, IT teams should review scheduled tasks against a known-good baseline and investigate any that were not created through change control. The malware registers tasks so that it runs at startup; a task that launches a binary from a user profile directory or a removable drive, or that is hidden from the Task Scheduler UI, warrants immediate attention.
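One way to turn the scheduled-task check above into a repeatable triage step is to export each task's XML definition and score it for the traits that distinguish persistence from routine maintenance. The following is an added example written for this summary; it is not code from Elastic Security Labs or from the malware report. It assumes that only C: is a fixed disk (so other drive letters are removable media), that user-profile and Temp folders are unusual homes for task binaries, and that the listed script hosts deserve a closer look; the three sample tasks are constructed, not real indicators.

```python
"""Triage exported Windows scheduled-task XML for persistence indicators.

Added example for this summary; not code from Elastic Security Labs or from
the malware described in the report. Export a task with:
    schtasks /query /tn "<task name>" /xml > task.xml
Real exports are UTF-16, so open them in binary mode and pass the bytes.
The three sample tasks below are constructed for illustration only.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: only C: is a fixed disk here, so other drive letters are
# removable media; user-profile folders and Temp are unusual homes for tasks.
SUSPICIOUS_PATH = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\"
    r"|\\Temp\\"
    r"|(?<![A-Za-z])[D-Z]:\\",
    re.IGNORECASE,
)
# Script hosts and proxy binaries that let a task launch a payload indirectly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
STARTUP_TRIGGERS = {"BootTrigger", "LogonTrigger"}


def _text(root, path):
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def triage_task(xml_data):
    """Describe one task and list the reasons it looks like persistence."""
    root = ET.fromstring(xml_data)
    command = _text(root, "t:Actions/t:Exec/t:Command").strip('"')
    arguments = _text(root, "t:Actions/t:Exec/t:Arguments")
    triggers = root.find("t:Triggers", NS)
    trigger_names = set()
    if triggers is not None:
        trigger_names = {child.tag.rsplit("}", 1)[-1] for child in triggers}
    startup = bool(trigger_names & STARTUP_TRIGGERS)

    findings = []
    if SUSPICIOUS_PATH.search(command):
        findings.append("command runs from a user-writable or removable path: " + command)
    if ntpath.basename(command).lower() in SCRIPT_HOSTS:
        findings.append("script host launched with arguments: " + arguments)
        if SUSPICIOUS_PATH.search(arguments):
            findings.append("arguments reference a user-writable or removable path: " + arguments)
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")

    return {
        "uri": _text(root, "t:RegistrationInfo/t:URI"),
        "command": command,
        "arguments": arguments,
        "startup": startup,
        "findings": findings,
        # A startup trigger alone is normal; the combination is what matters.
        "suspicious": startup and bool(findings),
    }


def suspicious_tasks(xml_blobs):
    """Return the URIs of the tasks an analyst should review."""
    return [t["uri"] for t in map(triage_task, xml_blobs) if t["suspicious"]]


# Constructed samples (not real tasks from the incident).
TASK_UPDATER = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\jdoe\AppData\Roaming\update.exe</Command></Exec>
  </Actions>
</Task>"""

TASK_SYNC = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Sync</URI></RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>powershell.exe</Command>
          <Arguments>-WindowStyle Hidden -File E:\sync.ps1</Arguments></Exec>
  </Actions>
</Task>"""

TASK_CLEANUP = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Maintenance\NightlyCleanup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\cleanmgr.exe</Command><Arguments>/autoclean</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for blob in (TASK_UPDATER, TASK_SYNC, TASK_CLEANUP):
        result = triage_task(blob)
        print(result["uri"], "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

Run against real exports, the first two constructed tasks are flagged (a hidden logon task running from AppData, and a boot task that hands a script on a removable drive to PowerShell) while the nightly cleanup is not. A startup trigger on its own is deliberately not treated as a finding, since most legitimate tasks have one; tune the path and script-host lists to your fleet before relying on the output.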

How to Protect Yourself

To protect against these threats, organizations should implement robust security measures. Here are some recommended actions:

  • Educate Employees: Train staff on the risks of unknown or shared USB drives and of phishing attempts that can lead to malware infections.
  • Use Endpoint Protection: Keep antivirus and EDR agents updated. Because BRUSHWORM and BRUSHLOGGER are custom components, behavioural detections (scheduled-task creation, executables written to removable media) matter more than known signatures.
  • Monitor Network Traffic: Watch for unusual outbound connections, especially to unknown or dynamic DNS domains, which may indicate C2 communication.
  • Implement Data Loss Prevention (DLP): Use DLP and device-control policies to monitor and restrict data transfers to removable media, and block execution of programs from removable drives where the business allows it.

By taking these proactive steps, organizations can reduce the risk of infection and protect sensitive data from being compromised.
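The advice to monitor outbound connections to unknown domains, together with the report's observation that test versions relied on free dynamic DNS, gives a concrete hunting query. The following is an added example written for this summary, not code from Elastic Security Labs or from the report: it scans a simplified DNS log for lookups of hostnames under well-known free dynamic-DNS zones and checks whether a client repeats the lookup at a regular interval, the cadence typical of a C2 check-in. The zone list is an illustrative and incomplete assumption, the log format is a constructed "timestamp client type name" layout, and the log lines are constructed.

```python
"""Hunt DNS logs for free dynamic-DNS lookups and beacon-like cadence.

Added example for this summary, not code from Elastic Security Labs. The
report only says test builds used free dynamic DNS; the zone list below is
an illustrative, incomplete set of well-known free dynamic-DNS providers,
and the log lines are constructed in a simplified
"timestamp client qtype qname" format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumption: an illustrative, incomplete list of free dynamic-DNS zones.
DYNDNS_ZONES = {
    "ddns.net", "hopto.org", "zapto.org", "sytes.net", "no-ip.org", "no-ip.biz",
    "myftp.org", "serveftp.com", "servehttp.com", "duckdns.org", "dyndns.org",
    "dynv6.net", "freeddns.org",
}
MIN_BEACON_QUERIES = 3      # need at least this many lookups to judge cadence
JITTER_TOLERANCE = 0.10     # gaps within 10% of the median count as regular


def dyndns_zone(qname):
    """Return the dynamic-DNS zone a hostname falls under, or None."""
    labels = qname.lower().rstrip(".").split(".")
    # Walk up the name so "a.b.ddns.net" still matches; skip the zone apex
    # itself (i == 0), which is the provider, not a customer host.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DYNDNS_ZONES and i > 0:
            return candidate
    return None


def parse_line(line):
    """Parse one constructed log line into (timestamp, client, qtype, qname)."""
    ts, client, qtype, qname = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qtype, qname


def is_periodic(times):
    """True when lookups repeat at a near-constant interval (beacon cadence)."""
    if len(times) < MIN_BEACON_QUERIES:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mid = median(gaps)
    return mid > 0 and all(abs(g - mid) <= JITTER_TOLERANCE * mid for g in gaps)


def find_dyndns_queries(lines):
    """Group lookups by (client, hostname) and report the dynamic-DNS ones."""
    seen = defaultdict(list)
    for line in lines:
        when, client, _qtype, qname = parse_line(line)
        zone = dyndns_zone(qname)
        if zone:
            seen[(client, qname.lower(), zone)].append(when)
    report = []
    for (client, qname, zone), times in sorted(seen.items()):
        report.append({
            "client": client, "qname": qname, "zone": zone,
            "count": len(times), "periodic": is_periodic(times),
        })
    return report


# Constructed sample log: one host checking in every five minutes, one
# single lookup, and benign traffic that must not be flagged.
SAMPLE_LOG = """\
2024-05-02T09:00:03Z ws-041 A upd-check.ddns.net
2024-05-02T09:02:11Z ws-017 A www.example.com
2024-05-02T09:05:04Z ws-041 A upd-check.ddns.net
2024-05-02T09:07:20Z ws-022 A camfeed.hopto.org
2024-05-02T09:10:03Z ws-041 A upd-check.ddns.net
2024-05-02T09:12:48Z ws-017 AAAA intranet.corp.example
2024-05-02T09:15:03Z ws-041 A upd-check.ddns.net
2024-05-02T09:20:41Z ws-017 A ddns.net
""".splitlines()

if __name__ == "__main__":
    for entry in find_dyndns_queries(SAMPLE_LOG):
        flag = "beacon-like" if entry["periodic"] else "one-off"
        print(f'{entry["client"]} -> {entry["qname"]} ({entry["zone"]}) '
              f'x{entry["count"]}, {flag}')
```

Treat hits as leads rather than verdicts: dynamic DNS has legitimate uses (remote access to home equipment, small vendors), and the report says only the test versions used it, so production C2 may sit on ordinary domains. The periodicity check is what separates a one-off lookup from a process that phones home on a timer.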

Pro insight: The simplistic design of BRUSHWORM and BRUSHLOGGER suggests a potential shift towards less sophisticated, yet effective, malware targeting financial institutions.

Original article from Elastic Security Labs.

Also covered by Cyber Security News: "Hackers Deploy BRUSHWORM and BRUSHLOGGER Against South Asian Financial Firm"
