Hackers Target South Asian Financial Firm with BRUSHWORM and BRUSHLOGGER Attacks
A South Asian financial institution faced compromise due to a custom malware toolkit combining a modular backdoor (BRUSHWORM) and a DLL side-loaded keylogger (BRUSHLOGGER).
Attackers utilized a backdoor initially named paint.exe and a keylogger posing as libcurl.dll, both lacking advanced packing or obfuscation.
BRUSHWORM operates as the primary implant, handling installation, persistence, command-and-control (C2), modular payload loading, USB worm behavior, and bulk theft of files across critical business formats.
BRUSHLOGGER complements this by recording global keystrokes with context, providing attackers detailed insights into user activity on compromised hosts.
Elastic Security Labs observed the intrusion during an investigation where the victim environment exposed only SIEM-level telemetry, limiting visibility into post-exploitation activity.
Investigators also identified multiple earlier testing builds on VirusTotal, with filenames like V1.exe, V2.exe, and V4.exe, some configured to use free dynamic DNS services.
These iterations, along with coding errors and an unused encrypted configuration schema, indicate an inexperienced developer likely experimenting and refining the toolset over time.
BRUSHWORM backdoor behavior
Execution begins with basic anti-analysis checks, such as verifying screen resolution below 1024×768 pixels (causing immediate termination), checking usernames/hostnames for “sandbox”, and querying CPUID hypervisor vendor strings.
Rather than halting on hypervisor detection, the malware briefly sleeps before proceeding. It further validates human activity by monitoring mouse movement over five minutes.
The implant creates hardcoded hidden directories: C:\ProgramData\Photoes\Pics\ for its main binary, C:\Users\Public\Libraries\ for downloaded modules, and C:\Users\Public\Systeminfo\ for staging exfiltrated data, consistently misspelling “Photos” as “Photoes”.
Configuration data is stored as JSON encrypted via AES-CBC, using a hardcoded key and per-field initialization vector prepended to each blob.
After decryption, the structure defines fields like internetCheckDomain, downloadDomain, and retryCount, but these are unused in the active code path. The real C2 endpoint is stored separately as a cleartext global string referencing /updtdll on the attacker-controlled host.
Persistence uses a COM-based scheduled task named MSGraphics running the backdoor at user logon, and a second task, MSRecorder, using rundll32.exe to execute a downloaded Recorder.dll payload from the Libraries directory.
Although the retrieved module wasn’t recovered, its naming and execution model suggest a plugin architecture, likely for features like screen capture or additional data theft.
BRUSHWORM’s USB worm and collection logic make it particularly dangerous in financial environments.

When internet connectivity is available, the backdoor simultaneously infects removable drives using lure filenames like Salary Slips.exe and Presentation.exe, and harvests files with a wide range of extensions covering documents, spreadsheets, presentations, email archives, and source code. Staging occurs under Systeminfo while tracking SHA-256 hashes in a NuGet subdirectory to prevent duplicate exfiltration.
BRUSHLOGGER keylogger
BRUSHLOGGER is a 32-bit DLL built for DLL side-loading under libcurl.dll, exposing inert stubs for curl_easy_* exports while executing malicious logic from DllMain during process attachment.
At startup, it decodes a mutex identifier resembling a Windows Update KB reference to enforce a single running instance. It then derives a per-user log file name under C:\ProgramData\Photoes\ using the username and MD5 hash.
The keylogger installs a global low-level keyboard hook (WH_KEYBOARD_LL) via SetWindowsHookExA and maintains a standard Windows message loop to keep the hook active.
For each keystroke, BRUSHLOGGER records the active window handle, retrieves the window title, and tags sequences of key events with timestamps and window names for contextual recording.
Keys are logged as two-digit hexadecimal virtual key codes, buffered and periodically flushed.

Before disk writing, the buffer is XOR-encrypted byte-by-byte with a static 0x43 key and appended to the .trn log file, offering superficial obfuscation rather than robust cryptographic protection.
Elastic Security Labs assesses with moderate confidence the developer is actively iterating on these tools, potentially incorporating AI-generated code without full validation, while monitoring related C2 infrastructure.
Despite unsophisticated implementation and coding errors, BRUSHWORM and BRUSHLOGGER deliver a capable collection platform for financially focused espionage or data theft operations.
The toolset combines scheduled-task persistence, modular DLL loading, aggressive document and source-code theft, USB-based propagation, and stealthy keystroke capture via DLL side-loading under a legitimate library name.