A South Asian financial institution has been hit by a custom malware toolkit combining a modular backdoor, dubbed BRUSHWORM, and a DLL side‑loaded keylogger known as BRUSHLOGGER.
The attackers relied on a backdoor initially named paint.exe and a keylogger masquerading as libcurl.dll, both of which lacked advanced packing or obfuscation.
BRUSHWORM acts as the primary implant, handling installation, persistence, command-and-control (C2), modular payload loading, USB worm behavior, and bulk file theft across business-critical formats.
BRUSHLOGGER complements this by recording system-wide keystrokes with per-window context, providing the actor with detailed insight into user activity on compromised hosts.
Elastic Security Labs observed the intrusion during an investigation where the victim environment exposed only SIEM-level telemetry, limiting visibility into post-exploitation activity.
Investigators also identified multiple earlier testing builds on VirusTotal, with filenames such as V1.exe, V2.exe, and V4.exe, some of which were configured to use free dynamic DNS services.
These iterations, along with coding mistakes and an unused encrypted configuration schema, suggest an inexperienced developer likely experimenting and refining the toolset over time.
BRUSHWORM backdoor behavior
On execution, BRUSHWORM performs a series of basic anti-analysis checks, including verifying minimum screen resolution, looking for usernames or hostnames containing “sandbox”, and querying CPUID hypervisor vendor strings for common virtualization platforms.
If the display resolution is less than 1024×768 pixels, execution terminates immediately; checking for a small screen is a common sandbox detection technique.
Rather than aborting when a hypervisor is detected, the malware sleeps briefly before continuing, and it further validates human activity by monitoring mouse movement over a five-minute window.
The implant then creates a set of hardcoded hidden directories, such as C:\ProgramData\Photoes\Pics for its main binary, C:\Users\Public\Libraries for downloaded modules, and C:\Users\Public\Systeminfo for staging exfiltrated data, consistently using the misspelling “Photoes” across components.
Configuration data is stored as JSON with fields encrypted via AES-CBC, using a hardcoded key and per-field IV prepended to each blob.

Once decrypted, the structure defines fields such as internetCheckDomain, downloadDomain, and retryCount, but these are not used in the active code path, while the real C2 endpoint is stored separately as a cleartext global string referencing a /updtdll path on the attacker-controlled host.
Persistence is implemented through a COM-based scheduled task named MSGraphics that runs the backdoor at user logon, and a second task, MSRecorder, uses rundll32.exe to execute a downloaded Recorder.dll payload from the Libraries directory.

Although the Recorder.dll module itself was not recovered, its naming and execution model point to a plugin architecture, likely for features such as screen capture or additional data theft.
BRUSHWORM’s USB worm and collection logic make it particularly dangerous in financial environments.

When internet connectivity is available, the backdoor simultaneously infects removable drives, using lure filenames such as Salary Slips.exe and Presentation.exe, and harvests files with a wide range of extensions covering documents, spreadsheets, presentations, email archives, and source code, staging them under Systeminfo and tracking SHA-256 hashes in a NuGet subdirectory to prevent duplicate exfiltration.
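The host indicators the report gives for BRUSHWORM (the MSGraphics and MSRecorder task names, rundll32.exe loading Recorder.dll from C:\Users\Public\Libraries, execution from the misspelled Photoes directory, .trn logs and the USB lure names) translate directly into detection logic. The following is an added example, not Elastic's or the article's own code; the event dictionary layout, the sample events and the use of a non-C: drive letter as a rough removable-drive proxy are constructed assumptions.

```python
# Indicators taken from the report; compared case-insensitively with
# backslashes normalised to forward slashes.
TASK_NAMES = {"msgraphics", "msrecorder"}
MODULE_PATH = "c:/users/public/libraries/recorder.dll"
STAGING_DIRS = ("c:/programdata/photoes/", "c:/users/public/libraries/",
                "c:/users/public/systeminfo/")
LURE_NAMES = {"salary slips.exe", "presentation.exe"}

def norm(p: str) -> str:
    """Lower-case a Windows path and use '/' so indicators match reliably."""
    return p.lower().replace("\\", "/")

def check_event(event: dict) -> list[str]:
    """Return the names of the BRUSHWORM indicators one telemetry event matches."""
    hits, kind = [], event.get("type")
    if kind == "task_create" and event.get("task_name", "").lower() in TASK_NAMES:
        hits.append("task-name")
    if kind == "process_create":
        image, cmdline = norm(event.get("image", "")), norm(event.get("cmdline", ""))
        if image.endswith("rundll32.exe") and MODULE_PATH in cmdline:
            hits.append("rundll32-recorder-dll")
        if image.startswith(STAGING_DIRS):
            hits.append("exec-from-staging-dir")
    if kind == "file_create":
        path = norm(event.get("path", ""))
        if "/photoes/" in path and path.endswith(".trn"):
            hits.append("keylog-trn-file")
        # Assumption: a lure filename written outside C: suggests a removable drive.
        if path.rsplit("/", 1)[-1] in LURE_NAMES and not path.startswith("c:/"):
            hits.append("usb-lure-file")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of every event that matched to its list of indicators."""
    return {i: h for i, e in enumerate(events) if (h := check_event(e))}

# Constructed sample telemetry (not real data); the last event is benign.
SAMPLE_EVENTS = [
    {"type": "task_create", "task_name": "MSRecorder"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\Libraries\Recorder.dll"},
    {"type": "process_create", "image": r"C:\ProgramData\Photoes\Pics\paint.exe",
     "cmdline": "paint.exe"},
    {"type": "file_create", "path": r"C:\ProgramData\Photoes\alice.trn"},
    {"type": "file_create", "path": r"E:\Salary Slips.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], hits)
```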
BRUSHLOGGER keylogger
BRUSHLOGGER is a 32-bit DLL built for DLL side-loading under the libcurl.dll name, exposing a small set of curl_easy_* exports as inert stubs while executing its malicious logic from DllMain during process attachment.
At startup, it decodes a mutex identifier resembling a Windows Update KB reference to enforce a single running instance, then derives a per-user log file name under C:\ProgramData\Photoes using the username and its MD5 hash.
The keylogger installs a global low-level keyboard hook (WH_KEYBOARD_LL) with SetWindowsHookExA and maintains a standard Windows message loop to keep the hook active across the system.
For each captured keystroke, BRUSHLOGGER records the active window handle, retrieves the window title, and tags sequences of key events with timestamps and window names to preserve context around user actions.
Keys are logged as two-digit hexadecimal virtual key codes, which are buffered and periodically flushed.

Before writing to disk, the buffer is XOR-encrypted byte-by-byte with a static 0x43 key and appended to the .trn log file, offering only superficial obfuscation instead of real cryptographic protection.
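Because the XOR key is a single static byte, a recovered .trn file can be read back during incident response by applying the same XOR and translating the hex virtual-key codes. This is an added forensic example, not Elastic's or the article's code; the exact layout of the timestamp and window tags is not given in the report, so the bracketed tag line format, the assumption that tags are XORed together with the key codes, and the sample capture are constructed.

```python
import re

XOR_KEY = 0x43  # static byte the report says BRUSHLOGGER XORs each buffer byte with

# Small virtual-key-code table covering the codes used in the sample.
VK_NAMES = {0x08: "<BACK>", 0x09: "<TAB>", 0x0D: "<ENTER>", 0x10: "<SHIFT>", 0x20: " "}
VK_NAMES.update({c: chr(c) for c in range(0x30, 0x3A)})  # digit keys
VK_NAMES.update({c: chr(c) for c in range(0x41, 0x5B)})  # letter keys

# Assumed tag format: "[timestamp] window title" on its own line.
TAG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<win>.*)$")

def xor_trn(data: bytes) -> bytes:
    """XOR every byte with the static key; the same call encodes and decodes."""
    return bytes(b ^ XOR_KEY for b in data)

def decode_trn(data: bytes) -> list[dict]:
    """Decrypt a .trn buffer and group the key codes under their window tags."""
    records, current = [], None
    for line in xor_trn(data).decode("ascii", errors="replace").splitlines():
        m = TAG_RE.match(line)
        if m:
            current = {"timestamp": m["ts"], "window": m["win"], "keys": ""}
            records.append(current)
            continue
        if current is None or not line.strip():
            continue  # key codes before any tag, or padding, are skipped
        for tok in line.split():
            code = int(tok, 16)
            current["keys"] += VK_NAMES.get(code, f"<VK_{code:02X}>")
    return records

# Constructed sample capture (not real data): two-digit hex VK codes per window.
SAMPLE_PLAINTEXT = (
    "[2025-01-15 09:12:03] Untitled - Notepad\n"
    "48 45 4C 4C 4F 20 57 4F 52 4C 44 0D\n"
    "[2025-01-15 09:12:40] Inbox - Mail\n"
    "41 4C 49 43 45 09 31 32 33 34 0D\n"
)
SAMPLE_TRN = xor_trn(SAMPLE_PLAINTEXT.encode("ascii"))  # what would sit on disk

if __name__ == "__main__":
    for rec in decode_trn(SAMPLE_TRN):
        print(rec["timestamp"], rec["window"], "->", rec["keys"])
```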
Elastic Security Labs assesses with moderate confidence that the developer is still actively iterating on these tools and may have incorporated AI-generated code without fully validating the resulting logic, and the team continues to monitor related C2 infrastructure.
Despite the unsophisticated implementation and apparent coding errors, BRUSHWORM and BRUSHLOGGER together deliver a capable collection platform for financially focused espionage or data theft operations.
The toolset combines scheduled-task persistence, modular DLL loading, aggressive document and source-code theft, USB-based propagation, and stealthy keystroke capture via DLL side-loading under a legitimate library name.