{
  "Event": {
    "analysis": "1",
    "date": "2026-03-27",
    "extends_uuid": "",
    "info": "[Threat Intel] BRUSHWORM and BRUSHLOGGER uncovered",
    "protected": false,
    "publish_timestamp": "1775900416",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775900416",
    "uuid": "d1d2ba77-b61e-4ad6-a97e-b9e4c867eba3",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#5f1b93",
        "local": false,
        "name": "misp-galaxy:producer=\"Elastic\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Removable Media - T1025\"",
        "relationship_type": ""
      },
      {
        "colour": "#3eb869",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Data Staging - T1074.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3909cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"",
        "relationship_type": ""
      },
      {
        "colour": "#3e2e74",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Replication Through Removable Media - T1091\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#17c030",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Window Discovery - T1010\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:region=\"034 - Southern Asia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Finance\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609211",
        "to_ids": false,
        "type": "link",
        "uuid": "d7a65980-458c-4b80-b55c-e9461cb052a3",
        "value": "https://www.elastic.co/security-labs/brushworm-targets-financial-services"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609211",
        "to_ids": false,
        "type": "text",
        "uuid": "3cfff483-02bc-443e-809a-3a2ac3c74420",
        "value": "A South Asian financial institution was targeted with two custom malware components: BRUSHWORM, a modular backdoor, and BRUSHLOGGER, a keylogger. BRUSHWORM features anti-analysis checks, encrypted configuration, scheduled task persistence, modular payload downloading, USB worm propagation, and extensive file theft. BRUSHLOGGER uses DLL side-loading to capture system-wide keystrokes with window context tracking. The malware's low sophistication and implementation flaws suggest an inexperienced author, possibly using AI code-generation tools. Multiple testing versions were discovered on VirusTotal, indicating iterative development. The malware components combine to create a functional collection platform with modular loading, USB propagation, broad file theft, air-gap bridging, and persistent keystroke capture."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609211",
        "to_ids": false,
        "type": "text",
        "uuid": "1a7ea42e-bb53-4901-83f3-fc2fccbb1a55",
        "value": "Name: BRUSHWORM and BRUSHLOGGER uncovered\nAuthor: AlienVault\nAdversary: \nTags: [\"keylogger\", \"brushworm\", \"brushlogger\"]\nTgtd countries: []\nMlwr families: [\"BRUSHWORM\", \"BRUSHLOGGER\"]\nAttack_ids: [\"T1053.005\", \"T1056.001\", \"T1025\", \"T1074.001\", \"T1036.005\", \"T1497.001\", \"T1119\", \"T1091\", \"T1140\", \"T1010\", \"T1027\", \"T1574.002\", \"T1105\"]\nIndustries: [\"Finance\"]"
      },
      {
        "category": "Network activity",
        "comment": "C2 server",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884394",
        "to_ids": true,
        "type": "url",
        "uuid": "ca009077-a509-41fe-aeca-e2e23e0cd666",
        "value": "http://resources.dawnnewsisl.com/updtdll",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Artifacts dropped",
        "comment": "IOC-content:rule Windows_Trojan_BrushWorm_7c2098ef {\n    meta:\n        author = \"Elastic Security\"\n        os = \"Windows\"\n        arch = \"x86\"\n        category_type = \"Trojan\"\n        family = \"BrushWorm\"\n        threat_name = \"Windows.Trojan.BrushWorm\"\n        reference_sample = \"89891aa3867c1a57512d77e8e248d4a35dd32e99dcda0344a633be402df4a9a7\"\n\n    strings:\n        $a = \"internetCheckDomain\" wide fullword\n        $b = { B8 00 00 00 40 33 C9 0F A2 48 8D ?? ?? ?? 89 07 89 5F 04 89 4F 08 89 57 0C 45 33 C0 }\n    condition:\n        all of them\n}\nIOC-title:Windows_Trojan_BrushWorm_7c2098ef",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609211",
        "to_ids": true,
        "type": "yara",
        "uuid": "e311d60c-bf24-4307-a7f4-024658d783fb",
        "value": "30896513cb0aefc78d0343e76d82b49f4afacf21"
      },
      {
        "category": "Artifacts dropped",
        "comment": "IOC-content:rule Windows_Trojan_BrushLogger_304ee146 {\n    meta:\n        author = \"Elastic Security\"\n        os = \"Windows\"\n        arch = \"x86\"\n        category_type = \"Trojan\"\n        family = \"BrushLogger\"\n        threat_name = \"Windows.Trojan.BrushLogger\"\n        reference_sample = \"4f1ea5ed6035e7c951e688bd9c2ec47a1e184a81e9ae783d4a0979501a1985cf\"\n\n    strings:\n        $a = \"%02d-%02d-%d %02d:%02d \" fullword\n        $b = { 81 ?? ?? A1 00 00 00 74 09 81 ?? ?? A0 00 00 00 75 09 6A 00 6A 10 E8 }\n    condition:\n        all of them\n}\nIOC-title:Windows_Trojan_BrushLogger_304ee146",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609211",
        "to_ids": true,
        "type": "yara",
        "uuid": "e787d6b1-d095-4f1f-85a3-78c97a1b3bb3",
        "value": "da2e41f026d2cca001ed584cd22cf4e5e02a8c8f"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884415",
        "to_ids": true,
        "type": "url",
        "uuid": "e1593f67-59fa-40fd-824c-ada4e553c534",
        "value": "resources.dawnnewsisl.com/updtdll",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1775768235",
        "uuid": "158d3514-54a9-4466-a80f-233709ba6c88",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1775768235",
            "to_ids": false,
            "type": "text",
            "uuid": "b1a9b071-de49-448b-b1fe-cce6c401ef27",
            "value": "Windows_Trojan_BrushLogger_304ee146"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1775768235",
            "to_ids": false,
            "type": "comment",
            "uuid": "70bac617-3a45-47c3-8225-2da0e1299cf5",
            "value": "Windows_Trojan_BrushLogger_304ee146"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1775768235",
            "to_ids": true,
            "type": "yara",
            "uuid": "eda0b830-f358-4255-a124-e3dd44d779a3",
            "value": "rule Windows_Trojan_BrushLogger_304ee146 {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        os = \"Windows\"\r\n        arch = \"x86\"\r\n        category_type = \"Trojan\"\r\n        family = \"BrushLogger\"\r\n        threat_name = \"Windows.Trojan.BrushLogger\"\r\n        reference_sample = \"4f1ea5ed6035e7c951e688bd9c2ec47a1e184a81e9ae783d4a0979501a1985cf\"\r\n\r\n    strings:\r\n        $a = \"%02d-%02d-%d %02d:%02d \" fullword\r\n        $b = { 81 ?? ?? A1 00 00 00 74 09 81 ?? ?? A0 00 00 00 75 09 6A 00 6A 10 E8 }\r\n    condition:\r\n        all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1775768255",
        "uuid": "408f654b-f8f8-45c4-bb0b-ca643a18052d",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1775768255",
            "to_ids": false,
            "type": "text",
            "uuid": "56f8f9ed-962e-43be-9aa2-7b82d9b57f84",
            "value": "Windows_Trojan_BrushWorm_7c2098ef"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1775768255",
            "to_ids": false,
            "type": "comment",
            "uuid": "470f7f67-2741-4c78-8b26-26a749b73e8a",
            "value": "Windows_Trojan_BrushWorm_7c2098ef"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1775768255",
            "to_ids": true,
            "type": "yara",
            "uuid": "fa6f63ff-ee5a-42c6-b597-49ce76271cec",
            "value": "rule Windows_Trojan_BrushWorm_7c2098ef {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        os = \"Windows\"\r\n        arch = \"x86\"\r\n        category_type = \"Trojan\"\r\n        family = \"BrushWorm\"\r\n        threat_name = \"Windows.Trojan.BrushWorm\"\r\n        reference_sample = \"89891aa3867c1a57512d77e8e248d4a35dd32e99dcda0344a633be402df4a9a7\"\r\n\r\n    strings:\r\n        $a = \"internetCheckDomain\" wide fullword\r\n        $b = { B8 00 00 00 40 33 C9 0F A2 48 8D ?? ?? ?? 89 07 89 5F 04 89 4F 08 89 57 0C 45 33 C0 }\r\n    condition:\r\n        all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775884436",
        "uuid": "2415bf5b-199f-459a-aa5f-97f16318aecf",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "BRUSHLOGGER",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775884436",
            "to_ids": true,
            "type": "md5",
            "uuid": "1f3d0471-c95a-4b1f-a7e3-39b2305241e1",
            "value": "343f12d0fd0198d038756263d39ea80d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "BRUSHLOGGER",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884238",
            "to_ids": true,
            "type": "sha1",
            "uuid": "29468f64-5f57-4405-b6a0-612f6468881b",
            "value": "8edb8c714150ee194ed0e65740c42d9e3171a855",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "BRUSHLOGGER",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884238",
            "to_ids": true,
            "type": "sha256",
            "uuid": "29e99a1b-fc1c-4d2e-9cca-26a8fba33b94",
            "value": "4f1ea5ed6035e7c951e688bd9c2ec47a1e184a81e9ae783d4a0979501a1985cf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775881186",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7c1cd8e2-0791-4891-be00-0b5918a5fe8e",
            "value": "3072:epFQszI2l3NOMsJTEsZ+clIL2PNI/JN1G/nrhURIF:ejzk8NL0/Z+AILeNDhURIF"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775881186",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c8c9d93d-7f4a-4162-92f6-909a024211ef",
            "value": "113152"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775881186",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7c199f2d-5a88-4d14-90b5-e2f10d50c1e2",
            "value": "115046655d156078z49jz11zaez7"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775881186",
            "to_ids": true,
            "type": "filename",
            "uuid": "f3038e86-c3d1-4106-8211-8967e7b701f0",
            "value": "r8e7qg6ny.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan: 10/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775881186",
            "to_ids": false,
            "type": "text",
            "uuid": "a18daa56-a5e3-43b9-bbdc-dd076fc5f8a2",
            "value": "BRUSHLOGGER\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Etset!rfn\nVT Total Detection:48/72\nFirst Submission:2025-09-03T11:38:48.000000+00:00\nLast Submission:2026-04-09T05:45:08.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775884457",
        "uuid": "cb8042f0-701c-4587-bf4c-aeae007d978a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "BRUSHWORM",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775884457",
            "to_ids": true,
            "type": "md5",
            "uuid": "69dc5684-e00b-423b-a31e-ab7c9b89d705",
            "value": "47e091f6cdaafc8104b9ff12da1597c0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "BRUSHWORM",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884239",
            "to_ids": true,
            "type": "sha1",
            "uuid": "02918ebe-c876-4bdc-a343-8c6281f611a3",
            "value": "42f63a9beb3468a9e642f8644ffe1852c2d6eb0a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "BRUSHWORM",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884239",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d02158b7-2c12-49b6-92ca-07b0da56a728",
            "value": "89891aa3867c1a57512d77e8e248d4a35dd32e99dcda0344a633be402df4a9a7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775881208",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d0dbfac8-bc54-45e9-a8b5-96be9b602198",
            "value": "12288:mCFP238iImhOXJf9y1ZiYhSwD9cE0+hhenK2gWioxtiPG+lTjelQMvWY6u:mzXJhOXJ9gFEwDFmK2gTKtinT3MvW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775881208",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b13c3277-ed60-4c10-a381-aaf0d0311c6a",
            "value": "1418752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775881208",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f331839a-e328-4ba3-b673-29533efd056a",
            "value": "016076655d156d05155013z32z9d7z4085z1011zbez1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775881208",
            "to_ids": true,
            "type": "filename",
            "uuid": "1b01a68b-88bf-4085-a535-6abd3aaad5a0",
            "value": "89891aa3867c1a57512d77e8e248d4a35dd32e99dcda0344a633be402df4a9a7.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan: 09/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775881208",
            "to_ids": false,
            "type": "text",
            "uuid": "3f46fc24-5d95-4f4e-b448-d9f93b8e3a6e",
            "value": "BRUSHWORM\r\nType Description: Win32 EXE\nMicrosoft: Backdoor:Win64/Brushworm.C!MTB\nVT Total Detection:43/72\nFirst Submission:2026-02-11T04:58:24.000000+00:00\nLast Submission:2026-04-09T16:17:51.000000+00:00"
          }
        ]
      }
    ]
  }
}