Elastic Security Labs uncovers BRUSHWORM and BRUSHLOGGER
Summary
Elastic Security Labs uncovered two custom malware families, BRUSHWORM and BRUSHLOGGER, used against a financial institution in South Asia. BRUSHWORM is a modular backdoor that maintains persistence through a scheduled task, propagates via removable media, and steals files across a wide range of extensions. BRUSHLOGGER is a DLL side-loaded keylogger that captures keystrokes together with active window context and saves the logs in XOR-encrypted form. Both malware samples appear relatively low in sophistication and show signs of ongoing trial-and-error development.
Investigation
During the investigation, analysts recovered the backdoor executable paint.exe and the side-loaded keylogger DLL libcurl.dll, then examined their persistence methods, configuration logic, USB spread behavior, and data staging directories. Older development builds such as V1.exe, V2.exe, and V4.exe were also found on VirusTotal, where they were linked to free dynamic DNS infrastructure for command and control. The report further documented the malware’s scheduled tasks, mutex, and file path conventions.
Mitigation
Defenders should prevent execution of unknown binaries from ProgramData and Public paths, monitor creation of scheduled tasks named MSGraphics or MSRecorder, and detect the mutex Windows-Updates-KB852654856. Organizations should also disable or restrict autorun from removable media and inspect suspicious lure-style filenames. Logging and inspection of WinHTTP traffic to the identified C2 domain should be enforced.
Response
If BRUSHWORM or BRUSHLOGGER activity is detected, isolate the endpoint, preserve the paint.exe and libcurl.dll samples, capture scheduled task evidence, and remove malicious files from all user and public directories. Investigators should also scan removable drives for lure binaries, delete the staged exfiltration folder, reset affected credentials, and monitor for any additional payload retrieval from the C2 server.
Attack Flow
graph TB
    %% Class definitions section
    classDef technique fill:#cfe2f3

    %% Node definitions
    exec_check["<b>Technique</b> – T1497.002 Virtualization/Sandbox Evasion:<br/>Checks for user activity, screen resolution, username, computer name, hypervisor CPUID strings and mouse movements to abort in analysis environments."]
    class exec_check technique
    persistence_task["<b>Technique</b> – T1053 Scheduled Task/Job:<br/>Creates a Windows scheduled task named MSGraphics that runs the backdoor at each user logon."]
    class persistence_task technique
    c2_contact["<b>Technique</b> – T1071 Application Layer Protocol:<br/>Backdoor contacts its C2 server over HTTPS using WinHTTP."]
    class c2_contact technique
    encrypted_channel["<b>Technique</b> – T1573 Encrypted Channel:<br/>Establishes an encrypted channel to download additional modules."]
    class encrypted_channel technique
    shared_module["<b>Technique</b> – T1129 Shared Modules:<br/>Downloads a DLL payload (Recorder.dll) from the C2 server."]
    class shared_module technique
    second_task["<b>Technique</b> – T1053 Scheduled Task/Job:<br/>Creates a second scheduled task that launches Recorder.dll via rundll32.exe."]
    class second_task technique
    dll_side["<b>Technique</b> – T1574.001 DLL Side-Loading:<br/>Malicious libcurl.dll is side-loaded to hijack execution flow."]
    class dll_side technique
    keylogging["<b>Technique</b> – T1056.001 Keylogging:<br/>DllMain installs a low-level keyboard hook to capture keystrokes, window titles and timestamps."]
    class keylogging technique
    obfuscation["<b>Technique</b> – T1027 Obfuscated Files or Information:<br/>Log files are XOR-encrypted; configuration data is written in cleartext then deleted."]
    class obfuscation technique
    local_staging["<b>Technique</b> – T1074.001 Local Data Staging:<br/>Collected files are copied to C:\Users\Public\Systeminfo and a hash log is kept to avoid duplicate exfiltration."]
    class local_staging technique
    usb_propagation["<b>Technique</b> – T1092 Communication Through Removable Media:<br/>When Internet is reachable, the malware copies itself to attached USB drives using lure filenames."]
    class usb_propagation technique
    usb_data_exfil["<b>Technique</b> – T1025 Data from Removable Media:<br/>Continues file theft from the USB drives."]
    class usb_data_exfil technique
    physical_exfil["<b>Technique</b> – T1052.001 Exfiltration Over Physical Medium:<br/>If no Internet, stolen files are copied onto removable media for physical exfiltration."]
    class physical_exfil technique

    %% Connections showing flow
    exec_check -->|triggers| persistence_task
    persistence_task -->|executes| c2_contact
    c2_contact -->|establishes| encrypted_channel
    c2_contact -->|downloads| shared_module
    shared_module -->|creates| second_task
    second_task -->|launches| dll_side
    dll_side -->|loads| keylogging
    keylogging -->|produces| obfuscation
    obfuscation -->|stores| local_staging
    local_staging -->|copies to| usb_propagation
    usb_propagation -->|exfiltrates from| usb_data_exfil
    local_staging -->|uses for| physical_exfil
Detections
- Suspicious Scheduled Task (via audit)
- Suspicious Execution from Public User Profile (via process_creation)
- Dll dropped to uncommon location (via file_event)
- Suspicious Files in Public User Profile (via file_event)
- IOCs (HashSha256) to detect: Elastic Security Labs uncovers BRUSHWORM and BRUSHLOGGER
- BRUSHWORM Backdoor C2 Communication Detection [Windows Network Connection]
- Detection of Paint.exe and Rundll32.exe Execution [Windows Process Creation]
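The Mitigation section and the detection list above name the same handful of host indicators: the MSGraphics and MSRecorder task names, the Windows-Updates-KB852654856 mutex, execution and file drops under ProgramData or Users\Public, the C:\Users\Public\Systeminfo staging folder, and rundll32.exe loading Recorder.dll. The following is an added example, not code from Elastic Security Labs or from the rule set listed above, that turns those indicators into triage rules and runs them over constructed telemetry. The event schema (a `type` field plus `image`, `command_line`, `target`, `task_name`, `name`, `dest_host`), the rule names, the rundll32 entry point and the C2 domain are assumptions or placeholders; the report does not print the C2 domain, so none is asserted here.

```python
"""Triage rules for the BRUSHWORM / BRUSHLOGGER indicators quoted in the report,
run over constructed sample telemetry (added example, not the report's own code)."""
from collections import Counter
from typing import Dict, List

# Indicators quoted from the report.
TASK_NAMES = {"msgraphics", "msrecorder"}
MUTEX_NAME = "Windows-Updates-KB852654856"
STAGING_DIR = r"c:\users\public\systeminfo"
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")
PAYLOAD_DLL = "recorder.dll"
BACKDOOR_IMAGE = "paint.exe"          # the report's backdoor file name, not Windows' mspaint.exe
# The report does not print the C2 domain; this value is a placeholder, not an IoC.
C2_DOMAINS = {"c2-placeholder.example.invalid"}
EXECUTABLE_EXT = (".exe", ".dll")


def norm(path: str) -> str:
    """Lower-case and use backslashes so path comparisons ignore case and separator style."""
    return path.replace("/", "\\").lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list for benign events)."""
    hits: List[str] = []
    kind = ev.get("type")

    if kind == "scheduled_task":                      # e.g. Security 4698 task creation
        if ev.get("task_name", "").lower().lstrip("\\") in TASK_NAMES:
            hits.append("suspicious_scheduled_task")

    elif kind == "process_creation":                  # e.g. Sysmon event 1 / Security 4688
        image = norm(ev.get("image", ""))
        basename = image.rsplit("\\", 1)[-1]
        cmd = ev.get("command_line", "").lower()
        if image.startswith(SUSPICIOUS_DIRS):
            hits.append("execution_from_public_or_programdata")
        if basename == BACKDOOR_IMAGE:
            hits.append("paint_exe_execution")
        if basename == "rundll32.exe" and PAYLOAD_DLL in cmd:
            hits.append("rundll32_loads_recorder_dll")

    elif kind == "file_event":                        # e.g. Sysmon event 11 file create
        target = norm(ev.get("target", ""))
        if target == STAGING_DIR or target.startswith(STAGING_DIR + "\\"):
            hits.append("local_staging_systeminfo")
        if target.startswith(SUSPICIOUS_DIRS) and target.endswith(EXECUTABLE_EXT):
            hits.append("executable_dropped_to_public_or_programdata")

    elif kind == "mutex":                             # assumed EDR/sandbox mutex telemetry
        if ev.get("name") == MUTEX_NAME:
            hits.append("brushworm_mutex")

    elif kind == "network_connection":                # e.g. Sysmon event 3
        if ev.get("dest_host", "").lower() in C2_DOMAINS:
            hits.append("brushworm_c2_domain")

    return hits


def summarize(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count rule hits across a batch of events."""
    counts: Counter = Counter()
    for ev in events:
        counts.update(check_event(ev))
    return dict(counts)


# Constructed sample telemetry; everything other than the report's own IoCs is invented.
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "task_name": "\\MSGraphics"},
    {"type": "process_creation", "image": r"C:\Users\Public\paint.exe",
     "command_line": r"C:\Users\Public\paint.exe"},
    {"type": "process_creation", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\ProgramData\Recorder.dll,<entrypoint-placeholder>"},
    {"type": "file_event", "target": r"C:\ProgramData\libcurl.dll"},
    {"type": "file_event", "target": r"C:\Users\Public\Systeminfo\constructed-hashlog.txt"},
    {"type": "mutex", "name": "Windows-Updates-KB852654856"},
    {"type": "network_connection", "dest_host": "c2-placeholder.example.invalid"},
    # Benign controls that must not fire:
    {"type": "process_creation", "image": r"C:\Windows\System32\mspaint.exe",
     "command_line": "mspaint.exe"},
    {"type": "scheduled_task", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        hits = check_event(ev)
        if hits:
            print(f"event {i}: {', '.join(hits)}")
    print(summarize(SAMPLE_EVENTS))
```

The two benign controls matter: the Defrag task shows that the task-name rule is an exact match after stripping the leading backslash, and the mspaint.exe event shows that a rule keyed on the backdoor's file name paint.exe does not fire on Windows' own Paint, which is worth remembering when reading the simulation script later on this page.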
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker has obtained a malicious DLL (evil.dll) that, when executed via rundll32.exe, drops a ransomware payload and writes encrypted data to a USB drive. To avoid suspicion, the attacker first uses paint.exe to create a benign-looking image on the removable media, then uses rundll32.exe to load the malicious DLL hidden in the same directory. Both actions generate process-creation events that match the Sigma rule.
Regression Test Script:
# ------------------------------
# Simulation of Paint + Rundll32 abuse
# ------------------------------
# 1. Create a temporary working directory
$workDir = "$env:TEMP\PaintRundllSim"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 2. Copy a legitimate image to the USB (simulated by $workDir)
$imagePath = Join-Path $workDir "innocent.png"
Invoke-WebRequest -Uri "https://via.placeholder.com/150" -OutFile $imagePath

# 3. Launch Paint to open the image (benign usage - still matches rule)
#    Note: the report's backdoor is a file named paint.exe; Windows' own Paint is
#    mspaint.exe, so a rule keyed on the image name paint.exe will not fire here.
Start-Process -FilePath "$env:WINDIR\system32\mspaint.exe" -ArgumentList "`"$imagePath`"" -PassThru | Out-Null

# 4. Drop a malicious DLL (simulated; real payload would be covert)
$dllPath = Join-Path $workDir "evil.dll"
$dllBytes = [byte[]] (0x4D,0x5A,0x90,0x00)   # Minimal PE header placeholder
[IO.File]::WriteAllBytes($dllPath, $dllBytes)

# 5. Execute the DLL via Rundll32 (this is the malicious step)
#    rundll32 expects "<dll path>",<entry point>: the closing quote belongs after the path.
Start-Process -FilePath "$env:WINDIR\system32\rundll32.exe" `
    -ArgumentList "`"$dllPath`",EntryPoint" -PassThru | Out-Null

# 6. Tell the operator to allow time for SIEM ingestion
Write-Host "Simulation executed. Wait ~30s for logs to appear in SIEM."
Cleanup Commands:
# Remove temporary files and processes
Stop-Process -Name mspaint -ErrorAction SilentlyContinue
Stop-Process -Name rundll32 -ErrorAction SilentlyContinue
Remove-Item -Path "$env:TEMP\PaintRundllSim" -Recurse -Force
Write-Host "Cleanup completed."