An evolving malware threat that began with a campaign targeting people in Poland exclusively has now expanded to include targets in a number of other countries, as well as new functionality intended to evade detection systems and reach a larger number of potential victims.
The threat is known as Brushaloader and it is used as a first-stage component to load other pieces of malware. Typically it has been seen loading the DanaBot malware, a complex banking trojan that can steal banking credentials in a number of ways and inject malicious processes into the victim’s browser. Researchers with Cisco’s Talos Group have been tracking the Brushaloader threat since it emerged in the middle of 2018, and have seen a spike in the volume of phishing messages containing the loader in recent months, as well as a change in the target demographics.
The first campaigns involving Brushaloader targeted Polish speakers and used a fake invoice as the lure. The attachment would typically be a RAR file with embedded VBScript that was capable of downloading and installing the Brushaloader component, which, in turn, would install the DanaBot malware. The attackers behind the campaign used simple phishing techniques to entice victims to open the attachment, specifically the use of the Polish word for “invoice”. This mirrors the way that many English-language financial phishing campaigns work, using phony invoices or purchase orders as the bait.
“The script itself already had some interesting techniques associated with sandbox or network simulation evasion, which we will discuss later in the blog. It wasn't too heavily obfuscated and was clean and efficient at establishing command and control (C2) communication with a hard coded IP address via HTTP using wscript,” a new Talos analysis of the Brushaloader campaign says.
“Over time a pattern started to emerge and the campaigns would run for a week or two and then go quiet for a couple of weeks before restarting. The modus operandi for the actor was largely the same throughout: Polish language spam campaigns related to invoices or Faktura that contained a RAR file with malicious VBScript inside. One thing of note about these campaigns is that in the downtime, changes and improvements were being made to the way the VBScript tries to evade detection and analysis, or the ways in which the C2 communication was established.”
As the months went by, the operators of the campaigns began to shift tactics and improve the malware they were delivering. To begin with, the operators added some functionality to evade network simulation, specifically a function that would check in with a non-existent domain and then go into a recursive loop if that request was successful.
“This is an elegant, simple way to determine if network simulation is occurring and stopping execution. These simple techniques can be incredibly effective at avoiding some types of detection and analysis,” the Talos analysis says.
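The check Talos describes works only against sandboxes whose network simulator answers every DNS name. The following is an added example, not code from the Talos write-up or from Brushaloader, written from the sandbox operator's side: it places the weak resolver policy (answer everything) beside a hardened one (resolve only deliberately sinkholed names, NXDOMAIN for the rest) and runs the same kind of bogus-name probe against both to show which policy gives the simulation away. The sinkhole table and the `.invalid` canary label are constructed assumptions.

```python
# Added example (not from the Talos write-up): a sandbox operator's self-test
# for the "query a domain that cannot exist" check described above.
import random
import string

# Constructed sinkhole table: names the sandbox intentionally resolves so that
# C2 traffic can be captured. Placeholders only, not real indicators.
SINKHOLED = {"placeholder-c2.example": "10.99.0.1"}

def resolve_everything(name: str):
    """Weak policy: every query gets an answer, even names that cannot exist.
    This is the behaviour the non-existent-domain check fingerprints."""
    return SINKHOLED.get(name, "10.99.0.1")

def resolve_selectively(name: str):
    """Hardened policy: only sinkholed names resolve; anything else gets
    NXDOMAIN (modelled here as None), which is what a real resolver returns."""
    return SINKHOLED.get(name)

def random_canary(rng: random.Random) -> str:
    """A name of the kind a sample would use as a canary: a random label under
    .invalid, a TLD that RFC 6761 reserves and that can never be delegated."""
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(16))
    return f"{label}.invalid"

def simulation_is_fingerprintable(resolver, trials: int = 5) -> bool:
    """Probe the resolver the way a sample would: if any name that cannot
    exist comes back with an answer, the resolver has revealed that it is
    faking the network and the sample can stop or stall execution."""
    rng = random.Random(1)  # fixed seed so the self-test is reproducible
    return any(resolver(random_canary(rng)) is not None for _ in range(trials))

if __name__ == "__main__":
    for policy in (resolve_everything, resolve_selectively):
        print(f"{policy.__name__}: fingerprintable ="
              f" {simulation_is_fingerprintable(policy)}")
```

The hardened policy still lets the sandbox capture traffic to names it has chosen to sinkhole, while denying the sample a cheap "everything resolves" signal.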
That check continued to evolve over the course of the fall, and the Brushaloader operators also began targeting different victim groups, such as German and Italian speakers. The Brushaloader threat itself also continued to evolve, including a change to the VBScript that allowed the attackers to read and write files on disk on compromised machines. A campaign that began in January implemented these changes and also featured some other modifications.
“One of the biggest changes in this campaign was the move toward PowerShell and away from wscript, which was previously used to execute commands, gather system information, and provide additional payloads. Additionally, this campaign was on a scale we previously hadn't seen from Brushaloader and could be an indicator the loader may be ready for wider distribution, with the potential to have reach outside of just Europe,” the Talos researchers said.
That campaign ended earlier this month but the Talos team expects development of the Brushaloader threat to continue, especially given how quickly it has evolved in its short life.