The tenacious loader malware called Brushaloader is growing more menacing, showing no signs of abatement despite the best efforts of security professionals. First identified in June 2018, Brushaloader is now more pervasive and stealthy, and its popularity among attackers is growing faster than ever.

New insights come from Proofpoint, which said on Monday that threat actors are increasingly turning to loader malware and targeting PCs to deliver a number of different malware payloads, such as the versatile DanaBot banking trojan. The goal is to use Brushaloader as a springboard: infect systems quietly, then deliver more aggressive second-stage payloads.

Researchers said loader malware, sometimes called dropper malware, is becoming a more popular tool for adversaries. While loaders lack the panache of more aggressive attacks, their virtue to criminals is the stealth with which they operate.

“Malware like BrushaLoader contributes to the ongoing trend of ‘quality over quantity’ infections — and enables threat actors to better stay under the radar than they can with highly disruptive infections like ransomware, or when distributing massive malicious spam campaigns with high-profile malware as their primary payload,” Proofpoint wrote.

Since first being detected by Cisco Talos last year, Brushaloader has maintained a simplistic but highly effective infection technique built on spam campaigns. Brushaloader hides in malicious Microsoft Visual Basic Scripting Edition (VBScript) files delivered inside compressed (archive) attachments, so the victim must open the archive and run the script by hand. “Despite requiring several user interactions, the actors were able to ensnare more than 4,000 computers in 36 hours,” Proofpoint said of one particular two-day campaign.

According to researchers, the financially motivated threat actor TA544 is one of several adversaries distributing Brushaloader. In a 2017 analysis of TA544, Proofpoint found that the group targeted victims in Western Europe and Japan, using mostly six malware families including the Ursnif and URLZone banking trojans. It is unclear whether TA544 has deviated from those geographic targets in its most recent campaigns.

Despite these operational changes, the back end is intact. Researchers said the command-and-control (C2) infrastructure and the infection modus operandi are the same, and the means of infection is still spam. Once a foothold has been established, Brushaloader calls out to its C2 servers, from which it receives a PowerShell script called PowerEnum.

Next, PowerEnum fingerprints the compromised system to confirm it is a worthwhile target, after which the payloads are pulled from a Google Drive account. Payloads include the banking trojans DanaBot and Nymaim, along with Gootkit, Ursnif and Narwhal Spider.
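The chain just described (a VBScript attachment run by the Windows script host, which hands off to PowerShell, which then reaches out to a C2 server) has a recognisable process lineage that defenders can hunt for. The detector below is an added example written for this page; it is not code from Proofpoint, Cisco Talos or the Brushaloader authors, and it is a generic check for script-host-to-PowerShell hand-offs rather than a signature for Brushaloader specifically. The log format, host paths, PIDs and IP addresses are all constructed for the example (the records loosely mimic Sysmon process-create and network-connect events, but the key=value layout is an assumption, not Sysmon's real schema).

```python
"""
Added example: flag PowerShell processes spawned by a Windows script host
(wscript.exe / cscript.exe, the interpreters that run a VBScript attachment)
and escalate the finding when that PowerShell process makes an outbound
connection, as a loader fetching its next stage would. Not the article's
or any vendor's code; all sample data is constructed.
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # VBScript interpreters
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry (not real logs). "proc" records stand in for
# process-creation events, "net" records for network-connection events.
# pid 5188 is the suspicious chain; pid 6001 is an admin's PowerShell started
# from Explorer and must not fire.
SAMPLE_LOG = r"""
proc pid=4012 ppid=1320 image=C:\Windows\explorer.exe parent=C:\Windows\System32\userinit.exe
proc pid=5120 ppid=4012 image=C:\Windows\System32\wscript.exe parent=C:\Windows\explorer.exe
proc pid=5188 ppid=5120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\System32\wscript.exe
net pid=5188 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dest=203.0.113.10:443
proc pid=6001 ppid=4012 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe
net pid=6001 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dest=192.0.2.5:443
"""


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(log_text):
    """Turn the constructed key=value lines into dicts; first token is the record kind."""
    records = []
    for line in log_text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        fields = dict(tok.split("=", 1) for tok in tokens[1:])
        fields["kind"] = tokens[0]
        records.append(fields)
    return records


def detect(log_text):
    """Return one finding per PowerShell process whose parent is a script host.

    Severity is "medium" on lineage alone and "high" once that process is
    also seen making an outbound connection (the loader's call-out for its
    next stage). Findings are sorted by pid.
    """
    records = parse(log_text)
    hits = {}
    for r in records:
        if (r["kind"] == "proc"
                and basename(r["image"]) in POWERSHELL
                and basename(r["parent"]) in SCRIPT_HOSTS):
            pid = int(r["pid"])
            hits[pid] = {
                "pid": pid,
                "image": basename(r["image"]),
                "parent": basename(r["parent"]),
                "destinations": [],
                "severity": "medium",
            }
    # Second pass: attach network egress to any flagged process.
    for r in records:
        if r["kind"] == "net" and int(r["pid"]) in hits:
            hit = hits[int(r["pid"])]
            hit["destinations"].append(r["dest"])
            hit["severity"] = "high"
    return sorted(hits.values(), key=lambda h: h["pid"])


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(f"[{finding['severity']}] pid {finding['pid']}: "
              f"{finding['parent']} -> {finding['image']} "
              f"egress={finding['destinations'] or 'none'}")
```

Two caveats a practitioner would add before relying on this in production: correlate process and network records by process GUID or start time rather than bare PID, since PIDs are reused; and expect some noise from legitimate logon or management scripts that launch PowerShell from wscript.exe, which is why the lineage alone is rated medium and egress to an unfamiliar destination raises it.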

“We have observed it in multiple geographies and a variety of campaigns. Moreover, insights from the command and control panel suggest high infection success rates for the loader, enabling deployment of a range of payloads by actors using the malware,” said researchers.
