
Brushaloader

Posted: February 25, 2019

Brushaloader is a Remote Access Trojan (or RAT) and Trojan downloader that grants remote attackers the ability to deliver and execute commands, including downloading and installing other threats. Brushaloader infections have a close relationship with the banking Trojan Danabot, which can mine for cryptocurrency or collect your credentials. Users can monitor e-mail for infection attempts and use their anti-malware solutions to delete Brushaloader and its accompanying threats.

Trojans Coming Back Out of the Brush

After hibernating briefly over the crossover from 2018 to 2019, Brushaloader has reappeared with many of the same techniques its earlier attacks used against victims in Poland and Germany. New infections target Italian PC users, and malware researchers continue to estimate that business-sector targets are at the greatest risk of an attack. While Brushaloader's threat actors are productive in updating the program, most of the Trojan's core attacks remain stable between its old and new versions.

Infection vectors are remarkably consistent across Brushaloader's versions: almost always, a corrupted e-mail message references an invoice, legal action over billing errors, or another finance-related problem. The tactic uses the native language of the specific targeted companies in various European countries, and carries a RAR archive-based installation exploit for Brushaloader. In another, especially unusual inclusion, malware experts can verify that the installation routine displays a pop-up showing a Fibonacci sequence; since it requires the user's input, this could be an anti-AV technique.

Brushaloader's C&C infrastructure can vary wildly depending on the strain that is compromising the PC. The latest iterations use PowerShell, rather than the older script implementation, to process and execute commands from the remote attacker. These instructions can include harvesting system information and dropping other threats; among the latter, Brushaloader shows a consistent predisposition toward deploying Danabot, a password collector and cryptocurrency miner.

Stopping a Load of Software that You Don't Need

Other than the Windows pop-up with its mathematical reference, Brushaloader has few or no symptoms. Systems with PowerShell or network-traffic logging, such as that offered by various cyber-security products, could in theory monitor its behavior. Malware analysts also confirm Brushaloader's routine use of additional anti-security features for hiding its identity and avoiding analysis-oriented environments (such as sandboxes).

The formatting of the e-mail messages in different stages of Brushaloader's campaign is exceptionally consistent. Most letters include the term 'faktura' for Polish or German victims, or 'Fattura' for Italian ones, with likely equivalents for other nationalities on invoice- or billing-related subjects. Brushaloader's obfuscation is relatively primitive, and most anti-malware programs should be capable of blocking the attachment as unsafe or removing Brushaloader afterward, in case of a successful installation.
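The lure pattern described above (a localized invoice keyword paired with a RAR attachment) is simple enough to turn into a mail-gateway triage rule. The following Python script is an added example, not code from the original article or from any security product it mentions: it scores constructed sample messages on the signals the article names ('faktura', 'Fattura', RAR attachment). The extra terms 'rechnung' and 'invoice', the attachment-name check, the score weights and the threshold are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Localized invoice terms. 'faktura' (Polish/German) and 'fattura' (Italian)
# are named in the article; 'rechnung' and 'invoice' are assumed additions.
INVOICE_TERMS = ("faktura", "fattura", "rechnung", "invoice")

# The article describes RAR attachments; the regex also catches double
# extensions such as "Faktura_117.pdf.rar" because it anchors on the last one.
RAR_EXT = re.compile(r"\.rar$", re.IGNORECASE)


@dataclass
class MailMessage:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Verdict:
    score: int
    reasons: list


def score_message(msg: MailMessage) -> Verdict:
    """Score one message on the invoice-lure signals. Weights are assumptions."""
    reasons, score = [], 0
    text = f"{msg.subject}\n{msg.body}".lower()

    # Signal 1: invoice-themed wording in subject or body (whole-word match).
    hits = [t for t in INVOICE_TERMS if re.search(rf"\b{t}\b", text)]
    if hits:
        score += 2
        reasons.append("invoice-themed wording: " + ", ".join(hits))

    # Signal 2: a RAR archive attachment.
    rars = [a for a in msg.attachments if RAR_EXT.search(a)]
    if rars:
        score += 3
        reasons.append("RAR attachment: " + ", ".join(rars))

    # Signal 3 (assumption): the attachment file name itself uses a lure term.
    lure_names = [a for a in msg.attachments
                  if any(t in a.lower() for t in INVOICE_TERMS)]
    if lure_names:
        score += 1
        reasons.append("lure-themed attachment name: " + ", ".join(lure_names))

    # Signal 4: wording and archive together is the pattern the article describes.
    if hits and rars:
        score += 2
        reasons.append("lure wording combined with RAR attachment")

    return Verdict(score, reasons)


def triage(messages, threshold: int = 5):
    """Return (subject, verdict) for every message at or above the threshold."""
    flagged = []
    for m in messages:
        v = score_message(m)
        if v.score >= threshold:
            flagged.append((m.subject, v))
    return flagged


# Constructed sample messages; senders use the reserved .invalid TLD.
SAMPLE_MESSAGES = [
    MailMessage("biuro@example.invalid", "Faktura VAT 2019/02/117",
                "W załączeniu faktura do opłacenia.", ["Faktura_117.rar"]),
    MailMessage("amministrazione@example.invalid", "Fattura n. 58",
                "In allegato la fattura.", ["Fattura_58.rar"]),
    MailMessage("hr@example.invalid", "Team lunch on Friday",
                "See you at noon.", []),
    MailMessage("billing@example.invalid", "Invoice attached",
                "Please find your invoice attached.", ["invoice.pdf"]),
]

if __name__ == "__main__":
    for subject, verdict in triage(SAMPLE_MESSAGES):
        print(f"[score {verdict.score}] {subject}")
        for r in verdict.reasons:
            print("   -", r)
```

The weighting deliberately keeps a lone keyword (the "Invoice attached" message with a PDF) below the threshold, since legitimate billing mail uses the same words; it is the combination of localized invoice wording with an archive attachment that matches the campaign's lure, and that combination is what pushes a message over the line.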

Updates to Brushaloader's Command & Control methodology arrive every one or two weeks, with accompanying swaps in domain references, Registry-reading behavior, and other traits. While these technicalities change little about how it harms its victims, they show that this Black Hat development team is in it for the long haul.
