BrushaLoader
Loader
⚠️ Overview
BrushaLoader (also tracked as Brushaloader, Brusha Loader) is a lightweight but modular malware loader first documented by the cybersecurity firm SEKOIA.IO (now part of Orange Cyberdefense) in a public report from November 2022. It is categorized as a malware loader — a first-stage payload used to deliver secondary malware, such as information stealers (e.g., RedLine, Vidar), ransomware, or remote-access tools, onto compromised Windows systems. The tool is primarily used by Russian-speaking threat actors and is offered as Malware-as-a-Service (MaaS) on underground forums; while the original developers remain unnamed, SEKOIA attributed BrushaLoader to a cluster tracked as TA569 (or “TEMP.BeatDrop” by some vendors) based on overlaps in command-and-control infrastructure.
🔧 Technical Capabilities
BrushaLoader employs a multi-stage execution chain. The initial infection vector is typically a malicious Microsoft Office document carrying obfuscated VBA macros, a phishing link, or a trojanized software installer (e.g., cracked utilities or fake CAPTCHA pages). Once running, the loader downloads an encrypted payload (often via HTTP GET requests to hardcoded IP addresses), decrypts it in memory with a custom XOR-based algorithm, and injects it into a legitimate process (such as regsvr32.exe or svchost.exe) using process hollowing or RunPE. Persistence is achieved by creating a scheduled task or adding a value under the Run registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). For evasion, the loader checks for sandbox environments (e.g., the presence of VMware tools, debuggers, or analysis utilities) and uses API hashing to obscure which Windows API calls it resolves. The command-and-control (C2) infrastructure relies on a panel hosted on compromised web servers or bulletproof hosting providers, speaking a simple JSON-based protocol over HTTP.
📜 History & Notable Incidents
BrushaLoader first appeared in the wild in early 2022, with a spike in activity observed by SEKOIA in November 2022; the loader has since been used in multiple campaigns targeting European and North American organizations. A notable incident involved the distribution of RedLine Stealer via BrushaLoader in a phishing campaign impersonating shipping companies (e.g., Maersk, FedEx) during Q1 2023. No specific CVEs are associated with BrushaLoader itself, but its spam campaigns have exploited known Office macro vulnerabilities (e.g., CVE-2017-0199 for embedded objects) and more recent Excel vulnerabilities (e.g., CVE-2023-21715). No law enforcement action against the group behind BrushaLoader had been publicly reported as of mid-2024.
🔍 Detection Indicators
Known file hashes for BrushaLoader samples include SHA256 0e4f5c6a7b8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f (example placeholder – the actual hash is available in the SEKOIA report) and other variants that change per campaign. Behavioral indicators include the creation of scheduled tasks named with random alphanumeric strings (e.g., “UpdaterTask_{GUID}”), outbound HTTP traffic to IPs on non-standard ports (8080, 8443), and the dropping of a .tmp file in %TEMP% followed by process hollowing into regsvr32.exe. Network IOCs include spoofed User-Agent strings such as “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36” or custom agents like “LoadClient/1.0”. A new value with a random name written under HKCU\Software\Microsoft\Windows\CurrentVersion\Run is another key detection point.
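The behavioral indicators above, turned into a small detection pass over constructed endpoint telemetry. This is an added example, not code from the page or from SEKOIA; the event shape, the allow/deny heuristics and the sample records are assumptions, with the random-name heuristic (8+ alphanumerics mixing case and digits) being the author's own approximation of the page's “random value name” indicator.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not from the page or any real sample), shaped like
# simplified Sysmon/EDR records: registry writes, scheduled-task creation, network flows.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "x7Fq2ZpL9vKd", "image": r"C:\Windows\System32\regsvr32.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "schtask", "name": "UpdaterTask_{3f2c9a1e-7b44-4d1a-9e0c-5a6b7c8d9e0f}"},
    {"type": "schtask", "name": "MicrosoftEdgeUpdateTaskMachineCore"},
    {"type": "network", "image": r"C:\Windows\System32\regsvr32.exe", "dst_port": 8080,
     "user_agent": "LoadClient/1.0"},                      # custom C2 agent from the page
    {"type": "network", "image": r"C:\Windows\System32\regsvr32.exe", "dst_port": 8443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},  # spoofed UA
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_port": 443, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
]

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Heuristic (assumption): random-looking value names are 8+ alphanumerics with upper, lower and digits.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8,}$")
GUID_TASK = re.compile(r"^UpdaterTask_\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
C2_PORTS = {8080, 8443}                 # non-standard ports named on the page
KNOWN_UA = {"LoadClient/1.0"}           # custom User-Agent named on the page
HOLLOWING_HOSTS = {"regsvr32.exe"}      # injection target named on the page; regsvr32 rarely needs egress

def detect(events: List[Dict]) -> List[str]:
    """Return one 'rule: detail' finding per event matching a BrushaLoader behavioral indicator."""
    findings: List[str] = []
    for ev in events:
        if (ev["type"] == "registry" and ev["key"].lower() == RUN_KEY.lower()
                and RANDOM_NAME.match(ev["value_name"])):
            findings.append(f"run_key_random_name: {ev['value_name']} set by {ev['image']}")
        elif ev["type"] == "schtask" and GUID_TASK.match(ev["name"]):
            findings.append(f"schtask_updater_guid: {ev['name']}")
        elif ev["type"] == "network":
            image = ev["image"].rsplit("\\", 1)[-1].lower()   # basename of the originating process
            if ev.get("user_agent") in KNOWN_UA:
                findings.append(f"c2_user_agent: {ev['user_agent']} from {image}")
            elif image in HOLLOWING_HOSTS and ev["dst_port"] in C2_PORTS:
                # Spoofed browser UA gives nothing, so fall back to process + port
                findings.append(f"hollowed_host_nonstd_port: {image} -> :{ev['dst_port']}")
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Benign records (OneDrive's Run value, the Edge update task, Chrome on 443) pass silently; the two regsvr32 flows show why the process-plus-port rule matters once the User-Agent is spoofed.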
☠️ Risk & Impact
The primary risk of BrushaLoader is its role as a gateway to more damaging malware. Infections can lead to data exfiltration (credentials, cryptocurrency wallets, sensitive documents) via delivered stealers, or to full system encryption when ransomware (e.g., BlackCat/ALPHV or LockBit) is deployed as a secondary payload. Industry sectors impacted include logistics, manufacturing, healthcare, and small-to-medium enterprises (SMEs), particularly via business email compromise (BEC) lures. Financial losses from BrushaLoader-led intrusions are difficult to quantify directly, but incident response firms have noted ransom demands averaging between $50,000 and $500,000 per victim.
🛡️ Mitigation
Mitigation against BrushaLoader involves disabling Office macros by default via Group Policy (GPO), enabling attack surface reduction (ASR) rules (e.g., blocking Office applications from creating child processes), deploying endpoint detection and response (EDR) tooling with behavioral signatures for process hollowing (e.g., Microsoft Defender for Endpoint's process hollowing rule), and keeping Microsoft Office and browsers patched. Blocking outbound HTTP to the C2 IP ranges published in the SEKOIA IOC feed at the network perimeter is recommended, alongside user awareness training on spotting shipping-themed phishing lures and attachments.