A dropper malware known as Brushaloader is becoming more popular and more of a concern. It is favored amongst hackers because it operates more quietly, a tactic increasingly being favored by attacker groups.
Despite security experts attempting to tackle the Brushloader tenacious loader, it is becoming more threatening. Since if was first described in June 2018, the malware has become more well-known in hacking communities. It is common and stealthy according to security firm Proofpoint.
In a blog on Monday, the company says hackers are embracing loader malware's such as Brushaloader. They favor this attack method because they can infect systems more quietly. Loader malware is also versatile, with bad actors able to attach different payloads.
Security researchers for Proofpoint say that while a loader malware is not as sophisticated or outright aggressive as other attacks, their stealth makes them a favorite amongst hackers.
“Malware like BrushaLoader contributes to the ongoing trend of ‘quality over quantity' infections — and enables threat actors to better stay under the radar than they can with highly disruptive infections like ransomware, or when distributing massive malicious spam campaigns with high-profile malware as their primary payload,” the company wrote.
Brushaloader was uncovered by Cisco Talos in 2018 and has retained its simplicity that allows it to be easily used for system attacks through spam campaigns. The malware attaches itself through malicious Microsoft Visual Basic Scripting Edition (VBScript) attachments.
One of the interesting things about the attack method is it requires users to make several interactions. This alone should mean Brushaloader is inefficient, but that's not the case. In fact, bad actors were able to infect over 4,000 computers in just 36 hours during one campaign.
“We have observed it in multiple geographies and a variety of campaigns. Moreover, insights from the command and control panel suggest high infection success rates for the loader, enabling deployment of a range of payloads by actors using the malware,” says the team.