# BrushaLoader still sweeping up victims one year later

Proofpoint US, by Kafeine and the Proofpoint Threat Insight Team. Published: 2019-07-22.

## Overview

BrushaLoader is one of a growing group of downloaders frequently employed by threat actors to profile infected PCs and then load more robust payloads on devices of interest. Malware like BrushaLoader contributes to the ongoing trend of “quality over quantity” infections and lets threat actors stay under the radar better than they can with highly disruptive infections like ransomware, or with massive malicious spam campaigns that carry high-profile malware as their primary payload. At the same time, these loaders can also deliver those same disruptive infections if threat actors choose to load ransomware as a secondary payload, a scenario we have observed on multiple occasions recently.

BrushaLoader itself first appeared in June 2018 [1]. Now, just over a year later, we have observed the loader in a number of campaigns by prominent threat actors. We derived the name for this Visual Basic/JavaScript/PowerShell loader from “Rusha”, the author credited in the command and control (C&C) panel.

Figure 1: BrushaLoader C&C panel: "Copyright" section

## Analysis

Immediately after executing, BrushaLoader receives a PowerShell script called "PowerEnum" [5] (Figure 2).

Figure 2: HTTP portion of BrushaLoader delivery and post-infection activity (PowerEnum activity is not illustrated here); captured February 7, 2019

PowerEnum performs extensive fingerprinting of the infected device and sends the data back to the C&C. This communication occurs over a raw TCP channel that runs in parallel to BrushaLoader's own traffic.
PowerEnum is also used to send tasks, which were originally stored on Dropbox [2][3] and more recently have been hosted on Google Drive [4]. PowerEnum is integral to BrushaLoader and shares the same C&C infrastructure. Interestingly, we also observed PowerEnum as a Fallout EK payload delivering Danabot Affid "4" (Figure 3).

Figure 3: Fallout EK dropping PowerEnum, which has been observed instructing the download of Danabot Affid 4 and a BackConnect Socks.dll

## Payloads

BrushaLoader is strongly connected to the Danabot banking Trojan Affid "3". However, this connection is not exclusive, as we have observed it in conjunction with other malware as well (Figure 4).

Figure 4: A selection of documented campaigns involving BrushaLoader over the last year

Figure 4 illustrates a number of noteworthy events:

Unusual payload:
- Ursnif in Italy
- Gootkit in Canada
- Nymaim in Poland

Unusual spreading:
- TA544 [6], also known as Narwhal Spider [7], on May 14, 2019, in a T-Mobile-themed campaign

## The C&C panel

Early in its distribution, we observed the BrushaLoader C&C panel and were surprised by the success of a “basic” campaign using compressed-VBS attachments. Despite requiring several user interactions, the actors were able to ensnare more than 4,000 computers in 36 hours (Figures 5 and 6).
Figure 5: BrushaLoader C&C panel - Victims a few hours after the beginning of a July 5, 2018 malicious spam campaign

Figure 6: BrushaLoader C&C panel - Victims approximately 24 hours after the beginning of a July 5, 2018 campaign (captured July 6, 2018)

Figure 7: BrushaLoader C&C panel - Victims approximately 36 hours after the beginning of a July 5, 2018 campaign (captured July 9, 2018)

Figure 8: BrushaLoader C&C panel - Commands/Tasks

Figure 9: BrushaLoader C&C panel - Home

Figure 10: BrushaLoader C&C panel - The Google Drive link is the payload sent via raw TCP after PowerEnum fingerprinting

Figure 11: BrushaLoader C&C panel - jSloader configuration

## Conclusion

Though one of many downloaders in regular use, BrushaLoader has emerged in connection with numerous secondary payloads such as DanaBot and prolific actors including TA544. We have observed it in multiple geographies and in a variety of campaigns. Moreover, insights from the command and control panel suggest high infection success rates for the loader, enabling actors using the malware to deploy a range of payloads. While loaders fail to garner headlines like high-profile ransomware attacks, they have emerged as a key element of many threat actors’ toolkits. We will continue to monitor trends around this malware family and BrushaLoader in particular.

## Acknowledgement

We would like to thank @Racco42 for his multiple inputs into our tracking over the past year.
## References

[1] https://4programmers.net/Forum/Off-Topic/310825-vbs_wirus_analiza?p=1490086
[2] https://urlhaus.abuse.ch/url/85687/
[3] https://urlhaus.abuse.ch/url/74920/
[4] https://urlhaus.abuse.ch/url/154856/
[5] https://urlhaus.abuse.ch/browse.php?search=chkesosod
[6] https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0
[7] https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/
[8] https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html

## Indicators of Compromise (IOCs)

| IOC | IOC Type | Description | Date |
|---|---|---|---|
| eb12ece1bb8ebaf888282db3c6c852f3e21397d60b45a694c424690b2d6fe838 | sha256 | Ursnif dropped by BrushaLoader | 2018-08-21 |
| bf70c2a22bfb0cc952b29689394e623b632f1c3371f2a6864fd26514639393aa | sha256 | Canada-focused Gootkit dropped by BrushaLoader | 2018-08-02 |
| a3f00f3b77faed13f24c8d572fe59ac38a2467449a60a1b9dc1c64baeb145b0a | sha256 | PowerEnum | 2019-03-08 |
| 04869bef3007a33e8bf9b14bd650e2b872daa6d2bb2b5ea35d4cb271f35d49e2 | sha256 | PowerEnum | 2019-06-19 |
| d994f65735bb53dda95f7ab097e59bbd2043f8091d246bc4e21ba55ba6bda764 | sha256 | Poland-focused Nymaim dropped by BrushaLoader | 2018-12-27 |
| a1a6886f86ac1080d2fc3d645a8a1223209bfb1e91918d90a99b06d559ccb010 | sha256 | aced-VBS spread by TA544 | 2019-05-14 |
| fees.tetofevent[.]online \| 210.16.101[.]169 | domain \| IP | GidensTDS leading after filtering to BrushaLoader download | 2019-02-07 |
| analiticap[.]info \| 185.203.117.63 | domain \| IP | PowerEnum (dropped by Fallout) C&C | 2019-06-06 |
| https[:]//drive.google[.]com:443/uc?id=14ok5q46YDL8wL1HLmQyuWi0n-xRgtHxq&export=download | URL | PowerEnum Task (Danabot Affid 4) | 2019-06-06 |

## ET and ETPRO Suricata/Snort Signatures

2832053 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (Win32 Get-WmiObject)
2832054 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (OSVersion.Version)
2832055 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (GetCurrent User)
2833475 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (Win32_ComputerSystem)
2833476 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (OS Install Date)
2833477 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (System Language)
2833478 || ETPRO INFO Possible System Enumeration via PowerShell over TCP (Win32_VideoController)
2833472 || ETPRO CURRENT_EVENTS PowerShell Downloader Saving Payload to AppData Inbound Over Raw TCP
2833473 || ETPRO CURRENT_EVENTS PowerShell Loader with Wide Base64 Encoded Stage 2 Inbound Over Raw TCP
2834482 || ETPRO TROJAN PowerEnum Sending Base64 Payload Part 1
2834483 || ETPRO TROJAN PowerEnum Sending Base64 Payload Part 2
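The ETPRO rules listed above split the BrushaLoader/PowerEnum chain into two stages: the "System Enumeration via PowerShell over TCP" rules fire on fingerprinting, and the remaining rules fire on payload delivery. The Python below is an added example, not code from the Proofpoint post, that correlates Suricata eve.json alerts per victim host so that an isolated enumeration hit is triaged differently from enumeration followed by an inbound payload. The eve.json records and IP addresses are constructed, and the direction rule (a signature name containing "Inbound" means C&C-to-victim traffic) is an assumption made for this example.

```python
import json
from collections import defaultdict

# Signature IDs copied from the ET/ETPRO list above, grouped by the stage each one detects.
ENUM_SIDS = {2832053, 2832054, 2832055, 2833475, 2833476, 2833477, 2833478}
PAYLOAD_SIDS = {2833472, 2833473, 2834482, 2834483}

# Constructed Suricata eve.json lines (not real traffic). 10.0.0.x hosts are the
# monitored LAN; 203.0.113.x (TEST-NET-3) stands in for the C&C server.
SAMPLE_EVE = r'''
{"timestamp": "2019-06-06T10:00:01", "event_type": "alert", "src_ip": "10.0.0.7", "dest_ip": "203.0.113.9", "alert": {"signature_id": 2832054, "signature": "ETPRO INFO Possible System Enumeration via PowerShell over TCP (OSVersion.Version)"}}
{"timestamp": "2019-06-06T10:00:01", "event_type": "alert", "src_ip": "10.0.0.7", "dest_ip": "203.0.113.9", "alert": {"signature_id": 2833475, "signature": "ETPRO INFO Possible System Enumeration via PowerShell over TCP (Win32_ComputerSystem)"}}
{"timestamp": "2019-06-06T10:00:02", "event_type": "flow", "src_ip": "10.0.0.7", "dest_ip": "203.0.113.9"}
{"timestamp": "2019-06-06T10:00:09", "event_type": "alert", "src_ip": "203.0.113.9", "dest_ip": "10.0.0.7", "alert": {"signature_id": 2833472, "signature": "ETPRO CURRENT_EVENTS PowerShell Downloader Saving Payload to AppData Inbound Over Raw TCP"}}
{"timestamp": "2019-06-06T11:30:00", "event_type": "alert", "src_ip": "10.0.0.22", "dest_ip": "203.0.113.9", "alert": {"signature_id": 2832055, "signature": "ETPRO INFO Possible System Enumeration via PowerShell over TCP (GetCurrent User)"}}
'''

def victim_of(rec):
    """Assumed direction rule: 'Inbound' rules fire on C&C-to-victim traffic, all others on victim-to-C&C."""
    return rec["dest_ip"] if "Inbound" in rec["alert"]["signature"] else rec["src_ip"]

def correlate(eve_text):
    """Per victim host, list stages seen and flag fingerprinting followed by a payload (ISO timestamps compare as strings)."""
    hosts = defaultdict(lambda: {"enum": set(), "payload": set(), "first_enum": None, "last_payload": None})
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, DNS and other record types carry no signature
        sid = rec["alert"]["signature_id"]
        if sid not in ENUM_SIDS and sid not in PAYLOAD_SIDS:
            continue
        h = hosts[victim_of(rec)]
        if sid in ENUM_SIDS:
            h["enum"].add(sid)
            h["first_enum"] = min(filter(None, [h["first_enum"], rec["timestamp"]]))
        else:
            h["payload"].add(sid)
            h["last_payload"] = max(filter(None, [h["last_payload"], rec["timestamp"]]))
    return {
        ip: {
            "enum_sids": sorted(h["enum"]),
            "payload_sids": sorted(h["payload"]),
            # Profiling first, payload later matches the PowerEnum fingerprint-then-task sequence described above.
            "fingerprint_then_payload": bool(h["enum"] and h["payload"] and h["first_enum"] <= h["last_payload"]),
        }
        for ip, h in hosts.items()
    }
```

Hosts with `fingerprint_then_payload` set are the ones where the loader moved past profiling, which is where incident response effort is best spent first.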
Source: https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later