Threat Database Trojans Brushaloader


By GoldSparrow in Trojans

Brushaloader is a malware dropper, a threatening program designed to deliver a Trojan or other malware to the victim's computer. PC security researchers have been studying Brushaloader since June 2018. Brushaloader has various advanced features that allow it to evade detection. Some of these features include the ability to obfuscate URLs, support for HTTPS, and techniques that allow Brushaloader to evade debug, sandbox and virtual environments. The Brushaloader attacks abuse file hosting platforms that are generally considered safe, making Brushaloader more threatening than the typical Trojan downloader.

Corrupted PDF Files and RAR Archives Deliver Brushaloader to Vulnerable PCs

Brushaloader attacks seem to be targeting computer users in Poland and Polish speakers. The Brushaloader Trojan's initial distribution targeted Poland. However, due to the high level of the attack and the way Brushaloader can evade detection and removal, it is likely that Brushaloader attacks will expand to additional targets beyond this specific country. The victims will become infected with Brushaloader mainly through corrupted PDF files and RAR archives, which will be typically delivered using some social engineering technique to trick the computer users into opening them. Once they have been delivered, they will use a damaged Visual Basic Script that connects to a Command and Control server and downloads and installs malware onto the victim's computer. Brushaloader would use an IP address that is coded into Brushaloader itself in most cases. Brushaloader runs an invisible version of the victim's Web browser to connect to its Command and Control servers and download malware. Brushaloader also will relay information about the infected computer to its Command and Control server. Brushaloader will report many aspects of the infected computer to its controller, which may include the following:

  • Available memory.
  • CPU model.
  • Currently active username.
  • Display adapter model.
  • IP address.
  • Installed AV product.
  • PowerShell version.
  • System installation date.
  • System model and manufacturer.
  • Windows version.

How Brushaloader Infects a Computer

Brushaloader executes commands using a manipulated executable file, although newer versions of Brushaloader use the Windows PowerShell to carry out their attack to leave fewer traces on the infected device. Malware researchers have noticed other progress in the Brushaloader's code since they first started studying it, including the fact that the file size of Brushaloader has shrunk, from 4 KB to 1 KB since it was first released. Brushaloader attacks are distributed through numerous URLs. Many of these URLs may be legitimate domains that have been compromised by criminals and hijacked to distribute malware. Some of these bURLs are hosted on legitimate file hosting services such as Dropbox. The following are some of the many URLs that have been linked to different instances of the Brushaloader attack:


The main way in which the Brushaloader attack begins is typically with a questionable email message containing a supposed voice or invoice in the form of a PDF or RAR file. This is the social engineering aspect of Brushaloader which, presently, targets computer users in Polish speaking regions.

Protecting Your Computer from Threats Like Brushaloader

The best way to prevent Brushaloader attacks is to be aware of common social engineering tactics, particularly those that are distributed via email and respond to them appropriately. It is imperative that computer users exercise caution when handling any unsolicited email messages containing embedded links or attached files particularly. Computer users should have a reliable security program that is fully up-to-date and capable of removing and intercepting these attacks to prevent Brushaloader and similar threats from being installed on their computers.


Most Viewed