Listen to this Post

Introduction:
The cybersecurity landscape has been shaken by Elastic Security Labs’ recent discovery of two sophisticated malware families, BRUSHWORM and BRUSHLOGGER, which leverage modern programming languages and stealthy persistence mechanisms to evade traditional defenses. These tools represent a significant evolution in adversary tradecraft, utilizing Rust for cross-platform resilience and implementing advanced logging and data exfiltration techniques that challenge conventional detection strategies. This article dissects the technical underpinnings of these threats, providing actionable insights for defenders to identify, analyze, and mitigate such advanced persistent threats (APTs) in their environments.
Learning Objectives:
- Understand the core functionality and operational differences between BRUSHWORM and BRUSHLOGGER.
- Identify key indicators of compromise (IoCs) and detection strategies using EDR, Sysmon, and network telemetry.
- Learn step-by-step methods to simulate, detect, and harden systems against Rust-based malware employing encrypted payloads and persistence.
You Should Know:
- Technical Deep-Dive: BRUSHWORM’s Lateral Movement and BRUSHLOGGER’s Keylogging Capabilities
BRUSHWORM is designed as a modular dropper and lateral movement tool, often deployed as a first-stage payload to establish a foothold and propagate across a network. It leverages the Rust programming language to compile to both Windows and Linux binaries, making it highly adaptable. BRUSHWORM’s primary function is to drop and execute secondary payloads, such as BRUSHLOGGER, which specializes in capturing keystrokes and clipboard data with high granularity. Unlike traditional keyloggers that rely on simple WinAPI hooks, BRUSHLOGGER employs event-driven logging via the `SetWindowsHookEx` function on Windows and `evdev` on Linux, capturing input even from virtualized environments. The communication between these tools is often encrypted using ChaCha20 or AES-256-GCM, with keys hardcoded or derived from system identifiers to frustrate static analysis.
To analyze BRUSHWORM’s behavior, a malware analyst can use dynamic analysis in a sandbox. Commands to monitor process creation on Windows include:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$_.Properties[bash].Value -like "brushworm"} | Format-List
On Linux, process monitoring can be performed with:
auditctl -a always,exit -F arch=b64 -S execve -k brushworm_monitor ausearch -k brushworm_monitor
- Persistence Mechanisms: WMI Event Subscriptions and Systemd Services
Both BRUSHWORM and BRUSHLOGGER employ stealthy persistence techniques that bypass traditional autorun checks. On Windows, BRUSHWORM creates WMI Event Subscriptions to execute its payload at system startup or upon user logon without writing to the Run registry key. This can be detected by querying active WMI filters:
Get-WMIObject -Namespace root\subscription -Class __EventFilter Get-WMIObject -Namespace root\subscription -Class CommandLineEventConsumer
On Linux, BRUSHLOGGER installs itself as a systemd service with a randomized name, often masquerading as a legitimate system daemon. To list suspicious services:
systemctl list-units --type=service --all | grep -E "(brush|worm|logger)" systemctl cat [suspicious-service-name]
Defenders should implement continuous monitoring of these persistence vectors using tools like Osquery or custom SIEM rules that alert on new WMI filters or systemd service creations.
3. Network Communication and C2 Infrastructure Analysis
The malware families utilize encrypted C2 channels over HTTPS with certificate pinning to prevent man-in-the-middle inspection. BRUSHWORM typically communicates via WebSocket connections to cloud-hosted infrastructure, often using services like Cloudflare to mask the origin. Network traffic analysis should focus on anomalous outbound connections to domains with high entropy or newly registered. To simulate detection, security teams can use `tshark` to capture and filter traffic:
tshark -i eth0 -Y "tls.handshake.extensions_server_name and ip.dst != <trusted_ips>" -T fields -e tls.handshake.extensions_server_name
For Windows environments, PowerShell can be used to enumerate active network connections:
Get-NetTCPConnection | Where-Object {$<em>.State -eq 'Established' -and $</em>.RemotePort -eq 443} | Select-Object LocalAddress, RemoteAddress, OwningProcess
Investigating these connections often reveals processes with mismatched hashes or unsigned binaries.
- Evasion Techniques: Rust’s Memory Safety and Anti-Analysis Checks
One of the most notable aspects of BRUSHWORM is its use of Rust, which inherently reduces memory corruption vulnerabilities but complicates signature-based detection due to the unique binary structures generated by the Rust compiler. The malware also employs anti-analysis checks, including debugger detection via `IsDebuggerPresent` and `NtQueryInformationProcess` on Windows, and `ptrace` checks on Linux. To bypass these during analysis, use a kernel-mode debugger or modify the binary’s control flow. For instance, to disable `ptrace` checks in a Linux sandbox:
echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
On Windows, using a tool like x64dbg with the ScyllaHide plugin can evade user-mode anti-debugging techniques. Analysts should also be aware that Rust binaries often have large sections of obfuscated strings, requiring dynamic unpacking to reveal IoCs.
5. Detection Engineering: Sigma Rules and YARA Signatures
Creating effective detection rules for Rust-based malware requires focusing on unique API call sequences and behavioral patterns rather than static strings. A Sigma rule for detecting BRUSHLOGGER’s keylogging activity might target the combination of `SetWindowsHookEx` and `GetAsyncKeyState` in the same process tree. An example YARA rule snippet to detect common Rust runtime artifacts includes:
rule Rust_Malware_Strings {
meta:
description = "Detects common Rust runtime strings in malware"
strings:
$rust_panic = "panicked at"
$rust_alloc = "alloc::"
$rust_core = "core::"
condition:
any of them
}
Additionally, EDR solutions should be configured to alert on processes that load `win32u.dll` and `user32.dll` unexpectedly, as keyloggers often require these.
- Mitigation and Hardening: Application Control and Privilege Management
Preventing initial execution of BRUSHWORM often relies on robust application whitelisting. On Windows, AppLocker or Windows Defender Application Control (WDAC) can be configured to block unsigned binaries from running in user directories. A PowerShell command to generate a WDAC policy blocking execution from `%APPDATA%` is:
New-CIPolicy -Level Publisher -FilePath C:\WDAC\Policy.xml ConvertFrom-CIPolicy -XmlFilePath C:\WDAC\Policy.xml -BinaryFilePath C:\WDAC\Policy.bin
On Linux, using `apparmor` or `selinux` to confine processes and restrict execution from `~/` directories can contain the threat. Additionally, enforcing least privilege by removing local admin rights limits the malware’s ability to install persistence and escalate privileges.
7. Incident Response: Containment and Remediation Steps
If BRUSHWORM or BRUSHLOGGER is detected, immediate containment involves isolating affected hosts from the network. On Windows, using `netsh` to block outbound traffic from the compromised process:
netsh advfirewall firewall add rule name="Block_Malware" dir=out action=block program="C:\path\to\malware.exe"
For Linux, `iptables` can be used:
iptables -A OUTPUT -m owner --uid-owner <malware_uid> -j DROP
Post-containment, collect forensic artifacts including memory dumps using `winpmem` on Windows or `lime` on Linux. Network logs should be reviewed to identify other potentially compromised hosts, and all persistence mechanisms must be removed manually or via automated response playbooks.
What Undercode Say:
- The adoption of Rust by threat actors marks a paradigm shift, demanding that defenders update their analysis toolchains to handle non-traditional binary structures.
- WMI and systemd persistence mechanisms continue to be under-monitored in many organizations, representing a critical detection gap.
- Behavioral detection, rather than static signatures, is essential for identifying these advanced threats, emphasizing the need for robust EDR and SIEM correlation.
Prediction:
The discovery of BRUSHWORM and BRUSHLOGGER signals a broader trend where malware authors will increasingly leverage modern, memory-safe languages to complicate reverse engineering and evade legacy security controls. As Rust-based malware becomes more prevalent, we can expect to see an arms race in detection methodologies, with security vendors developing specialized parsers for Rust binaries and defenders investing more heavily in behavioral analytics and deception technologies to catch these threats in their early stages. Organizations that fail to adapt their detection and response strategies to this new class of threats will face significant exposure to stealthy, long-term compromises.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Jamie Williams – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


