
Google: BrickStorm Malware Stole U.S. Data for a Year

Summary

– Suspected Chinese hackers used Brickstorm malware in long-term espionage against U.S. technology and legal sector organizations.
– Brickstorm is a versatile Go-based backdoor that acts as a web server, file manipulation tool, and command execution tool.
– The attackers maintained access for an average of 393 days to silently steal data before detection.
– The malware is deployed on appliances such as VMware vCenter and ESXi hosts, which generally cannot run EDR agents, and relies on stolen credentials for lateral movement and persistence.
– The operation is attributed to UNC5221, which uses anti-forensics techniques and removes malware to hinder investigations.

A long-running cyber espionage campaign using the BrickStorm malware exfiltrated sensitive information from American organizations for more than a year before it was detected. According to Google's Threat Intelligence Group, the operation targeted organizations in the technology and legal sectors, along with SaaS providers and Business Process Outsourcers. The attackers, believed to operate from China, maintained access to victim networks for an average of 393 days and used the compromised entities as a springboard: access to source code and internal systems could feed zero-day exploit development, and access to providers could be turned against downstream customers with weaker defenses.

The activity has been attributed to the threat cluster UNC5221, a group known for exploiting Ivanti zero-day vulnerabilities. The BrickStorm backdoor, written in Go, is a multi-functional tool that acts as a web server, a file manipulation utility, and a dropper for further payloads. It also provides SOCKS proxy capabilities and executes shell commands, which makes it versatile for covert operations. It is typically deployed on appliances and edge devices, such as VMware vCenter and ESXi servers, that do not support Endpoint Detection and Response (EDR) agents, so the backdoor runs where defenders have the least visibility.

The initial access vector remains unclear, because the attackers make extensive use of anti-forensics techniques that hide their entry point. Researchers nevertheless strongly suspect exploitation of zero-day vulnerabilities in internet-facing systems. Once inside, the malware disguises its communication with command-and-control servers as legitimate traffic to services such as Cloudflare and Heroku. The attackers then escalate privileges, often by installing a malicious Java Servlet Filter known as Bricksteal to harvest credentials from vCenter environments. They have also been observed cloning Windows Server virtual machines, which lets them extract secrets from the copied disk without touching the running guest or leaving traces on it.

The primary goal of the BrickStorm operation is the systematic exfiltration of data, with a particular focus on email accessed through Microsoft Entra ID Enterprise Apps. Using its built-in SOCKS proxy, the malware tunnels into internal corporate systems and code repositories, showing a clear intent to target developers, administrators, and assets related to China's strategic economic and security interests. To stay hidden, the threat actors avoid reusing infrastructure: each operation employs unique C2 domains and malware samples. Once their objectives are complete, they remove the malware to complicate forensic investigations.

In response to this advanced threat, Mandiant has released a free scanner script to help organizations detect potential compromises. This tool replicates a YARA rule designed to identify BrickStorm on Linux and BSD appliances and includes additional rules for related malware like Bricksteal and Slaystyle. It is important to note that this scanner has limitations; it cannot guarantee the detection of all malware variants, does not search for persistence mechanisms, and will not alert administrators to vulnerable devices on their network.
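Because the scanner above only covers the specific indicators Mandiant published, a practitioner triaging an appliance that cannot run EDR usually wants a broader first pass as well. The following is an added example, not Mandiant's scanner and not a BrickStorm signature: it walks a directory tree and lists every ELF executable that carries the artefacts Go's linker leaves in its output (the build-info header magic and the `.gopclntab`, `.go.buildinfo` and `.note.go.buildid` section names), which survive even when the binary is stripped with `-ldflags="-s -w"`. It flags all Go-built binaries, legitimate ones included, so the output is a review list for an appliance where Go binaries are unexpected, not a verdict. The `make_sample_elf` fixture is constructed for the demo and is not a loadable binary.

```python
import os
import stat
import struct
import sys
import tempfile

ELF_MAGIC = b"\x7fELF"

# Artefacts the Go toolchain leaves in every ELF it links, including binaries
# built with -ldflags="-s -w": the build-info header magic, the runtime's
# pclntab section, and the build-id note section name.
GO_MARKERS = (
    b"\xff Go buildinf:",
    b".gopclntab",
    b".go.buildinfo",
    b".note.go.buildid",
)


def classify_bytes(data: bytes) -> str:
    """Return 'not-elf', 'elf', or 'go-elf' for the contents of a file."""
    if data[:4] != ELF_MAGIC:
        return "not-elf"
    return "go-elf" if any(marker in data for marker in GO_MARKERS) else "elf"


def scan_tree(root: str, max_size: int = 256 * 1024 * 1024):
    """Walk `root` and return [(path, size)] for regular files that look Go-built.

    Symlinks are not followed and oversized files are skipped, so the scan stays
    bounded on appliances with large data partitions.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or st.st_size > max_size:
                    continue
                with open(path, "rb") as fh:
                    if fh.read(4) != ELF_MAGIC:  # cheap pre-check before a full read
                        continue
                    fh.seek(0)
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            if classify_bytes(data) == "go-elf":
                hits.append((path, st.st_size))
    return hits


def make_sample_elf(go_markers: bool) -> bytes:
    """Constructed test fixture: a 64-byte ELF64 header plus a small payload.

    It is not a loadable binary; it only carries the bytes the heuristic checks.
    """
    header = struct.pack(
        "<16sHHIQQQIHHHHHH",
        b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8,  # ELFCLASS64, little-endian
        2, 0x3E, 1,                # ET_EXEC, x86-64, EV_CURRENT
        0, 0, 0,                   # e_entry, e_phoff, e_shoff
        0, 64, 56, 0, 64, 0, 0,    # e_flags, e_ehsize, e_phentsize, ...
    )
    payload = b".gopclntab\x00\xff Go buildinf:" if go_markers else b"plain native code"
    return header + payload


def demo_scan() -> list:
    """Write constructed samples into a temp dir, scan it, return hit basenames."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "go_sample": make_sample_elf(True),
            "native_sample": make_sample_elf(False),
            "notes.txt": b"# not a binary at all\n",
        }
        for name, blob in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        return sorted(os.path.basename(p) for p, _ in scan_tree(root))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, size in scan_tree(target):
        print(f"{size:>12}  {path}")
```

Run it against a mounted disk image of the appliance or on any host where a Python interpreter is available, then compare the list against the vendor's shipped binaries; a Go executable in a writable or temporary path on a vCenter or ESXi system deserves a closer look. Like the Mandiant scanner, this does not look at persistence mechanisms or network indicators, and a sample that has been packed or had its sections renamed will not match.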

(Source: Bleeping Computer)
