Introduction

BRICKSTORM [1] [2] [3] [4] [5] [7] [8] [9] [10] [11] is a cyber espionage backdoor attributed to the China-aligned threat group UNC5221 that has been used against European strategic industries since at least late 2022. It now exists for both Windows and Linux. The earliest samples were found on Linux vCenter servers [6]; the family has since expanded to Windows executables with stronger detection evasion and covert management capabilities [6], built for long-term access and industrial espionage.

Description

BRICKSTORM [3], linked to the China-aligned threat group UNC5221 [5] [10], has been deployed against European strategic industries on both Windows and Linux since at least late 2022. Its move from Linux vCenter servers to Windows executables with improved detection evasion and covert management capabilities is a notable shift in how the malware is deployed. BRICKSTORM is built for long-term infiltration [8], letting operators stay resident and unnoticed while stealing industrial secrets. Its capabilities include file theft and full remote access to the compromised environment [4].

The Windows variants of BRICKSTORM [1] [8] [9], written in Go [1] [6] [9] [10], ship no command-execution function. Instead of spawning a shell, the operator works through a traffic tunneling module, so the backdoor never creates the parent-child process relationships that endpoint detection normally keys on. The variants expose a JSON-based HTTP API for file management, letting the operator browse the file system [1], create or delete files and directories, and upload, download [6] [8], and modify files [8]. The tunneling module supports TCP [6] [8] [11], UDP [6] [8] [9] [10] [11], and ICMP [6] [9], giving the operator a path deeper into the victim's infrastructure [6]. Earlier samples resolved their command-and-control domain with DNS queries carried in HTTPS POST requests to public resolvers such as Quad9 and Cloudflare; more recent samples add hardcoded C2 IP addresses, so the backdoor keeps working in environments that block DNS-over-HTTPS (DoH).

BRICKSTORM's command-and-control (C2) design resolves its domains over DNS over HTTPS (DoH) [10], which sidesteps conventional DNS monitoring because the lookup never reaches the enterprise resolver [10]. Communications are wrapped in nested TLS: even where the outer layer is inspected [8], the innermost TLS-encrypted traffic remains opaque [8]. The three-layered tunnel is HTTPS to a reverse proxy, a nested TLS session inside a WebSocket [10], and a third TLS session in which commands are issued [10]. A TLS-inspecting proxy that terminates the outer session therefore sees only a WebSocket carrying a further TLS handshake, not the commands. Yamux multiplexing runs multiple C2 sessions over that single tunnel [10], so file transfers and tunneling operations can be managed in parallel [10]. Analysts have observed the IP addresses of BRICKSTORM's intermediate infrastructure leaking during operations [6], including hosts on Vultr sitting behind the cloud frontends.
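The DoH lookups described above are ordinary HTTPS POST requests whose body is a DNS message in RFC 1035 wire format (RFC 8484, content type application/dns-message). The following added example, which is not BRICKSTORM code or any vendor's tooling, shows what a TLS-inspecting proxy can still recover from such traffic: it builds a query body, parses the queried name back out of proxy log records, and decodes A-record answers. The log records, the hostname update.example.invalid and the IP 192.0.2.1 are constructed for illustration; only the resolver hostnames are real public DoH endpoints. The caveat the text implies holds here too: without TLS inspection none of this is visible, and the newer hardcoded-IP samples make no lookup at all.

```python
"""Decode DNS questions and answers carried in DoH POST bodies (RFC 8484).

Added example for illustration; not BRICKSTORM code or vendor tooling.
Log records, the queried hostname and the answer IP are constructed.
"""
import base64
import json
import struct

# Public DoH endpoints named in the report; extend with any resolver your proxy logs show.
DOH_RESOLVERS = {"dns.quad9.net", "cloudflare-dns.com", "1.1.1.1"}


def build_dns_query(qname, qtype=1, txid=0):
    """RFC 1035 query: 12-byte header + QNAME labels + QTYPE/QCLASS (RFC 8484 suggests ID 0)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only; QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack(">HH", qtype, 1)


def build_dns_response(qname, ipv4, txid=0):
    """Constructed response: echoes the question, then one A record using a compression pointer."""
    question = build_dns_query(qname, 1, txid)[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR+RD+RA, QDCOUNT=1, ANCOUNT=1
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, len(rdata)) + rdata  # name ptr -> offset 12
    return header + question + rr


def read_name(msg, offset):
    """Read a possibly compressed name (RFC 1035 s4.1.4); return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns_message(msg):
    """Return ([(qname, qtype), ...], [ipv4 answer, ...]) from a wire-format DNS message."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack(">HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        _name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append(".".join(str(b) for b in rdata))
    return questions, answers


def doh_queries(log_lines):
    """From JSON proxy records, return (resolver, qname, qtype) for every DoH POST body."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("host") not in DOH_RESOLVERS:
            continue
        if rec.get("content_type") != "application/dns-message":
            continue
        questions, _ = parse_dns_message(base64.b64decode(rec["body_b64"]))
        hits.extend((rec["host"], name, qtype) for name, qtype in questions)
    return hits


# Constructed proxy records: one DoH lookup via Quad9, one unrelated JSON POST.
SAMPLE_LOG = [
    json.dumps({"ts": "2025-03-10T10:00:00Z", "src": "10.0.0.5", "method": "POST",
                "host": "dns.quad9.net", "path": "/dns-query",
                "content_type": "application/dns-message",
                "body_b64": base64.b64encode(build_dns_query("update.example.invalid")).decode()}),
    json.dumps({"ts": "2025-03-10T10:00:01Z", "src": "10.0.0.5", "method": "POST",
                "host": "api.example.com", "path": "/v1/items",
                "content_type": "application/json",
                "body_b64": base64.b64encode(b'{"ok": true}').decode()}),
]

if __name__ == "__main__":
    for resolver, name, qtype in doh_queries(SAMPLE_LOG):
        print(f"DoH lookup via {resolver}: {name} (qtype {qtype})")
```

Pair the decoded names with the resolver's responses (parse_dns_message on the reply body) and you recover the C2 domain and the Cloudflare or Heroku address it maps to, which is exactly the data a DNS-based detection would otherwise have seen.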

For persistence [8], BRICKSTORM installs scheduled tasks, and its operators rotate C2 IP addresses, which defeats controls such as DNS monitoring and geo-blocking [3]. Observed C2 configurations predominantly point at legitimate cloud services, including serverless providers such as Cloudflare and Heroku [3]; because those providers' IP addresses are shared by many tenants, the malicious infrastructure is hard to single out from the address alone [3]. The C2 domains are also served under Cloudflare's shared wildcard certificates, so certificate transparency logs offer little for defenders to pivot on [8].

The Windows backdoor executables can be detected with YARA rules that match specific strings and conditions in the binaries. Suricata rules can alert on traffic to the domains associated with BRICKSTORM's command-and-control servers [2]. KQL hunting queries can surface rare, long-running unsigned processes and processes that connect to Cloudflare IP ranges. Two caveats apply: domain-based network rules depend on seeing the name somewhere (for instance in the TLS handshake to the cloud frontend or in decrypted DoH traffic), since the lookup never crosses the enterprise DNS resolver, and the newer samples with hardcoded IP addresses resolve no domain at all, which leaves the process-based hunts as the more durable signal.
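The process-based hunt in the previous paragraph, written as an added example in Python so it runs offline over constructed endpoint telemetry; it is not NVISO's KQL and not any BRICKSTORM artifact. It combines the three conditions the report names: the process image is unsigned, it has been running for a long time, and the same binary is rare across the fleet, and then requires at least one connection from that process to a Cloudflare prefix. The host names, paths, hashes and timestamps are constructed; the prefixes are a subset of Cloudflare's published IPv4 ranges at the time of writing and should be refreshed from cloudflare.com/ips before use.

```python
"""Hunt for rare, long-running, unsigned processes that talk to Cloudflare ranges.

Added example; not NVISO's KQL hunt and not a BRICKSTORM artifact.
Telemetry records are constructed. Prefixes: subset of Cloudflare's published
IPv4 ranges at the time of writing (refresh from https://www.cloudflare.com/ips/).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
    "141.101.64.0/18", "108.162.192.0/18", "198.41.128.0/17", "162.158.0.0/15",
)]


def is_cloudflare(ip):
    """True if the destination falls inside one of the listed Cloudflare prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def hunt(process_events, network_events, now, min_runtime=timedelta(hours=24), max_hosts=2):
    """Return (host, pid, image) for processes that are unsigned, have run at least
    min_runtime, whose image hash is seen on at most max_hosts hosts, and which have
    at least one connection to a Cloudflare prefix. Tune max_hosts to fleet size."""
    hosts_per_hash = defaultdict(set)
    for p in process_events:
        hosts_per_hash[p["sha256"]].add(p["host"])
    cf_talkers = {(n["host"], n["pid"]) for n in network_events if is_cloudflare(n["dst_ip"])}

    findings = []
    for p in process_events:
        if p["signed"]:
            continue
        if now - datetime.fromisoformat(p["start"]) < min_runtime:
            continue
        if len(hosts_per_hash[p["sha256"]]) > max_hosts:
            continue
        if (p["host"], p["pid"]) not in cf_talkers:
            continue
        findings.append((p["host"], p["pid"], p["image"]))
    return findings


# Constructed telemetry. Only ws-01 meets all conditions: chrome is signed and common,
# ws-04's tool is unsigned but only minutes old, ws-05's agent never reaches Cloudflare.
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)
PROCESSES = [
    {"host": "ws-01", "pid": 4120, "image": r"C:\ProgramData\Oracle\svchost.exe",
     "sha256": "aaaa", "signed": False, "start": "2025-03-05T08:00:00+00:00"},
    {"host": "ws-02", "pid": 880, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "sha256": "bbbb", "signed": True, "start": "2025-03-01T09:00:00+00:00"},
    {"host": "ws-03", "pid": 912, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "sha256": "bbbb", "signed": True, "start": "2025-03-02T09:00:00+00:00"},
    {"host": "ws-04", "pid": 2210, "image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "sha256": "cccc", "signed": False, "start": "2025-03-10T11:30:00+00:00"},
    {"host": "ws-05", "pid": 3000, "image": r"C:\tools\agent.exe",
     "sha256": "dddd", "signed": False, "start": "2025-03-01T07:00:00+00:00"},
]
NETWORK = [
    {"host": "ws-01", "pid": 4120, "dst_ip": "104.18.32.7", "dst_port": 443},
    {"host": "ws-02", "pid": 880, "dst_ip": "172.67.10.10", "dst_port": 443},
    {"host": "ws-04", "pid": 2210, "dst_ip": "104.16.5.5", "dst_port": 443},
    {"host": "ws-05", "pid": 3000, "dst_ip": "203.0.113.9", "dst_port": 443},
]

if __name__ == "__main__":
    for host, pid, image in hunt(PROCESSES, NETWORK, NOW):
        print(f"{host} pid {pid}: {image}")
```

The prevalence filter is what keeps this query quiet on a real fleet: signed, widely deployed software that fronts through Cloudflare is common, a one-off unsigned binary that has been up for days and only speaks to Cloudflare is not.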

Despite its relatively basic feature set [3], BRICKSTORM has proven effective and is built to stay undetected for long periods. Organizations should monitor for the artifacts associated with BRICKSTORM intrusions and layer their defenses to counter its evasion tactics [8]. Continuous monitoring of network appliances and of traffic to serverless cloud platforms is essential [8], since BRICKSTORM relies on both for long-term intrusion [8]. The shift in tactics means industries at risk need to strengthen their security posture and audit regularly for unusual activity [3], particularly because the repeated nesting of encryption around its network communications defeats inspection of any single layer. Collaborative defense and real-time intelligence sharing remain critical against threats of this kind [8].

Conclusion

BRICKSTORM is a significant threat to European strategic industries because of its evasion techniques and its design for long-term infiltration. Its expansion to Windows and its layered command-and-control design underline the need for robust defenses. Organizations should prioritize monitoring and detection, including YARA and Suricata rules and process-level hunting, to identify and contain BRICKSTORM intrusions. The malware's continued adaptation makes sustained vigilance, collaborative defense [8], and real-time intelligence sharing essential.

References

[1] https://www.techzine.eu/news/security/130580/belgian-security-experts-find-chinese-espionage-malware-on-windows/
[2] https://www.hendryadrian.com/brickstorm-backdoor-evolves-to-target-windows-in-espionage-campaigns-against-european-sectors/
[3] https://www.infosecurity-magazine.com/news/china-hackers-brickstorm-backdoor/
[4] https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor
[5] https://blackboxsecurity.org/news/chinese-hackers-deploy-new-brickstorm-malware-targeting-both-windows-and-linux-systems/
[6] https://www.altusintel.com/public-yychr7/
[7] https://www.techzine.nl/nieuws/security/564172/belgische-securityexperts-vinden-chinese-spionagemalware-op-windows/
[8] https://gbhackers.com/chinese-hackers-unleash-new-brickstorm-malware/
[9] https://www.security.land/brickstorm-malware-evolves-deploying-triple-layer-encryption-to-bypass-enterprise-security/
[10] https://securityonline.info/brickstorm-backdoor-targets-european-industries/
[11] https://cyberpress.org/chinese-hackers-deploy-brickstorm-malware/