The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently disclosed technical details about a backdoor named BRICKSTORM, which is being utilized by threat actors sponsored by the People’s Republic of China (PRC) to maintain covert, long-term persistence within compromised systems. CISA described BRICKSTORM as a sophisticated implant designed to operate in VMware vSphere and Windows environments. This tool provides the attackers with persistent and stealthy access, facilitating initiation, survival on the system, and secure command-and-control capabilities, which is crucial for continued malicious operations.
The custom-made implant is developed using the Golang programming language and essentially equips the cyber threat actors with full interactive shell access on the victim system. Once deployed, the bad actors can perform various file operations, including browsing the directory structure, uploading, downloading, creating, deleting, and manipulating files. This level of access transforms a compromised system into a controllable staging ground for further activities, enabling deep infiltration and data exfiltration.
The malware has primarily been deployed in attacks targeting government and information technology (IT) sectors. For its command-and-control (C2) communication, it supports a variety of protocols such as HTTPS, WebSockets, and nested Transport Layer Security (TLS). A key feature is its use of DNS-over-HTTPS (DoH), which helps conceal C2 communications by making the traffic blend in with normal network activity. Additionally, BRICKSTORM can function as a SOCKS proxy, a feature that significantly aids the actors in performing lateral movement throughout the victim’s network.
BRICKSTORM was first publicly documented by Google Mandiant in 2024 after its discovery in attacks exploiting zero-day vulnerabilities in Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887). The use of the malware has been linked to two specific groups: the established cluster UNC5221 and a newer China-nexus adversary that CrowdStrike tracks as Warp Panda. Earlier activity, observed in September, indicated that these groups were targeting various U.S. sectors, including legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and other technology companies to deploy this malware.
A critical design feature, according to CISA, is the malware’s self-monitoring function. This capability allows BRICKSTORM to automatically reinstall or restart itself if its operation is interrupted or disrupted. This feature ensures its continued persistence and high operational availability, making it difficult for defenders to remove the malware entirely from the compromised environment. The entire pattern of activity represents an evolving tactical approach by Chinese hacking groups, which are increasingly focusing on breaching edge network devices to gain initial access to networks and cloud infrastructures.
Reference:
