
Google: Brickstorm malware used to steal U.S. orgs' data for over a year


Suspected Chinese hackers have used the Brickstorm malware in long-term persistence espionage operations against U.S. organizations in the technology and legal sectors.

Brickstorm is a Go-based backdoor documented by Google in April 2024 following China-linked intrusions that originated from various edge devices and remained undetected in the victim environment for more than a year, on average.

The malware served as a web server, file manipulation tool, dropper, SOCKS relay, and shell command execution tool.

According to Google Threat Intelligence Group (GTIG), the attackers used Brickstorm to silently siphon data from their victims’ networks for an average dwell time of 393 days before being detected.

The researchers confirmed compromised organizations in the legal and technology sectors, software-as-a-service (SaaS) providers, and also Business Process Outsourcers (BPOs).

Google notes that compromising such entities could help a threat actor develop zero-day exploits and extend the attack to downstream victims, especially those not protected by endpoint detection and response (EDR) solutions.

The researchers attributed these attacks to the UNC5221 activity cluster, notorious for exploiting Ivanti zero-days to attack government agencies with custom malware like Spawnant and Zipline.

Brickstorm activity

Due to the long dwell time on victim systems and UNC5221’s use of anti-forensics scripts to obscure the entry path, GTIG could not confidently determine the initial access vector, but the researchers believe exploitation of zero-days in edge devices is involved.

Brickstorm is deployed on appliances that don’t support EDR, including VMware vCenter/ESXi endpoints, where it establishes communication with the command and control (C2) server while disguising the exchange as Cloudflare, Heroku, and other legitimate traffic.
