Google’s Threat Intelligence Group (GTIG) and Mandiant have published an analysis of the BRICKSTORM backdoor, an espionage malware they attribute to the China-linked advanced persistent threat (APT) actor tracked as UNC5221.
Written in Go and active since March this year, BRICKSTORM gives the attackers an extremely long dwell time in victim networks, 393 days on average, GTIG and Mandiant wrote.
Dwell times of that length exceed the log retention of most organisations, so evidence of the initial compromise has often been rotated out before the intrusion is discovered. In some cases the malware was configured with a delay timer that kept it dormant for months before it activated and connected to its command and control (C2) server.
With BRICKSTORM, the attackers deliberately target network and infrastructure appliances such as firewalls, virtual private network (VPN) concentrators and virtualisation platforms such as VMware vCenter.
On vCenter servers they also install web shells and additional malware to extend their access into the virtualised environment.
This includes BRICKSTEAL, a Java Servlet filter that targets vCenter authentication, and the SLAYSTYLE Java Server Pages (JSP) web shell, the researchers said.
“These intrusions are conducted with a particular focus on maintaining long-term stealthy access by deploying backdoors on appliances that do not support traditional endpoint detection and response (EDR) tools,” Google’s researchers said.
Detection is made harder by obfuscation, by single-use C2 domains that limit the value of shared indicators, and by traffic that blends in with the appliances’ normal workflows.
Legal services, business process outsourcers (BPOs) and software-as-a-service (SaaS) providers are some of BRICKSTORM’s targets, the researchers said.
The objectives are geopolitical espionage, access operations and theft of intellectual property to enable exploit development, with data exfiltration as the main activity. BRICKSTORM acts as a SOCKS (Socket Secure) proxy on the compromised appliance, so the attackers can tunnel traffic into the internal network through a device that already sits inside the perimeter, bypassing firewalls and other access restrictions.
Sensitive administrator mailboxes have been exfiltrated through these SOCKS proxies on BRICKSTORM-compromised systems.
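To make the tunnelling described above concrete, the following is an added example, not code from the article and not part of Mandiant's scanner. It decodes the client half of a SOCKS5 session (the greeting and the CONNECT request defined in RFC 1928) and flags a CONNECT whose destination is an RFC 1918 address, which is what a pivot through a perimeter appliance looks like on the wire. Two assumptions are mine: that the proxy speaks standard SOCKS5 (the article says only "SOCKS"), and the byte strings in `CONSTRUCTED_SESSIONS` are built by hand with `build_session`, not captured traffic.

```python
"""
Decoder for the client side of a SOCKS5 session (RFC 1928), used to show what a
pivot through an appliance-hosted SOCKS proxy looks like on the wire and how a
defender can flag it.

Added example: not code from the article or from Mandiant's scanner.
Assumptions (not stated on the page): the proxy speaks standard SOCKS5, and the
sessions in CONSTRUCTED_SESSIONS are hand-built, not captured traffic.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

# RFC 1918 ranges: a CONNECT into these through a perimeter device means the
# device is being used as a bridge into the internal network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_greeting(data: bytes):
    """Client method selection: VER | NMETHODS | METHODS. Returns (methods, rest)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    n = data[1]
    if len(data) < 2 + n:
        raise ValueError("truncated greeting")
    return list(data[2:2 + n]), data[2 + n:]


def parse_request(data: bytes):
    """Client request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT. Returns (req, rest)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp, off = data[1], data[3], 4
    if atyp in (ATYP_IPV4, ATYP_IPV6):
        size = 4 if atyp == ATYP_IPV4 else 16
        if len(data) < off + size:
            raise ValueError("truncated address")
        host = str(ipaddress.ip_address(data[off:off + size]))
        off += size
    elif atyp == ATYP_DOMAIN:
        n = data[off]
        if len(data) < off + 1 + n:
            raise ValueError("truncated domain name")
        host = data[off + 1:off + 1 + n].decode("ascii")
        off += 1 + n
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(data) < off + 2:
        raise ValueError("truncated port")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return {"cmd": COMMANDS.get(cmd, f"cmd{cmd}"), "host": host, "port": port}, data[off + 2:]


def is_internal(host: str) -> bool:
    """True for RFC 1918 addresses. Hostnames cannot be classified without resolving them."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def analyse_session(client_bytes: bytes) -> dict:
    """Decode the client-to-proxy half of one session (greeting, then request) and
    flag a CONNECT into internal address space as a pivot through the appliance."""
    methods, rest = parse_greeting(client_bytes)
    req, _ = parse_request(rest)
    req["auth_methods"] = methods
    req["internal_pivot"] = req["cmd"] == "CONNECT" and is_internal(req["host"])
    return req


def build_session(host: str, port: int) -> bytes:
    """Build the client bytes for a no-auth greeting followed by a CONNECT request."""
    greeting = bytes([SOCKS_VERSION, 1, 0])          # one method offered: 0x00 = no auth
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:                               # not an IP literal: send as a name
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return greeting + bytes([SOCKS_VERSION, 1, 0]) + addr + struct.pack("!H", port)


# Constructed samples (not real traffic): the client half of three sessions.
CONSTRUCTED_SESSIONS = {
    "pivot_to_mail": build_session("10.0.0.25", 993),     # IMAPS on an internal mail host
    "external": build_session("203.0.113.5", 443),        # TEST-NET-3, outside RFC 1918
    "by_name": build_session("mail.corp.internal", 443),  # name target, needs resolution
}

if __name__ == "__main__":
    for name, stream in CONSTRUCTED_SESSIONS.items():
        print(name, analyse_session(stream))
```

Because the appliances in question cannot run EDR, the network is the practical vantage point: running a decoder like this over the client-side bytes of flows that terminate on an appliance port no vendor service should own turns an opaque tunnel into a list of internal destinations, and a CONNECT from a perimeter device into RFC 1918 space towards a mail server port is exactly the mailbox collection the researchers describe. Name-based targets are reported but not classified here, since deciding whether `mail.corp.internal` is internal requires resolving it.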
UNC5221 could be the same group as, or connected to, the actor Microsoft tracks as Silk Typhoon (formerly Hafnium), which has targeted supply chains in past attacks.
However, Google and Mandiant also theorised that BRICKSTORM could be the work of a different APT, based on its targeting patterns.
Mandiant has also published a BRICKSTORM scanner, a Bash script hosted on GitHub, that runs on Linux- and BSD-based appliances and systems.