BRICKSTORM cyberespionage malware detected within network infrastructure
Google’s Threat Intelligence Group (GTIG) and Mandiant have released an analysis of the BRICKSTORM backdoor espionage malware, attributing it to the China-linked UNC5221 advanced persistent threat (APT) actors. Written in Go and active since March 2023, BRICKSTORM exhibits an exceptionally long dwell time in victim networks, averaging 393 days. That duration exceeds the logging periods typically relied on for breach detection, and some samples also carry a delay timer that can postpone the malware's activation and first connection to its command and control (C2) server for months. The attackers specifically target network appliances, including firewalls, virtual private network concentrators, and virtualisation platforms such as VMware vCenter. They also deploy additional malware, such as the BRICKSTEAL Java Servlet filter and SLAYSTYLE Java Server Pages (JSP) web shells, to maintain stealthy access to virtualised environments.
The primary objective of BRICKSTORM is data exfiltration, utilising the SOCKS (Socket Secure) network protocol to bypass firewalls and access restrictions. This malware is particularly challenging to detect due to its use of obfuscation, single-use C2 domains, and integration with appliance workflows. Legal services, business process outsourcers (BPOs), and software-as-a-service (SaaS) providers are among the targeted sectors. While the UNC5221 APT may be linked to previous groups like Silk Typhoon or Hafnium, GTIG and Mandiant suggest that BRICKSTORM could represent a distinct APT based on its targeting patterns. To aid in detection, Mandiant has made a BRICKSTORM scanning Bash script available on GitHub, designed for Linux and BSD-based appliances and systems.
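The report's detection obstacles (single-use C2 domains, appliance hosts that normally talk to a small fixed set of destinations, and a beacon that may not appear until months after compromise) suggest one simple hunting heuristic: look for domains that an appliance resolved only once over a long observation window and that are not among the destinations it is expected to use. The script below is an added illustration of that heuristic; it is not the Mandiant scanner, nor any GTIG/Mandiant code. The appliance IPs, the allowlisted suffixes and the resolver log lines are all constructed for the example, and the log format is assumed, not taken from any real resolver.

```python
"""Hunt for single-use domains resolved by network appliances (constructed example).

Idea: an appliance such as a vCenter server or edge firewall should resolve a
small, repeating set of names. A name it looked up exactly once, long after the
host first appeared in the logs, and outside its expected destinations, is worth
an analyst's attention. This is a triage heuristic, not an indicator of
compromise on its own.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: internal IPs that are network appliances, mapped to hostnames.
APPLIANCE_HOSTS = {
    "10.0.5.10": "vcenter-01",
    "10.0.5.20": "fw-edge-01",
}

# Constructed allowlist of suffixes these appliances are expected to resolve.
EXPECTED_SUFFIXES = (".vmware.com", ".internal.example", ".ntp.org")

# Constructed resolver log. Assumed format: "<ISO-8601 UTC timestamp> <client ip> <qname>".
SAMPLE_DNS_LOG = """\
2024-03-01T02:14:07Z 10.0.5.10 vapp-updates.vmware.com
2024-03-01T02:14:07Z 10.0.5.20 pool.ntp.org
2024-03-02T02:14:09Z 10.0.5.10 vapp-updates.vmware.com
2024-03-02T02:14:10Z 10.0.5.20 pool.ntp.org
2024-03-02T09:30:00Z 10.0.9.44 docs.example.org
2024-03-02T09:31:00Z 10.0.9.44 cdn.example.org
2024-03-03T02:14:08Z 10.0.5.10 vapp-updates.vmware.com
2024-06-12T03:41:55Z 10.0.5.10 upd-7f3a.example.net
2024-06-12T03:41:56Z 10.0.5.20 pool.ntp.org
"""


def parse_line(line):
    """Parse one log line into (timestamp, client_ip, qname); None for malformed/blank lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, parts[1], parts[2].lower().rstrip(".")


def is_expected(qname):
    """True if the name falls under a suffix the appliances are allowed to resolve."""
    return qname.endswith(EXPECTED_SUFFIXES)


def find_single_use_appliance_domains(log_text, max_queries=1):
    """Return findings for names an appliance resolved at most `max_queries` times
    across the whole window and that are not covered by the allowlist.

    Each finding records how many days after the host's first log entry the
    lookup occurred, which surfaces long-delayed first beacons.
    """
    per_domain = defaultdict(list)  # qname -> [(timestamp, client_ip)]
    first_seen_host = {}            # client_ip -> earliest timestamp for that appliance
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, qname = rec
        if ip not in APPLIANCE_HOSTS:
            continue  # workstations are out of scope for this appliance-focused heuristic
        first_seen_host[ip] = min(ts, first_seen_host.get(ip, ts))
        per_domain[qname].append((ts, ip))

    findings = []
    for qname, hits in per_domain.items():
        if len(hits) > max_queries or is_expected(qname):
            continue
        ts, ip = hits[0]
        findings.append({
            "host": APPLIANCE_HOSTS[ip],
            "domain": qname,
            "timestamp": ts.isoformat(),
            "days_after_first_seen": (ts - first_seen_host[ip]).days,
        })
    findings.sort(key=lambda f: f["timestamp"])
    return findings


if __name__ == "__main__":
    for f in find_single_use_appliance_domains(SAMPLE_DNS_LOG):
        print(f"{f['timestamp']} {f['host']} resolved {f['domain']} once, "
              f"{f['days_after_first_seen']} days after first appearing in the log")
```

On the constructed log the only hit is vcenter-01 resolving a never-repeated name 103 days into the window, while the workstation's one-off lookups are ignored and the appliances' routine update and NTP names are filtered by the allowlist. In practice the window has to be long (months, matching the dwell times described above) for a single-use domain to stand out, which is exactly the retention problem the report points to.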