Google Cloud Blog
Follow
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
Google Threat Intelligence Group is tracking extensive BRICKSTORM malware activity, used by suspected China-nexus threat clusters to maintain stealthy, long-term access to US organizations. These intrusions primarily target legal services, SaaS providers, BPOs, and technology companies, with a focus on network appliances. The attackers exploit zero-day vulnerabilities and deploy the Go-written BRICKSTORM backdoor, designed to bypass traditional EDR tools. This malware allows for inconspicuous lateral movement and data exfiltration, contributing to an average victim dwell time of 393 days. The threat actor lifecycle involves initial access through compromised perimeter infrastructure, followed by establishing a foothold by deploying BRICKSTORM on appliances, particularly VMware vCenter and ESXi hosts. They escalate privileges by installing malicious components like BRICKSTEAL, which can capture credentials, enabling them to clone critical virtual machines for data extraction. Lateral movement is achieved using legitimate credentials, often facilitated by enabling SSH on targeted appliances. Persistence is maintained by modifying startup scripts to ensure BRICKSTORM automatically launches on reboot. Their mission completion often involves accessing individual email mailboxes via Microsoft Entra ID Enterprise Applications and exfiltrating data using BRICKSTORM's SOCKS proxy functionality.