BRICKSTORM Backdoor Wreaking Havoc on VMware Systems

Day 21 of 100 in the 100 Days of Cyber Challenge

Agencies from the U.S. (NSA, CISA) and the Canadian Centre for Cyber Security (CCCS) have released a malware analysis report providing indicators of compromise and detection signatures of the BRICKSTORM backdoor malware. The government and IT sectors are believed to be the main targets of the malware.

BRICKSTORM is a backdoor that runs in VMware and Windows environments and is attributed to attackers from the People's Republic of China (PRC). According to CrowdStrike, which refers to the attack group as WARP PANDA, BRICKSTORM shows a high degree of sophistication in its stealth and persistence.

It is written in Golang and impersonates various VMware processes. Reconnaissance and exfiltration are among its noted activities. In addition to compromising VMware environments, BRICKSTORM is also known for attacking cloud environments.

The best analogy I can come up with for those who may not be familiar with VMware is this: imagine you are using VirtualBox and have set up several snapshots, maybe a few Windows 11 and some Ubuntu VMs for example. Now imagine those snapshots getting compromised by a hacker and stolen, as well as some hidden snapshots being added to the environment unbeknownst to you. Pretty scary.

Some of the recommendations given by CrowdStrike include: identifying unauthorized VMs, seeking possible connections indicating command-and-control (C2) activity, and tightening down ESXi settings.
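One way to act on the first of those recommendations, identifying unauthorized VMs, is to reconcile what each ESXi host has registered against an approved inventory. The script below is an added example, not code from CISA or CrowdStrike; it assumes the host listing comes from `vim-cmd vmsvc/getallvms`, and both the sample listing and the approved inventory are constructed.

```python
import re
from collections import namedtuple

# Constructed sample of `vim-cmd vmsvc/getallvms` output from an ESXi host.
# Real output is whitespace-aligned, so columns are parsed with a regex.
SAMPLE_GETALLVMS = """\
Vmid   Name        File                              Guest OS               Version   Annotation
1      web01       [datastore1] web01/web01.vmx      ubuntu64Guest          vmx-19
2      dc01        [datastore1] dc01/dc01.vmx        windows2019srv_64Guest vmx-19
7      vmware-upd  [datastore2] .hidden/upd.vmx      other3xLinux64Guest    vmx-19
"""

# Constructed approved inventory: VM name -> datastore it is expected to live on.
APPROVED = {"web01": "datastore1", "dc01": "datastore1"}

Vm = namedtuple("Vm", "vmid name datastore path guest")

VM_LINE = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<name>.+?)\s+\[(?P<datastore>[^\]]+)\]\s+"
    r"(?P<path>\S+)\s+(?P<guest>\S+)\s+(?P<version>vmx-\d+)"
)

def parse_getallvms(text):
    """Parse getallvms output into Vm records; the header line does not match."""
    vms = []
    for line in text.splitlines():
        m = VM_LINE.match(line)
        if m:
            vms.append(Vm(int(m["vmid"]), m["name"], m["datastore"], m["path"], m["guest"]))
    return vms

def find_unauthorized(vms, approved):
    """Flag VMs missing from the approved inventory, VMs on an unexpected
    datastore, and VMs whose .vmx sits in a dot-prefixed (hidden) directory,
    a heuristic assumed here because legitimate deployments rarely do that."""
    findings = []
    for vm in vms:
        if vm.name not in approved:
            findings.append((vm.name, "not in approved inventory"))
        elif approved[vm.name] != vm.datastore:
            findings.append((vm.name, f"unexpected datastore {vm.datastore}"))
        if vm.path.startswith("."):
            findings.append((vm.name, f"vmx in hidden directory {vm.path}"))
    return findings

if __name__ == "__main__":
    for name, reason in find_unauthorized(parse_getallvms(SAMPLE_GETALLVMS), APPROVED):
        print(f"REVIEW {name}: {reason}")
```

Run it against the listing from every host; anything it reports should be matched to a change ticket or treated as a candidate for incident response.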

All the links below are recommended reading. They include detection and mitigation steps as well as in-depth technical analysis of BRICKSTORM.

Stay vigilant!

CISA document regarding BRICKSTORM

CISA analysis of BRICKSTORM, along with a download link for the relevant documents

CrowdStrike coverage
