CISA Updates BRICKSTORM Malware Report

A new variant makes it more versatile and harder to detect.


The Cybersecurity and Infrastructure Security Agency (CISA) released an update to its BRICKSTORM Backdoor Malware Analysis Report (MAR) developed with the National Security Agency and Canadian Centre for Cyber Security. The update includes analysis and detection signatures for a new BRICKSTORM variant that uses .NET Native Ahead-of-Time (AOT) compilation—making it more versatile and harder to detect.

Like previous BRICKSTORM samples, the variant has initiation and secure command and control capabilities that use multiple layers of encryption to hide its communications, but unlike other samples, it does not have built-in self-monitoring capabilities to enable persistence. This update delves into the variant's functionality and offers new YARA rules to support detection.

CISA urges all organizations who use VMware vSphere, especially those in the Government Services and Facilities and Information Technology sectors, to review the updated MAR and implement mitigation measures.

For those unfamiliar with the malware's background, BRICKSTORM is attributed to People's Republic of China (PRC) state-sponsored cyber actors, who use the strain for long-term, persistent attacks on targeted victims, primarily in the government and information technology sectors.

These groups have been observed targeting VMware vSphere platforms. Once a platform is compromised, the cyber actors can use their network access to steal cloned virtual machine (VM) snapshots for credential extraction and to create hidden, rogue VMs. The intrusions have also given the actors access to domain controllers and servers, from which they have exported cryptographic keys.
