Google Warns of Brickstorm Backdoor Targeting U.S. Legal and Tech Sectors
Google's Threat Intelligence Group (GTIG) has issued a warning about the Brickstorm backdoor, Go-based malware that has been used to spy on U.S. technology and legal firms for more than a year.
The Brickstorm backdoor was first detailed by Google in April 2024 and has since been used in multiple attacks that remained undetected for an average of more than a year. The malware targets legal firms, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and technology companies.
Mandiant has linked the activity to China-nexus APT UNC5221, a group known for exploiting zero-days for espionage and broader access. The Brickstorm backdoor can act as a web server, manipulate the file system, upload/download files, execute shell commands, and perform SOCKS proxy relaying.
The malware relies on WebSockets for C2 communications and has been observed to use stealth tactics such as delayed beaconing, mimicking legitimate processes, and rotating C2 domains via Cloudflare, Heroku, and dynamic DNS. The researchers warn that the backdoor shows active development and obfuscation.
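As an added detection example (not code from Google, Mandiant, or the report), the heuristic below runs over a few constructed proxy log lines and flags the C2 traits described above: WebSocket upgrades from one internal host to a dynamic-DNS or PaaS-hosted destination, repeated at long, regular intervals. The log format, the domain-suffix list and the interval thresholds are assumptions an analyst would replace with their own.

```python
"""Constructed example: flag slow, regular WebSocket beaconing to suspect domains.
Log format, suffix list and thresholds are assumptions, not report content."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines: "<ISO time> <src> <dst host> <status> <Upgrade header>"
SAMPLE_LOG = """\
2025-01-10T02:00:00Z 10.0.5.21 cdn-sync.example-dyndns.net 101 websocket
2025-01-10T02:00:03Z 10.0.5.21 www.example.com 200 -
2025-01-10T08:00:11Z 10.0.5.21 cdn-sync.example-dyndns.net 101 websocket
2025-01-10T14:00:05Z 10.0.5.21 cdn-sync.example-dyndns.net 101 websocket
2025-01-10T20:00:09Z 10.0.5.21 cdn-sync.example-dyndns.net 101 websocket
2025-01-10T09:15:00Z 10.0.7.8 chat.example.org 101 websocket
2025-01-10T09:15:20Z 10.0.7.8 chat.example.org 101 websocket
"""

# Placeholder suffixes standing in for the dynamic-DNS / PaaS lists an analyst maintains.
SUSPECT_SUFFIXES = (".example-dyndns.net", ".herokuapp.example", ".workers.example")


def parse(log):
    """Yield (timestamp, src, dst, status, upgrade) tuples from the constructed format."""
    for line in log.splitlines():
        ts, src, dst, status, upgrade = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(status), upgrade


def find_beacons(log, min_interval_s=3600, min_hits=3, jitter=0.2):
    """Return (src, dst, median_gap_s) for WebSocket sessions (HTTP 101) to suspect
    domains whose connection gaps are long and regular, i.e. delayed beaconing."""
    sessions = defaultdict(list)
    for ts, src, dst, status, upgrade in parse(log):
        if status == 101 and upgrade.lower() == "websocket" and dst.endswith(SUSPECT_SUFFIXES):
            sessions[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in sessions.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        # Regular: every gap lies within +/- jitter of the median gap.
        regular = all(abs(g - med) <= jitter * med for g in gaps)
        if med >= min_interval_s and regular:
            findings.append((src, dst, med))
    return findings


if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

The short-interval WebSocket chatter from 10.0.7.8 is deliberately left unflagged: it is neither to a suspect suffix nor slow enough to match the beaconing pattern.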
Attack Vector and Persistence
The attackers have been exploiting perimeter and remote-access systems, in some cases through zero-day vulnerabilities. Evidence suggests they focus on stealing high-privilege credentials, which they then use to move laterally to VMware vCenter/ESXi.
The Brickstorm backdoor supports SOCKS proxying, which the attackers use for that lateral movement into vCenter/ESXi. They have also deployed a stealthy in-memory Java Servlet filter, tracked as BRICKSTEAL, on vCenter to intercept HTTP Basic authentication and harvest high-privilege credentials.
Stealing Emails and Exfiltrating Data
The end goal of the attacks using Brickstorm is the exfiltration of emails via Entra ID apps, using a SOCKS proxy to reach internal systems. The threat actor's interest in the emails of key individuals within the victim organization is a common theme across investigations.
"In some cases, the threat actor targeted the mailboxes of developers and system administrators while in other cases, they targeted the mailboxes of individuals involved in matters that align with PRC economic and espionage interests," reads the report published by Google.
Removing Malware and Rotating C2 Domains
After operations, the attackers remove their malware and rotate C2 domains and samples to frustrate forensic analysis. "Across BRICKSTORM investigations we have not observed the reuse of C2 domains or malware samples, which, coupled with high operational security, means these indicators quickly expire or are never observed at all," concludes the report.
Scanner Script for Detection
Mandiant has released a scanner script to help organizations hunt for BRICKSTORM activity. The tool is intended to help detect and mitigate the threat posed by this backdoor.
Conclusion
The Brickstorm backdoor is a sophisticated malware that poses a significant threat to U.S. legal and tech sectors. Its stealthy tactics and active development make it a challenging adversary for organizations to detect and remove. It is essential for affected organizations to take immediate action to protect themselves from this threat.