
Stealthy BRICKSTORM Chinese Malware Used in a Long-Term Cyber Espionage Campaign

Google Threat Intelligence Group (GTIG) and cybersecurity firm Mandiant are warning about a highly evasive Chinese malware variant, BRICKSTORM, being leveraged in a sophisticated cyber espionage campaign by a potent state-sponsored threat group.

They observed the malware variant targeting critical sectors, most notably legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and technology companies.

BRICKSTORM Chinese malware expands cyber espionage to downstream customers

GTIG and Mandiant also assessed that the Chinese malware collects data to support the development of zero-day vulnerabilities and the targeting of downstream customers. While the duo did not name the potential downstream victims, they could include government agencies and tech companies.

“By infiltrating tech security and legal services firms, the attackers don’t just get to access those environments, they gain pathways into their clients and partners, giving them a multiplier effect on reach. Some of those downstream systems may not even realize they’ve been compromised yet,” warned Ensar Seker, CISO at SOCRadar.

Google also observed the hackers accessing the emails of IT professionals, such as developers, system administrators and people of strategic interest to China.

GTIG and Mandiant researchers attributed the cyber espionage campaign to a Chinese advanced persistent threat actor, UNC5221, who is notorious for employing sophisticated tactics and exploiting zero-day vulnerabilities.

“While UNC5221 has been used synonymously with the actor publicly reported as Silk Typhoon, GTIG does not currently consider the two clusters to be the same,” GTIG explained.

BRICKSTORM malware leaves no trace

The attackers aim to maintain long-term stealthy persistence by targeting appliances that do not support traditional endpoint detection and response (EDR) tools, such as firewalls and VPNs.

“The motivation here is long-term, not opportunistic,” Seker continued. “Brickstorm’s operators are methodically exfiltrating intellectual property and internal designs, which gives them a unique insight into how to bypass defenses and identify zero-day opportunities.”

Targeted appliances include VMware vCenter and ESXi hosts, with the threat actors sometimes targeting network devices before pivoting to VMware.

“In effect, they’re embedding themselves into the ecosystem, harvesting the same tools and knowledge base they hope to exploit later. That kind of foresight suggests a campaign designed not just for espionage, but for building capabilities that can support multiple future attacks,” noted Seker.

Meanwhile, the cyber espionage campaign has targeted Linux and BSD-based appliances from multiple manufacturers. The threat actor usually leverages known and exploited zero-day vulnerabilities to breach the perimeter before accessing the devices.

While the cyber espionage campaign usually targets Linux and BSD-based systems, the Chinese malware is written in the cross-platform Go programming language, in which the SOCKS protocol is easy to implement. The malware uses SOCKS to create a client-server infrastructure that turns the infected device into a relay point for routing malicious traffic.

The attackers also use unique command-and-control (C2) servers for different victims to hide their activity. The servers are usually run through popular cloud platforms, such as Cloudflare and Heroku, or dynamic domains, like sslip[.]io, making it more difficult to block them.
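The C2 infrastructure described above gives defenders one concrete hunting signal: sslip.io hostnames encode the IP address they resolve to (for example, 10-0-0-1.sslip.io resolves to 10.0.0.1), so a DNS query for such a name from an appliance that carries no EDR agent is worth a look. The script below is an added example, not code from GTIG, Mandiant or the article; the log format, hostnames and IP addresses are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventory of appliances that cannot run EDR (vCenter, ESXi, firewall).
APPLIANCE_HOSTS = {"vcenter01.corp.example", "esxi-03.corp.example", "fw-edge.corp.example"}

# sslip.io names carry the target IP as the labels just before "sslip.io",
# written with dashes or dots, optionally preceded by arbitrary labels.
SSLIP_RE = re.compile(
    r"^(?:[\w-]+\.)*?(\d{1,3}(?:[-.]\d{1,3}){3})\.sslip\.io\.?$", re.IGNORECASE
)

# Constructed DNS resolver log: "<timestamp> <client host> query <queried name>"
LOG = """\
2025-09-24T02:14:07Z vcenter01.corp.example query updates.vmware.com
2025-09-24T02:15:31Z vcenter01.corp.example query 203-0-113-7.sslip.io
2025-09-24T02:16:02Z ws-1042.corp.example query 203-0-113-7.sslip.io
2025-09-24T02:17:45Z esxi-03.corp.example query api.198.51.100.23.sslip.io
2025-09-24T02:18:10Z fw-edge.corp.example query 999-1-1-1.sslip.io
""".splitlines()

@dataclass
class DnsEvent:
    ts: str
    client: str
    qname: str

def parse_dns_line(line: str) -> Optional[DnsEvent]:
    parts = line.split()
    if len(parts) != 4 or parts[2] != "query":
        return None  # malformed or unrelated record
    return DnsEvent(parts[0], parts[1], parts[3].lower())

def embedded_ip(qname: str) -> Optional[str]:
    """Return the IPv4 address an sslip.io name encodes, or None if not one."""
    m = SSLIP_RE.match(qname)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1).replace("-", ".")))
    except ValueError:
        return None  # octet out of range, so not a resolvable sslip.io name

def hunt(lines: List[str], appliances=APPLIANCE_HOSTS) -> List[Tuple[str, str, str, str]]:
    """Flag sslip.io lookups from appliance hosts; workstations are ignored."""
    findings = []
    for line in lines:
        ev = parse_dns_line(line)
        if ev is None or ev.client not in appliances:
            continue
        ip = embedded_ip(ev.qname)
        if ip is not None:
            findings.append((ev.ts, ev.client, ev.qname, ip))
    return findings
```

Each finding carries the decoded IP so it can be pivoted to flow logs for the same appliance; the workstation line in the sample is deliberately excluded to show that the filter keys on the appliance inventory, not on the domain alone.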

Additionally, the threat actors use tactics that generate little to no security signal to move laterally and exfiltrate data. They sometimes include a hard-coded “delay timer” to ensure that the malware remains dormant in the victim’s environment until a specified date, which could be weeks or months away.

Newer BRICKSTORM variants also use code obfuscation by utilizing Garble and even custom libraries to hide function names and logic, suggesting that the Chinese malware is under active development.

The cyber espionage activity is designed to mimic legitimate system administrators’ actions, such as accessing highly privileged credentials, to cover the threat actor’s tracks.

Collectively, these tactics have enabled the Chinese malware to remain undetected in the victim’s environment for approximately 393 days on average. This dwell time usually exceeds the log retention period of most systems, thus allowing the threat actors to erase evidence of intrusion. It also far exceeds the dwell time of most threat actors, which is usually a few days to several weeks.

“This Brickstorm campaign marks a striking evolution in adversary tradecraft,” added Seker. “What makes it ‘next level’ is not simply the long dwell times or precision targeting, though both are alarming, but rather the strategic layering of access, reconnaissance, and supply-chain influence.”

Meanwhile, GTIG has published a list of actionable steps that organizations should take to hunt for the elusive Chinese malware.

“We are sharing an updated threat actor lifecycle for BRICKSTORM associated intrusions, along with specific and actionable steps organizations should take to hunt for and protect themselves from this activity,” said GTIG.

The company also published a security tool that organizations can use to determine if the malware was deployed on their environments.