NVISO, a Brussels-based security firm, has found a Windows variant of the BRICKSTORM malware. This backdoor is linked to the Chinese group UNC5221.
Through forensic research, NVISO discovered that the backdoor has been used since at least 2022 in an active espionage campaign aimed at European industries. The malware is designed to remain undetected for a long time and to steal industrial secrets.
Unlike the more common extortion attacks, which announce themselves, Chinese espionage intrusions are characterized by a high degree of discretion, which is why they often go undetected for a long time. BRICKSTORM is exactly the kind of silent backdoor that NVISO has now analyzed.
Advanced techniques
NVISO’s analysis shows that BRICKSTORM is used in both Windows and Linux environments. Until now only a Linux variant was known: earlier Mandiant analyses had documented the backdoor solely on Linux. The backdoor uses multiple mechanisms to avoid detection, including the abuse of legitimate cloud services for its infrastructure and the layering of several rounds of encryption over its network communication.
“The two newly identified BRICKSTORM executables provide attackers with file manager and network tunneling capabilities. Through these backdoors, adversaries can browse the file system, create/delete arbitrary files and folders as well as tunnel network connections for lateral movement”, according to NVISO. “The BRICKSTORM family resolves its Command & Control servers through DoH (DNS over HTTPS), hindering most network monitoring solutions.”
Both Windows samples analyzed by the Belgian company were compiled with Go 1.13.5 (released in 2019) and export no functions, so they run as standalone executables rather than being loaded as DLLs by another process. For execution and persistence the attackers relied on mechanisms such as scheduled tasks.
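NVISO’s point about DoH is that the C2 lookup never reaches the resolvers a network team normally monitors. It does, however, still cross a web proxy, and an RFC 8484 GET request carries the whole DNS query in its `dns=` parameter. The following detector is an added example written for this article; it is not code from NVISO’s report or from the BRICKSTORM samples. It scans a constructed proxy-log format (client, method, URL, content type), flags requests that look like DoH by resolver hostname, `/dns-query` path or `application/dns-message` content type, and decodes the queried name from GET requests. The resolver list, the log lines and the name `c2.example.net` are assumptions made for the example.

```python
"""
Added example (not from NVISO's report or the BRICKSTORM samples): flag
DNS-over-HTTPS (RFC 8484) requests in web-proxy logs and recover the queried
name from GET requests. Log format, resolver list and sample data are constructed.
"""
import base64
import struct
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Public DoH resolvers commonly seen in enterprise traffic (assumption: extend
# with whatever resolvers your environment does not sanction).
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com",
                   "mozilla.cloudflare-dns.com", "dns.quad9.net"}
DOH_CONTENT_TYPE = "application/dns-message"
QTYPE_NAMES = {1: "A", 28: "AAAA", 16: "TXT", 65: "HTTPS"}


def b64url_decode(s: str) -> bytes:
    # RFC 8484 strips the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS wire-format query (ID 0, RD set); used only to build sample data."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_dns_question(msg: bytes) -> Tuple[str, int]:
    """Return (qname, qtype) from the first question of a DNS message."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(msg):
            raise ValueError("bad label")  # compression pointers do not occur in a query's question
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    return ".".join(labels), struct.unpack("!H", msg[pos:pos + 2])[0]


def classify(line: str) -> Optional[dict]:
    """Return a finding for a log line that looks like DoH, else None."""
    client, method, url, ctype = line.split()
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host in KNOWN_DOH_HOSTS:
        reasons.append("known DoH resolver")
    if parts.path.endswith("/dns-query"):
        reasons.append("RFC 8484 path")
    if ctype == DOH_CONTENT_TYPE:
        reasons.append("dns-message content type")
    if not reasons:
        return None
    finding = {"client": client, "host": host, "method": method,
               "reasons": reasons, "qname": None, "qtype": None}
    dns_param = parse_qs(parts.query).get("dns")
    if method == "GET" and dns_param:  # POST bodies are not in the log; only GET is decodable here
        try:
            qname, qtype = parse_dns_question(b64url_decode(dns_param[0]))
            finding["qname"], finding["qtype"] = qname, QTYPE_NAMES.get(qtype, str(qtype))
        except (ValueError, struct.error):
            reasons.append("undecodable dns= parameter")
    return finding


def scan(log: str) -> List[dict]:
    return [f for f in (classify(l) for l in log.splitlines() if l.strip()) if f]


# Constructed sample log: client, method, URL, content type ("-" when absent).
SAMPLE_LOG = "\n".join([
    # RFC 8484's own example query (www.example.com, type A, ID 0).
    "10.0.0.5 GET https://dns.google/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB -",
    # POST to an unlisted IP: only the path and content type give it away.
    "10.0.0.5 POST https://203.0.113.10/dns-query application/dns-message",
    # Ordinary web traffic that must not be flagged.
    "10.0.0.7 GET https://www.example.com/index.html -",
    # Hypothetical C2 name, AAAA query, built with build_dns_query().
    "10.0.0.9 GET https://cloudflare-dns.com/dns-query?dns="
    + b64url_encode(build_dns_query("c2.example.net", 28)) + " -",
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Hostname and path matching only catches resolvers you already know about; the content-type check and, for proxies that do TLS inspection, the decoded `dns=` parameter are what catch a DoH endpoint hosted on arbitrary infrastructure. POST requests carry the query in the body, which this log format does not record, so those are flagged but not decoded.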