BRICKSTORM_Backdoor

BRICKSTORM is a Go-based backdoor deployed by UNC5221-linked actors to persist on network and virtualization appliances (Linux/BSD and vCenter/ESXi), enabling long-term stealthy access, credential theft, VM cloning, and mailbox exfiltration. Mandiant and GTIG provide TTP-focused hunting guidance, YARA rules, example IOCs, and mitigations to detect and disrupt this activity. #BRICKSTORM #BRICKSTEAL

Keypoints

  • UNC5221-associated actors deploy BRICKSTORM to edge appliances and virtual infrastructure, enabling persistent stealthy access across diverse victim verticals in the U.S.
  • Average dwell time is approximately 393 days, because the targeted appliances lack traditional EDR coverage and the actors use anti-forensic techniques and in-memory modifications.
  • BRICKSTORM provides SOCKS proxy functionality and has been observed on Linux and BSD appliances and used to pivot to VMware vCenter and ESXi systems.
  • Actors used a dropper that installs the in-memory Java Servlet filter BRICKSTEAL, and the SLAYSTYLE (also tracked as BEEFLUSH) JSP web shell, to capture credentials and maintain access to vCenter.
  • Threat actors cloned sensitive VMs (Domain Controllers, secret vaults) and mounted clones offline to extract credentials and sensitive files without triggering endpoint defenses.
  • Operators accessed Microsoft 365 mailboxes using Enterprise Application permissions (mail.read, full_access_as_app) and used commercial VPNs and obfuscation networks for egress.
  • Mandiant emphasizes TTP-based hunting (asset inventories for appliances, YARA scans of backups, network hunts for DoH/Cloudflare Workers/Heroku traffic, vCenter VPXD log review) over atomic IOCs.
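The mailbox access path in the keypoints above (an Entra ID Enterprise Application holding mail.read or full_access_as_app) is easiest to hunt from an export of service principals. The following is an added example, not code from the Mandiant/GTIG post: it flags apps whose *application* permissions (held by the app itself, usable without any signed-in user) can read mail, and sorts apps owned by another tenant first. The record shape, tenant IDs, app IDs and names are constructed placeholders; in practice the list comes from the Graph API (servicePrincipals joined to their appRoleAssignments) or a PowerShell export.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed (placeholder) home tenant ID for the example.
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Application permissions that read mail. mail.read and full_access_as_app are
# the two the campaign used; the others are equivalent or broader. Compared
# case-insensitively because exports differ in casing.
MAIL_APP_PERMISSIONS = {"mail.read", "mail.readwrite", "mail.readbasic.all", "full_access_as_app"}


@dataclass(frozen=True)
class ServicePrincipal:
    display_name: str
    app_id: str
    app_owner_org: str                  # appOwnerOrganizationId: tenant owning the app registration
    app_permissions: tuple = ()         # application permissions granted (appRoleAssignments)
    delegated_permissions: tuple = ()   # delegated scopes; only act as a signed-in user


def risky_mail_apps(sps: Iterable[ServicePrincipal], home_tenant: str = HOME_TENANT_ID) -> List[Dict]:
    """Flag service principals that can read mail tenant-wide; foreign-owned apps sort first."""
    findings = []
    for sp in sps:
        # Delegated Mail.Read is deliberately ignored: it is bounded by the consenting
        # user's own mailbox and needs an interactive sign-in to be used.
        mail = sorted(p for p in sp.app_permissions if p.lower() in MAIL_APP_PERMISSIONS)
        if not mail:
            continue
        findings.append({
            "display_name": sp.display_name,
            "app_id": sp.app_id,
            "mail_permissions": mail,
            "foreign_owner": sp.app_owner_org.lower() != home_tenant.lower(),
        })
    return sorted(findings, key=lambda f: (not f["foreign_owner"], f["display_name"]))


# Constructed export for the example; every value is made up.
SAMPLE_SERVICE_PRINCIPALS = (
    ServicePrincipal("Corp-Mail-Archiver", "00000000-0000-0000-0000-0000000000a1", HOME_TENANT_ID,
                     app_permissions=("Mail.Read", "User.Read.All")),
    ServicePrincipal("Backup-Sync-Helper", "00000000-0000-0000-0000-0000000000b2",
                     "22222222-2222-2222-2222-222222222222",
                     app_permissions=("full_access_as_app",)),
    ServicePrincipal("HR-Portal", "00000000-0000-0000-0000-0000000000c3", HOME_TENANT_ID,
                     delegated_permissions=("Mail.Read", "User.Read")),
    ServicePrincipal("Ticketing-Connector", "00000000-0000-0000-0000-0000000000d4", HOME_TENANT_ID,
                     app_permissions=("Sites.Read.All",)),
)

if __name__ == "__main__":
    for f in risky_mail_apps(SAMPLE_SERVICE_PRINCIPALS):
        owner = "FOREIGN-OWNED " if f["foreign_owner"] else ""
        print(f"{owner}{f['display_name']} ({f['app_id']}): {', '.join(f['mail_permissions'])}")
```

Application permissions of this kind apply to every mailbox in the tenant unless an Exchange Online application access policy narrows them, so each flagged app deserves a review of its sign-in log, who consented, and when its credentials were last added.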

MITRE Techniques

  • [T1133] External Remote Services – Used to access appliances and vCenter via SSH and web interfaces; example: “the actor used legitimate credentials to connect to the appliance, often with SSH.”
  • [T1190] Exploit Public-Facing Application – In at least one case initial access came from exploiting a zero-day vulnerability rather than from valid credentials: “…the actor gained access by exploiting a zero-day vulnerability.”
  • [T1037.004] Boot or Logon Initialization Scripts: RC Scripts / [T1543.002] Create or Modify System Process: Systemd Service – The actor edited init.d, rc.local, or systemd unit files so BRICKSTORM started on appliance reboot (the Windows-only Run-key technique T1547.001 does not apply to these Linux/BSD appliances): “the threat actor modified the init.d, rc.local, or systemd files to ensure BRICKSTORM started on appliance reboot.”
  • [T1071.001] Application Layer Protocol: Web Protocols / [T1071.004] DNS – BRICKSTORM resolves its C2 over DNS over HTTPS (DoH), then talks WebSocket over HTTPS to C2 fronted by Cloudflare Workers or Heroku applications: “BRICKSTORM can use DNS over HTTP (DoH)” and “samples using Cloudflare Workers and Heroku applications for C2.”
  • [T1105] Ingress Tool Transfer / [T1090.001] Proxy: Internal Proxy – Actors transferred archived ISO images and pulled files through web interfaces and UNC paths, and used BRICKSTORM’s SOCKS proxy to tunnel from their own workstation straight to internal systems (the tunneling is a proxy technique rather than tool transfer): “used the SOCKS proxy feature of BRICKSTORM to tunnel their workstation and directly access systems and web applications of interest.”
  • [T1003.003] OS Credential Dumping: NTDS – Instead of dumping credentials on a live host, actors cloned VMs (Domain Controllers included), mounted the clone’s filesystem offline and copied ntds.dit and other secret files, leaving nothing for endpoint defenses on the running guest to see: “clone of the virtual machine… mount the filesystem and extract files of interest, such as the Active Directory Domain Services database (ntds.dit).”
  • [T1136.001] Create Account: Local Account / [T1078.003] Valid Accounts: Local Accounts – The actor created a temporary local vCenter/ESXi account to install BRICKSTORM and deleted it afterwards (the deletion itself is indicator removal, T1070), and elsewhere used the built-in local Administrator: “the threat actor created a new local account to install BRICKSTORM and then removed the account after they were done.”
  • [T1114.002] Email Collection: Remote Email Collection – Mailboxes were read through Microsoft Entra ID Enterprise Applications holding the application permissions mail.read or full_access_as_app, which apply tenant-wide by default: “made use of Microsoft Entra ID Enterprise Applications with mail.read or full_access_as_app scopes.”
  • [T1070.004] Indicator Removal: File Deletion – BRICKSTORM binaries were deleted from compromised systems after use, so in several cases the malware could only be identified in backups taken while it was present: “BRICKSTORM samples deployed by the threat actor were removed from compromised systems… identified the BRICKSTORM malware in place” in backups.
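The VM-cloning and account-creation activity mapped above is what the vCenter VPXD log review is meant to surface. As an added example (not code from the Mandiant/GTIG post), the script below pulls `vim.VirtualMachine.clone` long-running-operation (LRO) entries out of vpxd.log, resolves the target managed object ID against a VM inventory, flags clones of VMs whose names suggest Domain Controllers, vaults or PKI, and counts clones per vCenter session so a single session cloning several crown-jewel VMs stands out. The `[VpxLRO] -- BEGIN <task> -- <moid> -- <operation> -- <session>` layout is vpxd’s own; the log lines, inventory and sensitive-name pattern are constructed assumptions to swap for your own export and tags.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of vpxd.log LRO lines; every value is made up.
SAMPLE_VPXD_LOG = """\
2025-03-02T01:12:07.441Z info vpxd[07151] [Originator@6876 sub=vpxLro opID=1a2b3c4d] [VpxLRO] -- BEGIN task-4412 -- vm-1201 -- vim.VirtualMachine.reconfigure -- 52d1c0ad-1f63-4f01-9b7e-0f2f3a7a6c11(52e0a9f2-7b21-4c8e-8d5a-3f6e2b1c9d04)
2025-03-02T02:41:55.910Z info vpxd[07151] [Originator@6876 sub=vpxLro opID=7f8e9d0c] [VpxLRO] -- BEGIN task-4419 -- vm-1042 -- vim.VirtualMachine.clone -- 52d1c0ad-1f63-4f01-9b7e-0f2f3a7a6c11(52e0a9f2-7b21-4c8e-8d5a-3f6e2b1c9d04)
2025-03-02T02:43:12.003Z info vpxd[07151] [Originator@6876 sub=vpxLro opID=7f8e9d0d] [VpxLRO] -- BEGIN task-4420 -- vm-1077 -- vim.VirtualMachine.clone -- 52d1c0ad-1f63-4f01-9b7e-0f2f3a7a6c11(52e0a9f2-7b21-4c8e-8d5a-3f6e2b1c9d04)
2025-03-02T09:15:30.120Z info vpxd[07151] [Originator@6876 sub=vpxLro opID=0a0b0c0d] [VpxLRO] -- BEGIN task-4451 -- vm-1300 -- vim.VirtualMachine.clone -- 52aa11bb-2222-4333-9444-555566667777(52ff00ee-dddd-4ccc-bbbb-aaaa99998888)
"""

# Constructed managed-object-ID -> VM name inventory. Export the real one from
# vCenter (govc, PowerCLI) before the hunt so every clone is attributable.
SAMPLE_INVENTORY: Dict[str, str] = {
    "vm-1042": "corp-dc01",
    "vm-1077": "hashivault-prod",
    "vm-1201": "fileserver-02",
    "vm-1300": "web-staging-03",
}

# Assumed name fragments for crown-jewel VMs; replace with your own inventory tags.
SENSITIVE_RE = re.compile(r"dc\d|vault|pki|adfs|secret", re.IGNORECASE)

# timestamp, level, "vpxd[pid]", anything, then the LRO BEGIN record.
LRO_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+vpxd\[\d+\].*?\[VpxLRO\] -- BEGIN (?P<task>\S+) -- "
    r"(?P<moid>\S+) -- (?P<op>vim\.\S+) -- (?P<session>\S+)"
)


@dataclass(frozen=True)
class CloneEvent:
    timestamp: str
    task: str
    moid: str
    vm_name: str
    session: str


def parse_clone_events(log_text: str, inventory: Dict[str, str]) -> List[CloneEvent]:
    """Extract VirtualMachine.clone LRO starts and attach the source VM's name."""
    events = []
    for line in log_text.splitlines():
        m = LRO_RE.match(line)
        if not m or m.group("op") != "vim.VirtualMachine.clone":
            continue
        moid = m.group("moid")
        events.append(CloneEvent(m.group("ts"), m.group("task"), moid,
                                 inventory.get(moid, f"<unknown {moid}>"), m.group("session")))
    return events


def flag_sensitive_clones(events: List[CloneEvent], pattern=SENSITIVE_RE) -> List[CloneEvent]:
    """Keep only clones whose source VM name matches the sensitive pattern."""
    return [e for e in events if pattern.search(e.vm_name)]


def clones_per_session(events: List[CloneEvent]) -> Counter:
    """How many clone tasks each vCenter session started."""
    return Counter(e.session for e in events)


if __name__ == "__main__":
    evs = parse_clone_events(SAMPLE_VPXD_LOG, SAMPLE_INVENTORY)
    for e in flag_sensitive_clones(evs):
        print(f"{e.timestamp} {e.task}: clone of {e.vm_name} ({e.moid}) by session {e.session}")
    for sess, n in clones_per_session(evs).items():
        if n > 1:
            print(f"session {sess} started {n} clones")
```

Pair the session IDs this emits with the vCenter SSO and VAMI audit logs to identify the account behind them; a clone from a freshly created local account, or one whose account is deleted minutes later, is the pattern described in the techniques above.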

Indicators of Compromise

  • [File Hash] BRICKSTORM sample hashes – 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035, 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df (further hashes are listed in Google Threat Intelligence).
  • [File Name] Observed malicious filenames – pg_update, spclisten, vmp, chosen to masquerade as legitimate appliance components; a name alone is a weak signal, so confirm with the YARA rules or a hash.
  • [Domains / Hosting] C2 hosting patterns – Cloudflare Workers and Heroku applications front the C2, and sslip.io / nip.io wildcard-DNS names resolve to the C2 IP spelled into the hostname; infrastructure is unique per victim, so hunt on the pattern rather than on specific domains.
  • [Logs / Events] vCenter VPXD and VAMI audit events – VirtualMachine.clone tasks against sensitive VMs and local account creation/deletion around the time BRICKSTORM was installed (the post shows example excerpts with timestamps).
  • [Network Indicators] DoH resolvers contacted – 8.8.8.8, 8.8.4.4, 1.1.1.1, 9.9.9.9 and 45.90.28.160 appear in the network detection rules. These are public resolvers that browsers and workstations use legitimately; the signal is HTTPS (port 443) to them from network or virtualization appliances that should be using the internal resolver.
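The hosting and network indicators above are patterns rather than atomic IOCs, so they are best hunted with a small classifier over flow or TLS metadata. The following is an added example, not code from the Mandiant/GTIG post: it flags HTTPS to the listed public DoH resolvers when the source is in the appliance inventory, sslip.io / nip.io hostnames (extracting the IP they encode, which is the real C2 address), and Cloudflare Workers / Heroku hostnames. The resolver list is the one on this page; the flow records, appliance addresses and hostnames are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Public DoH resolvers named in the page's detection rules. Not IOCs on their own:
# browsers use them legitimately, so only appliance-originated flows are examined.
DOH_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9", "45.90.28.160"}

# Wildcard-DNS services that resolve a hostname to the IP spelled inside it,
# in either 203-0-113-7.sslip.io or app.203.0.113.7.nip.io form.
WILDCARD_DNS_RE = re.compile(
    r"(?:^|\.)(?P<ip>(?:\d{1,3}[.-]){3}\d{1,3})\.(?:sslip|nip)\.io$", re.IGNORECASE)

# Serverless platforms used to front C2 in the campaign.
SERVERLESS_SUFFIXES = (".workers.dev", ".herokuapp.com")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    sni: str = ""  # TLS SNI or HTTP Host header; empty if none was observed


def wildcard_dns_target(hostname: str) -> Optional[str]:
    """Return the IP embedded in an sslip.io / nip.io name, or None."""
    m = WILDCARD_DNS_RE.search(hostname.rstrip("."))
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip").replace("-", ".")))
    except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
        return None


def hunt(flows: Iterable[Flow], appliance_ips: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (source, finding, detail) triples for appliance-originated flows."""
    findings = []
    for f in flows:
        if f.src_ip not in appliance_ips:
            continue  # workstation DoH is normal; appliances should use internal DNS
        host = f.sni.lower()
        if f.dst_port == 443 and f.dst_ip in DOH_RESOLVER_IPS:
            findings.append((f.src_ip, "doh-from-appliance", f"{f.dst_ip} sni={host or '-'}"))
        target = wildcard_dns_target(host)
        if target:
            findings.append((f.src_ip, "wildcard-dns-c2", f"{host} -> {target}"))
        if host.endswith(SERVERLESS_SUFFIXES):
            findings.append((f.src_ip, "serverless-c2-host", host))
    return findings


# Constructed appliance inventory and flow records for the example.
APPLIANCE_IPS = {"10.20.0.5", "10.20.0.6"}
SAMPLE_FLOWS = (
    Flow("10.20.0.5", "1.1.1.1", 443, "cloudflare-dns.com"),                 # DoH from an appliance
    Flow("10.20.0.5", "8.8.8.8", 53),                                        # plain DNS, not flagged
    Flow("10.20.0.5", "203.0.113.7", 443, "203-0-113-7.sslip.io"),            # C2 IP spelled into the name
    Flow("10.20.0.6", "198.51.100.9", 443, "quiet-river-1234.herokuapp.com"),
    Flow("10.50.1.20", "8.8.8.8", 443, "dns.google"),                         # workstation DoH, ignored
)

if __name__ == "__main__":
    for src, kind, detail in hunt(SAMPLE_FLOWS, APPLIANCE_IPS):
        print(f"{src}\t{kind}\t{detail}")
```

The appliance inventory is the part that makes this usable: the same resolver hit from a user subnet is noise, from a vCenter or edge appliance it is worth a ticket. Because the campaign used fresh infrastructure per victim, the wildcard-DNS and serverless checks key on hostname shape rather than on any domain list.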


Read more: https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign