Post: Chinese Hackers Use ‘BRICKSTORM’ Backdoor to Breach US Firms
<div data-edit-folder-name="text" data-index="2" data-layout-id="2" id="layout-fa5b557f-c0f9-4472-844c-81756b3c1066">
<p>The GTIG researchers argued that the motivation of these attacks “extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.”</p>
<p>In many cases, the threat actors were particularly interested in the emails of key individuals within the victim organizations and sometimes exfiltrated files from these mailboxes.</p>
<p>Google has attributed these campaigns to <a href="https://www.infosecurity-magazine.com/news/chinese-state-hackers-ivanti-flaw/" target="_blank">UNC5221</a>, a Chinese-aligned threat cluster linked to sophisticated capabilities, including the exploitation of zero-day vulnerabilities targeting network appliances.</p>
<p>While other security vendors consider UNC5221 and <a href="https://www.infosecurity-magazine.com/news/silk-typhoon-exploits-common/" target="_blank">Silk Typhoon</a> to be the same group, GTIG currently tracks them as two distinct entities.</p>
<h2><strong>Sophisticated Campaigns Against US Organizations</strong></h2>
<p>The Google report noted that the GTIG investigation into the BRICKSTORM campaigns had been made particularly difficult by how long the threat actors remained undetected, which in many environments was longer than the logs were kept.</p>
<p>“In many cases, the average dwell time of 393 days exceeded log retention periods and the artifacts of the initial intrusion were no longer available,” the researchers wrote.</p>
<p>Nevertheless, they found that UNC5221 used a range of sophisticated techniques to maintain persistence and minimize the visibility traditional security tools have into their activities.</p>
<p>These include:</p>
<ol>
<li><strong>Initial access:</strong> exploiting zero-day vulnerabilities</li>
<li><strong>Establishing foothold:</strong> BRICKSTORM deployment on appliances that do not support traditional endpoint detection and response (EDR) tools (e.g. VMware vCenter and ESXi hosts)</li>
<li><strong>Escalating privilege:</strong> In-memory Servlet filter injection, credential harvesting via HTTP basic auth, bypassing MFA protections, VM cloning of critical servers, targeting Delinea Secret Server, execution of automated secret stealer tools</li>
<li><strong>Moving laterally:</strong> credential reuse from vaults and scripts</li>
<li><strong>Establishing persistence:</strong> init.d, rc.local, or systemd file changes to ensure BRICKSTORM starts on appliance reboot</li>
<li><strong>Completing mission:</strong> exploiting Microsoft Entra ID Enterprise Applications with mail.read or full_access_as_app scopes to access the email mailboxes of target accounts</li>
</ol>
<h2><strong>Inside the BRICKSTORM Backdoor</strong></h2>
<h3><strong>BRICKSTORM Forensics Analysis</strong></h3>
<p>BRICKSTORM is a Go backdoor targeting VMware vCenter servers.</p>
<p>According to <a href="https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement" target="_blank">a previous Google report</a>, published in April 2024, the backdoor supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying.</p>
<p>BRICKSTORM communicates over WebSockets to a hard-coded command-and-control (C2) server.</p>
<p>Upon execution, BRICKSTORM checks for an environment variable, WRITE_LOG, to determine whether it is already running as the intended child process. If the variable is false or unset, it copies the BRICKSTORM sample from /home/vsphere-ui/vcli to /opt/vmware/sbin as vami-httpd, executes the copy and then terminates.</p>
<p>If WRITE_LOG is set to true, it assumes it is running as the correct process, deletes /opt/vmware/sbin/vami-httpd (removing the on-disk copy while the running process keeps executing) and continues execution.</p>
<p>BRICKSTORM contains a separate function called Watcher, which contains self-monitoring functionality. If the environment variable WORKER returns false or is unset, it will continue the monitoring, checking for the file /home/vsphere-ui/vcli and copying the contents over to /opt/vmware/sbin/vami-httpd. Then, it sets the appropriate environment variables and spawns the process. The watcher process then begins monitoring the exit status of the child process.</p>
<p>If it finds the environment variable WORKER is set to true, it assumes it is a spawned worker process meant to execute the backdoor functionality and skips the remainder of the Watcher function.</p>
<p>BRICKSTORM communicates with the C2 using WebSockets. This sample contains a hard-coded WebSocket address of wss://opra1.oprawh.workers[.]dev. Additionally, it contains the following legitimate DNS over HTTPS (DoH) addresses.</p>
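<p>The dropper, watcher and worker behaviour above leaves a small set of host artifacts that can be hunted for without YARA: the staging path /home/vsphere-ui/vcli, the masqueraded copy /opt/vmware/sbin/vami-httpd, the WRITE_LOG and WORKER variables in a running process's environment, and init.d, rc.local or systemd entries that re-launch the binary on reboot. The POSIX shell script below is an added example written for this page; it is not Google's or Mandiant's scanner and does not replicate the G_APT_Backdoor_BRICKSTORM_3 string and hex patterns. It assumes the artifact names reported for the analyzed sample (a different build could use different paths or variable names), and it takes an optional root prefix so the same checks can be run against a mounted offline copy of an appliance disk. The function names and the HIT output format are the example's own.</p>

```shell
#!/bin/sh
# Added example: hunt for the BRICKSTORM host artifacts described in the article.
# Usage: ./brickstorm_hunt.sh /            (live vCenter/ESXi appliance shell)
#        ./brickstorm_hunt.sh /mnt/image   (offline copy of an appliance disk)
# Prints one "HIT ..." line per finding; every hit needs analyst review.

# Paths the dropper stages itself at and copies itself to (from the sample analysis).
BRICKSTORM_PATHS="/home/vsphere-ui/vcli /opt/vmware/sbin/vami-httpd"

# Environment variables the sample uses to distinguish dropper, watcher and worker.
BRICKSTORM_ENV_KEYS="WRITE_LOG WORKER"

# 1. Staging or copy paths present on disk under $root.
brickstorm_check_paths() {
  root="$1"
  for p in $BRICKSTORM_PATHS; do
    [ -e "$root$p" ] && echo "HIT path: $root$p"
  done
  return 0
}

# 2. Persistence: init.d, rc.local or systemd units that reference the binary.
#    The watcher re-copies the sample after the worker deletes it, so a boot-time
#    launcher pointing at either path is what keeps the backdoor across reboots.
brickstorm_check_persistence() {
  root="$1"
  for loc in /etc/init.d /etc/rc.local /etc/systemd/system /lib/systemd/system; do
    [ -e "$root$loc" ] || continue
    grep -rl -e 'vami-httpd' -e 'vsphere-ui/vcli' "$root$loc" 2>/dev/null \
      | while read -r f; do echo "HIT persistence: $f"; done
  done
  return 0
}

# 3. Live (or imaged) processes whose environment carries WRITE_LOG or WORKER.
#    /proc/<pid>/environ is NUL-separated, hence the tr before grep.
brickstorm_check_procs() {
  root="$1"
  for env in "$root"/proc/[0-9]*/environ; do
    [ -r "$env" ] || continue
    for key in $BRICKSTORM_ENV_KEYS; do
      if tr '\0' '\n' < "$env" 2>/dev/null | grep -q "^$key="; then
        pid=$(basename "$(dirname "$env")")
        echo "HIT process: pid $pid has $key set"
      fi
    done
  done
  return 0
}

# Run all three checks against a root prefix ("" or "/" means the live host).
brickstorm_scan() {
  root="${1%/}"
  brickstorm_check_paths "$root"
  brickstorm_check_persistence "$root"
  brickstorm_check_procs "$root"
}

# Number of HIT lines, so a wrapper (or cron job) can alert on a non-zero count.
brickstorm_hit_count() {
  brickstorm_scan "$1" | grep -c '^HIT' || true
}

# Stand-alone use: scan the prefix given on the command line.
if [ $# -gt 0 ]; then
  brickstorm_scan "$1"
fi
```

<p>Because the worker deletes the on-disk copy once it is running, an absent /opt/vmware/sbin/vami-httpd is not a clean result on its own; the process environment check and the persistence check are what catch the running stage. Treat a hit on the vami-httpd name as something to compare against a known-good inventory of the appliance's VAMI components rather than as a confirmed infection by itself.</p>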
<h3><strong>BRICKSTORM Deployment</strong></h3>
<p>Typically, threat actors deploy the backdoor to a network appliance before pivoting to VMware systems.</p>
<p>The hackers then move laterally to a vCenter server in the environment using valid credentials, which were likely captured by the malware running on the network appliances.</p>
<p>In April 2025, European cybersecurity company NVISO discovered two new BRICKSTORM samples affecting Windows environments.</p>
<p>These samples had been used to <a href="https://www.infosecurity-magazine.com/news/china-hackers-brickstorm-backdoor/" target="_blank">spy on European organizations via Windows</a> since at least 2022, NVISO said.</p>
<p>While Google has acknowledged the NVISO report, it said it has not observed BRICKSTORM Windows-focused variants in any investigation to date.</p>
<p>Google’s Mandiant has released a scanner script that can run on *nix-based appliances and other systems without requiring YARA to be installed.</p>
<p>The tool is designed to replicate a specific YARA rule (G_APT_Backdoor_BRICKSTORM_3) by searching for a combination of strings and hex patterns unique to the backdoor.</p>
</div>