BRICKSTORM Backdoor
A suspected China-aligned cyber espionage group has been targeting companies in the U.S. legal services, software-as-a-service (SaaS), Business Process Outsourcing (BPO), and technology sectors. The objective: deliver a highly capable backdoor known as BRICKSTORM.
Attributed to UNC5221 and closely related threat clusters, these intrusions aim to maintain persistent access to victim networks for over a year, often targeting SaaS providers to reach downstream customer environments or data hosted on their behalf. In the legal and tech sectors, the attacks appear motivated by the theft of intellectual property, intelligence related to national security, and information relevant to international trade.
BRICKSTORM: The Backdoor That Stays Hidden
First observed last year, BRICKSTORM was linked to the exploitation of Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887). It has also been active in European Windows environments since at least November 2022.
BRICKSTORM, written in Go, includes capabilities to:
- Act as a web server.
- Manipulate file systems and directories.
- Upload/download files and execute shell commands.
- Operate as a SOCKS proxy.
- Communicate with a Command-and-Control (C2) server via WebSockets.
The malware is designed to evade detection, especially on appliances without traditional endpoint detection and response (EDR) coverage. Its stealthy architecture enables the attackers to remain undetected for an average of 393 days.
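The C2 channel described above (a persistent WebSocket session from an appliance or server) is one of the few network-visible traits of a backdoor running where no EDR is present. The following is an added example, not code from the report or from any vendor, of how a defender might triage outbound WebSocket upgrades in web-proxy logs: the log format, the host names, the IP addresses and the infrastructure host list are all constructed for the demonstration. It flags WebSocket sessions (HTTP 101 with an `Upgrade: websocket` header) that originate from infrastructure hosts and either stay open for an unusually long time or go to a bare IP address rather than a hostname.

```python
"""Triage outbound WebSocket sessions from infrastructure hosts.

Added example for illustration only; the log format below is constructed,
as are every host name and IP address in SAMPLE_LOG.
"""
import ipaddress
import re

# Constructed key=value proxy log format; real proxies differ, adjust LOG_RE.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+):(?P<port>\d+) "
    r"status=(?P<status>\d+) upgrade=(?P<upgrade>\S+) duration=(?P<duration>\d+)$"
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_ip_literal(host):
    """True when the destination is a bare IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_websocket_sessions(lines, infra_hosts, min_duration=3600):
    """Return WebSocket sessions from infra_hosts that look unusual.

    A session is a completed WebSocket upgrade: status 101 with
    upgrade=websocket. It is reported when it lasted at least min_duration
    seconds, or when it went to an IP literal; both reasons are recorded.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] != "101" or rec["upgrade"].lower() != "websocket":
            continue
        if rec["src"] not in infra_hosts:
            continue  # workstations are out of scope for this check
        duration = int(rec["duration"])
        reasons = []
        if duration >= min_duration:
            reasons.append("long-lived")
        if is_ip_literal(rec["dst"]):
            reasons.append("ip-literal destination")
        if reasons:
            hits.append({"src": rec["src"], "dst": rec["dst"],
                         "duration": duration, "reasons": reasons})
    return hits


# Constructed sample log; none of these hosts or addresses are real indicators.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z src=vcenter01 dst=203.0.113.10:443 status=101 upgrade=websocket duration=86400
2024-05-01T08:00:05Z src=ws-user-12 dst=198.51.100.5:443 status=101 upgrade=websocket duration=7200
2024-05-01T08:01:00Z src=vcenter01 dst=203.0.113.11:443 status=200 upgrade=none duration=2
2024-05-01T08:02:00Z src=vpn-appliance dst=203.0.113.12:443 status=101 upgrade=websocket duration=120
2024-05-01T08:03:00Z src=vcenter01 dst=updates.example.net:443 status=101 upgrade=websocket duration=30
"""
# Constructed list of hosts that should never hold long outbound WebSockets.
INFRA_HOSTS = {"vcenter01", "vpn-appliance"}

if __name__ == "__main__":
    for hit in flag_websocket_sessions(SAMPLE_LOG.splitlines(), INFRA_HOSTS):
        print(f"{hit['src']} -> {hit['dst']} ({hit['duration']}s): {', '.join(hit['reasons'])}")
```

The infrastructure host list is the important input: a workstation's browser opening WebSockets all day is normal, a vCenter host or a VPN appliance doing so is not, and the check is only as good as that inventory.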
Advanced Techniques for Stealth and Persistence
The threat actors employ highly sophisticated techniques for lateral movement and persistence:
Exploitation and initial access: At least one attack leveraged Ivanti Connect Secure edge device vulnerabilities to deploy BRICKSTORM. Other deployments on Linux and BSD-based appliances remain difficult to trace due to the actors’ careful erasure of activity traces.
Agile malware development: Some BRICKSTORM samples include a “delay” timer that postpones communication with C2 servers for months. In one instance, the malware was deployed on a VMware vCenter server after incident response had begun, demonstrating operational agility.
Privilege escalation via BRICKSTEAL: A malicious Java Servlet filter on Apache Tomcat was used to capture vCenter credentials. The attackers then cloned Windows Server VMs for critical systems such as Domain Controllers, SSO identity providers, and secret vaults.
In-memory modifications: By using a custom dropper, attackers applied configuration changes entirely in memory, avoiding application restarts and detection.
Persistence methods: Modifications to init.d, rc.local, or systemd files ensure BRICKSTORM restarts automatically when the appliance reboots, while JSP web shells such as SLAYSTYLE (aka BEEFLUSH) give the attackers arbitrary OS command execution.
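The boot-time persistence just described (entries added to init.d scripts, rc.local or systemd unit files) leaves artifacts a defender can audit even on an appliance without EDR. The following is an added example, not code from the report or from any vendor, of such an audit: it parses systemd unit files and init-style shell scripts and reports any command that references a path outside the directories a legitimate boot-time service normally launches from. The file contents in SAMPLES and the trusted-prefix list are constructed for the demonstration; on a real system you would read the files from disk and tune the prefix list to the appliance's layout.

```python
"""Audit Linux boot-persistence locations for commands launched from odd paths.

Added example for illustration only. SAMPLES and TRUSTED_PREFIXES are
constructed; they are not artifacts from the campaign.
"""
import re
from dataclasses import dataclass, field

# Directories a legitimate boot-time service normally lives under (constructed
# list; extend it for the appliance being audited).
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/etc/",
                    "/opt/", "/dev/null", "/var/log/", "/var/run/", "/run/")

# Matches absolute paths embedded in a command line, e.g. /var/tmp/.cache/x
PATH_RE = re.compile(r"(?<![\w.])/[\w./+-]+")

EXEC_RE = re.compile(r"Exec(?:Start|StartPre|StartPost|Reload)\s*=\s*(.+)$")


@dataclass
class Finding:
    source: str          # file the line came from
    line: str            # the offending line, stripped
    paths: list = field(default_factory=list)  # paths outside TRUSTED_PREFIXES


def untrusted_paths(cmd):
    """Return every absolute path in cmd that is not under a trusted prefix."""
    return [p for p in PATH_RE.findall(cmd) if not p.startswith(TRUSTED_PREFIXES)]


def audit_systemd_unit(name, text):
    """Inspect the Exec* directives of one systemd unit file."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = EXEC_RE.match(line)
        if m:
            bad = untrusted_paths(m.group(1))
            if bad:
                findings.append(Finding(name, line, bad))
    return findings


def audit_shell_script(name, text):
    """Inspect every non-comment line of an rc.local or init.d script."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        bad = untrusted_paths(line)
        if bad:
            findings.append(Finding(name, line, bad))
    return findings


def audit_all(sources):
    """sources maps a file path to its contents; unit files end in .service."""
    findings = []
    for name, text in sources.items():
        if name.endswith(".service"):
            findings.extend(audit_systemd_unit(name, text))
        else:
            findings.extend(audit_shell_script(name, text))
    return findings


# Constructed sample files: two benign, two with the kind of entry to hunt for.
SAMPLES = {
    "/etc/systemd/system/sshd.service":
        "[Unit]\nDescription=OpenSSH server\n[Service]\nExecStart=/usr/sbin/sshd -D\n"
        "[Install]\nWantedBy=multi-user.target\n",
    "/etc/systemd/system/netmon.service":
        "[Unit]\nDescription=network monitor\n[Service]\n"
        "ExecStart=/bin/sh -c '/var/tmp/.cache/netmon >/dev/null 2>&1'\nRestart=always\n"
        "[Install]\nWantedBy=multi-user.target\n",
    "/etc/rc.local":
        "#!/bin/sh -e\n# rc.local\n/home/support/.x/agent &\nexit 0\n",
    "/etc/init.d/cron":
        "#!/bin/sh\n### BEGIN INIT INFO\n### END INIT INFO\n/usr/sbin/cron\n",
}

if __name__ == "__main__":
    for f in audit_all(SAMPLES):
        print(f"{f.source}: {f.line!r} -> untrusted {f.paths}")
```

The path check deliberately looks at every absolute path on the line, not only the first token, so a wrapper such as `/bin/sh -c '/var/tmp/...'` is still caught. Pair the output with file modification times and with a diff against a known-good image of the appliance; a clean audit of these locations says nothing about in-memory modifications, which this check cannot see.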
Strategic Objectives and Impact
The primary goal of this campaign is targeted data exfiltration, focusing on emails and accounts of developers, system administrators, and personnel involved in sensitive areas aligned with China’s economic and espionage interests. Using the SOCKS proxy capability, attackers can tunnel into applications of interest and pivot to downstream SaaS customers or identify zero-day vulnerabilities for future campaigns.
The BRICKSTORM campaign represents a highly sophisticated threat, capable of bypassing advanced enterprise defenses and focusing on high-value targets.