A recent report by the European cybersecurity company NVISO describes new findings on BRICKSTORM, a backdoor attributed to Chinese cyber espionage activity. Initially observed on Linux systems, the tool has since been adapted to Windows environments and used in a series of espionage campaigns targeting European organizations.
The NVISO researchers uncovered two new BRICKSTORM samples built for Windows. These executables, written in Go, give the operators file management and network tunneling capabilities, which let them browse and transfer files and move through the network while blending in with ordinary traffic. The Windows samples differ in some details from their Linux counterparts, but they serve the same purpose.
Unlike the Linux samples analyzed earlier by Mandiant, the Windows versions of BRICKSTORM lack a direct command execution capability. Instead, the operators tunnel through the implant and, with valid credentials, use ordinary protocols such as Remote Desktop Protocol (RDP) and Server Message Block (SMB) to run commands on other hosts; no vulnerability in those protocols is needed, which is what makes the activity hard to tell apart from legitimate administration. The malware also uses DNS over HTTPS (DoH) for its command-and-control resolution, keeping those lookups out of conventional DNS logs and making the infrastructure harder to detect and track.
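The two behaviours above (DoH lookups from a host that should be using the internal resolver, followed by that same host fanning out over RDP or SMB with valid credentials) are both visible at the network edge. The following is an added hunting example, not code from NVISO or from the report; it runs over constructed firewall log lines embedded in the script. The DoH resolver list, the sanctioned resolver address, the internal range and the fan-out threshold are all assumptions for the example, since the report does not specify which resolvers the implant contacts.

```python
"""Hunt for DoH use and RDP/SMB fan-out over constructed firewall log lines.

Two signals are combined: a workstation talking TLS to a public DoH endpoint
(only the sanctioned resolver should do that), and a workstation reaching
several internal hosts over RDP (3389) or SMB (445). A host showing both is
the highest-priority finding.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Assumption: public DoH endpoints the environment does not sanction. The
# report does not say which resolvers BRICKSTORM uses; this list is illustrative.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net", "one.one.one.one"}
# Assumption: the only internal host allowed to reach external resolvers.
SANCTIONED_RESOLVERS = {"10.0.0.53"}
# Assumption: the internal address range and the lateral-movement ports of interest.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
LATERAL_PORTS = {3389: "RDP", 445: "SMB"}
FANOUT_THRESHOLD = 3  # distinct internal targets before a host is flagged


@dataclass
class Event:
    ts: int
    src: str
    dst: str
    dport: int
    sni: str  # TLS server name seen by the firewall, "" when absent


def parse_line(line: str) -> Event:
    # Constructed line format: "<ts> <src> <dst> <dport> <sni-or-dash>"
    ts, src, dst, dport, sni = line.split()
    return Event(int(ts), src, dst, int(dport), "" if sni == "-" else sni)


def parse_log(text: str) -> list[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def doh_clients(events: list[Event]) -> list[str]:
    """Hosts, other than the sanctioned resolver, with TLS to a public DoH endpoint."""
    return sorted({e.src for e in events
                   if e.dport == 443 and e.sni in DOH_HOSTS
                   and e.src not in SANCTIONED_RESOLVERS})


def lateral_fanout(events: list[Event], threshold: int = FANOUT_THRESHOLD) -> dict[str, list[str]]:
    """Sources that reach at least `threshold` distinct internal hosts over RDP or SMB."""
    targets: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.dport in LATERAL_PORTS and ipaddress.ip_address(e.dst) in INTERNAL:
            targets[e.src].add(e.dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= threshold}


def hunt(text: str) -> dict:
    events = parse_log(text)
    doh = set(doh_clients(events))
    fan = lateral_fanout(events)
    # A host that both resolves over DoH and fans out internally matches the
    # tunnel-plus-valid-credentials pattern described for the Windows samples.
    return {"doh_clients": sorted(doh), "lateral_fanout": fan, "both": sorted(doh & set(fan))}


# Constructed sample log: one sanctioned resolver lookup, one workstation that
# uses DoH and then touches three internal hosts, one single SMB connection,
# and one workstation that only uses DoH.
SAMPLE_LOG = """\
# ts src dst dport sni
1000 10.0.0.53 1.1.1.1 443 cloudflare-dns.com
1001 10.1.2.10 1.1.1.1 443 cloudflare-dns.com
1003 10.1.2.10 10.1.5.20 445 -
1004 10.1.2.10 10.1.5.21 445 -
1005 10.1.2.10 10.1.5.22 3389 -
1006 10.1.3.40 10.1.5.20 445 -
1007 10.1.4.15 8.8.8.8 443 dns.google
"""

if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The SNI match is the weak point of this check: a client that pins the resolver by IP address, or one that uses Encrypted Client Hello, shows no server name, so in practice the DoH detection is paired with an egress rule that blocks the known resolver addresses outright for everything except the sanctioned resolver. The fan-out check is deliberately protocol-agnostic because the operators are using legitimate RDP and SMB sessions; what stands out is the source, not the protocol.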
Furthermore, the attackers behind BRICKSTORM have been hosting their command-and-control infrastructure on serverless providers such as Cloudflare and Heroku. Because the implant then talks to shared, widely used provider address ranges, the traffic blends in with legitimate use of those services and cannot simply be blocked by IP address, a common tactic within the cyber threat landscape.
Despite its limited feature set, BRICKSTORM has proven effective at evading standard security controls and maintaining persistence within targeted environments. The NVISO researchers stressed that organizations in at-risk industries should strengthen their security measures and watch for unusual or suspicious activity within their networks.
The discovery of these new Windows samples of BRICKSTORM serves as a reminder of the ever-evolving nature of cyber threats and the importance of staying ahead of adversarial tactics. Organizations must constantly reassess their security posture and conduct regular audits to detect and respond to potential threats promptly.
As cyber espionage campaigns continue to target European industries, the need for robust cybersecurity measures has never been more critical. By understanding the capabilities of tools like BRICKSTORM and implementing proactive defense strategies, organizations can better protect their sensitive data and networks from malicious actors.