Brickstorm Malware

Brickstorm Malware — Detailed Overview and Detection Guide

What Is Brickstorm?

Brickstorm is a stealthy backdoor used by China-linked advanced persistent threat (APT) groups, specifically Warp Panda and UNC5221, to maintain long-term control over critical infrastructure systems. It primarily targets VMware vCenter servers and VMware ESXi hosts, the components organizations rely on to manage their virtualized environments.

Once deployed, Brickstorm allows attackers to remain hidden inside these systems, conducting espionage, data theft, and credential harvesting. The malware is specifically designed to evade traditional security measures, making it extremely difficult to detect for months or even years. This makes it a major threat to national security and businesses that rely on VMware technologies for managing their virtual infrastructure.

Why Is Brickstorm Dangerous?

There are several reasons why Brickstorm is considered a highly dangerous malware:

  • Persistence: Once installed, it can remain in the system for months or even years without being detected.
  • Stealth: Brickstorm hides its presence by masquerading as legitimate system processes, making it hard for security tools to identify it.
  • Advanced Evasion: It encrypts its communication using methods like DNS-over-HTTPS (DoH) to blend in with normal network traffic, further evading detection.
  • High-Privilege Access: Once inside, it gives attackers full control over virtual machines and critical infrastructure systems, allowing them to do anything from exfiltrating sensitive data to installing additional malware.

Main Features of Brickstorm

  • Targets VMware Infrastructure: The malware specifically targets vCenter (management server) and ESXi (hypervisor) systems that control virtual environments.
  • Stealthy Operation: It avoids detection by using encrypted communications and by masquerading as legitimate system services.
  • Long-Term Access: Once in, Brickstorm allows attackers to maintain long-term access to the compromised systems, exfiltrating data and stealing credentials as they see fit.
  • Advanced Reconnaissance: It can move laterally through the network, gain access to privileged accounts, and deploy additional backdoors.

How Brickstorm Works — Step by Step

  1. Initial Access
    • Attackers begin by exploiting exposed systems such as web servers, VPN appliances, or other internet-facing devices.
    • Common methods include using stolen or guessed credentials, exploiting vulnerabilities, or taking advantage of web shells (backdoors left behind by previous attacks).
  2. Lateral Movement
    • Once inside the network, attackers look for privileged systems like Domain Controllers (which manage users and credentials) and VMware vCenter (which manages the virtual machines).
    • Attackers typically use tools like RDP (Remote Desktop Protocol) and SSH, along with stolen service account credentials, to move through the network.
  3. Implanting Brickstorm
    • On key systems like vCenter, attackers deploy the Brickstorm backdoor. It hides itself by:
      • Masquerading as legitimate system services (appearing as normal processes).
      • Editing boot configurations to ensure the malware starts automatically on reboot.
      • Reinstalling itself if someone tries to remove it.
  4. Establishing Secret Communication
    • Brickstorm uses encrypted channels to communicate with external command-and-control servers, including WebSockets carried over HTTPS and DNS-over-HTTPS (DoH), so that its traffic blends in with normal web traffic and is harder for network monitoring tools to spot.
  5. Full Backdoor Access
    • After installation, Brickstorm provides attackers with:
      • Interactive shell access (remote control console).
      • File upload and download abilities to exfiltrate sensitive data.
      • SOCKS proxy services, which allow attackers to pivot and move deeper into the network.
      • Credential harvesting by taking VM snapshots and extracting stored credentials.
      • The ability to spin up rogue virtual machines to mask their activities and maintain access.

What Makes Brickstorm Special

  • Targets Infrastructure, Not Just Endpoints: Unlike typical malware that targets individual computers, Brickstorm focuses on the core systems that manage large parts of an organization’s digital infrastructure. This makes it much more dangerous as it can affect many systems at once.
  • Long-Term Persistence: Brickstorm has been known to remain undetected for over a year in some cases. It doesn’t just infect a machine and disappear—it silently remains for months or even years, providing attackers with continuous access.
  • Camouflaged Communications: The malware hides its communication with its command-and-control servers by using encryption and legitimate web traffic protocols. This allows it to blend in with normal network traffic, which makes it difficult to detect by traditional monitoring systems.
  • Advanced Evasion: Even if someone tries to remove it, Brickstorm can restart itself and reinstate its services, making it hard to fully eradicate. It mimics legitimate system processes to avoid detection by security tools.

Who Is Behind Brickstorm?

Brickstorm is linked to China-sponsored threat groups, specifically Warp Panda and UNC5221. These groups are known for their long-term espionage campaigns. Unlike cybercriminals who seek quick financial gain, these attackers are interested in strategic data collection and long-term access to networks and systems.

Victims of Brickstorm include:

  • Government agencies
  • Information technology companies
  • Legal, SaaS, and manufacturing firms
  • Organizations across North America and Asia-Pacific

The goal is to maintain access to critical systems for espionage—to steal data, harvest credentials, and monitor communications—rather than short-term profit.

Indicators of Compromise (IOCs) for Brickstorm

Here are key IOCs that can help identify Brickstorm activity on your network:

File Hashes (SHA256)

These are fingerprints of known malicious files associated with Brickstorm:

  • 40992f53effc60f5e7edea632c48736ded9a2ca59fb4924eb6af0a078b74d557
  • 40db68331cb52dd3ffa0698144d1e6919779ff432e280c058e41f7b93cec042
  • 88db1d63dbd18469136bf9980858eb5fc0d4e41902bf3e4a8e08d7b6896654ed
  • 9a0e1b7a5f7793a8a5a62748b7aa4786d35fc38de607fb3bb8583ea2f7974806

Suspicious Network IPs

These IP addresses are linked to Brickstorm’s command-and-control servers:

  • 208.83.233[.]14
  • 149.28.120[.]31

Network Traffic Indicators

  • DNS-over-HTTPS (DoH) queries to suspicious domains.
  • Outbound WebSocket traffic over HTTPS that doesn’t match normal traffic patterns.
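The IOCs above are only useful once they are turned into something that can be run against your own data. The following Python script is an added example, not code from the post or from Aegiron: it takes the hashes and C2 addresses exactly as published above, validates that each hash is actually a usable SHA-256 digest (the second hash on the list is printed with 63 hex characters, so it can never match a file and is reported as malformed rather than silently searched for), refangs the bracketed IPs, sweeps a directory for files matching the hash list, and scans a connection log for sessions to the C2 addresses. The directory contents, the connection log and its column layout (timestamp, source IP, source port, destination IP, destination port, protocol) are constructed for the demo; the hit in the file sweep comes from a planted sample whose own digest is added to the watch list, since no real Brickstorm binary is included.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# IOC values copied from the post above. The second hash is published with
# 63 hex characters, so it cannot be a valid SHA-256 digest; validate_hashes()
# flags it instead of letting the sweep search for something that cannot match.
PUBLISHED_HASHES = [
    "40992f53effc60f5e7edea632c48736ded9a2ca59fb4924eb6af0a078b74d557",
    "40db68331cb52dd3ffa0698144d1e6919779ff432e280c058e41f7b93cec042",
    "88db1d63dbd18469136bf9980858eb5fc0d4e41902bf3e4a8e08d7b6896654ed",
    "9a0e1b7a5f7793a8a5a62748b7aa4786d35fc38de607fb3bb8583ea2f7974806",
]
PUBLISHED_C2_IPS = ["208.83.233[.]14", "149.28.120[.]31"]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def validate_hashes(hashes):
    """Split a published hash list into usable SHA-256 digests and malformed entries."""
    good, bad = [], []
    for h in hashes:
        h = h.strip().lower()
        (good if SHA256_RE.match(h) else bad).append(h)
    return good, bad


def refang_ip(ioc):
    """Turn a defanged indicator such as 208.83.233[.]14 back into a matchable form."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def sha256_file(path):
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_directory(root, hash_set):
    """Return (path, digest) for every regular file under root whose digest is in hash_set."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = sha256_file(path)
            if digest in hash_set:
                hits.append((str(path), digest))
    return hits


def match_c2_connections(log_lines, c2_ips):
    """Return connection-log lines whose destination is one of the (refanged) C2 IPs."""
    targets = {refang_ip(ip) for ip in c2_ips}
    hits = []
    for line in log_lines:
        parts = line.split()
        # Constructed log layout: timestamp src_ip src_port dst_ip dst_port proto
        if len(parts) >= 6 and parts[3] in targets:
            hits.append(line)
    return hits


# Constructed sample connection log; not real telemetry.
SAMPLE_CONN_LOG = [
    "2025-12-12T10:00:01Z 10.1.2.3 51234 149.28.120.31 443 tcp",
    "2025-12-12T10:00:02Z 10.1.2.4 51235 192.0.2.10 443 tcp",
    "2025-12-12T10:00:03Z 10.1.2.5 51236 208.83.233.14 443 tcp",
]


def demo():
    """Run the three checks against constructed data and return a summary dict."""
    good, bad = validate_hashes(PUBLISHED_HASHES)
    with tempfile.TemporaryDirectory() as root:
        benign = Path(root) / "benign.txt"
        benign.write_bytes(b"constructed benign file\n")
        planted = Path(root) / "planted.bin"
        planted.write_bytes(b"constructed sample standing in for a known-bad file\n")
        # The planted file's own digest joins the watch list so the sweep can
        # show a hit without a real Brickstorm sample being present.
        watch = set(good) | {sha256_file(planted)}
        hit_names = sorted(Path(p).name for p, _ in sweep_directory(root, watch))
    return {
        "valid_hashes": len(good),
        "malformed_hashes": bad,
        "file_hits": hit_names,
        "c2_connections": match_c2_connections(SAMPLE_CONN_LOG, PUBLISHED_C2_IPS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the summary; in practice, point sweep_directory() at the datastore or export path you want to check and feed match_c2_connections() your firewall or flow logs after adapting the column layout. Treat the malformed hash as a transcription problem to resolve with the original source before relying on it.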

Sigma Detection Rules for Brickstorm Malware

To help security teams identify Brickstorm activities, the following Sigma rules can be used:

Sigma Rule 1: Detecting Suspicious DNS Traffic (DoH)

This rule looks for DNS-over-HTTPS (DoH) traffic to detect Brickstorm C2 communication:

title: Detect Suspicious DNS-over-HTTPS Traffic (Brickstorm)
id: efd91c6c-41fb-423d-bff9-4c8b825b2de9
status: experimental
description: |
  Detects DNS-over-HTTPS traffic to suspicious or known bad IPs associated with Brickstorm.
author: Threat Intelligence Team
date: 2025-12-12
logsource:
  category: network
  product: network_traffic
detection:
  selection:
    protocol: dns
    dns_query:
      - "*brickstorm*"
    dns_flags:
      - "doH"
  condition: selection
fields:
  - dns_query
  - source_ip
  - destination_ip
  - destination_port
  - timestamp
falsepositives:
  - Legitimate internal DNS traffic for cloud services
level: high

Sigma Rule 2: Detecting Unusual WebSocket Communications

Detects suspicious WebSocket traffic used for C2 communication:

title: Detect Suspicious WebSocket Communication (Brickstorm)
id: 537f4a29-ded4-4b1f-bb5b-569ff029faaf
status: experimental
description: |
  Detects WebSocket traffic that is unusual for the environment, which could indicate Brickstorm C2 activity.
author: Threat Intelligence Team
date: 2025-12-12
logsource:
  category: network
  product: web
detection:
  selection:
    protocol: tcp
    destination_port: 443
    user_agent:
      - "*WebSocket*"
    tls_cipher_suite:
      - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
  condition: selection
fields:
  - source_ip
  - destination_ip
  - destination_port
  - user_agent
  - timestamp
falsepositives:
  - Legitimate internal WebSocket traffic (for real-time applications)
level: high
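To see what the two rules above actually match before loading them into a SIEM, the following Python script is an added example (not part of the post and not a Sigma converter or any Sigma project code) that transcribes both selections and evaluates them with Sigma's selection semantics: every field in a selection must match (AND), a list of values for one field matches if any value does (OR), string comparison is case-insensitive, and `*` and `?` are wildcards. The events it runs over are constructed; the domain `update.brickstorm-cdn.example` is a placeholder chosen only so the first rule has something to fire on.

```python
import fnmatch

# Selections transcribed from the two Sigma rules in the post (their logic, not mine).
RULES = {
    "Detect Suspicious DNS-over-HTTPS Traffic (Brickstorm)": {
        "protocol": "dns",
        "dns_query": ["*brickstorm*"],
        "dns_flags": ["doH"],
    },
    "Detect Suspicious WebSocket Communication (Brickstorm)": {
        "protocol": "tcp",
        "destination_port": 443,
        "user_agent": ["*WebSocket*"],
        "tls_cipher_suite": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"],
    },
}


def value_matches(pattern, value):
    """Sigma-style scalar match: case-insensitive, with '*' and '?' as wildcards."""
    if value is None:
        return False
    if isinstance(pattern, (int, float)) and not isinstance(pattern, bool):
        try:
            return float(value) == float(pattern)
        except (TypeError, ValueError):
            return False
    return fnmatch.fnmatchcase(str(value).lower(), str(pattern).lower())


def selection_matches(selection, event):
    """A selection map is AND across fields; a list of values for one field is OR."""
    for field, expected in selection.items():
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(value_matches(p, event.get(field)) for p in candidates):
            return False
    return True


def run_rules(events, rules=RULES):
    """Return (rule_title, event_id) for every event that satisfies a rule's selection."""
    hits = []
    for event in events:
        for title, selection in rules.items():
            if selection_matches(selection, event):
                hits.append((title, event["id"]))
    return hits


# Constructed events, not real telemetry; hosts and domains are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "protocol": "dns", "dns_query": "update.brickstorm-cdn.example",
     "dns_flags": "DoH", "source_ip": "10.1.2.3", "destination_ip": "149.28.120.31"},
    {"id": 2, "protocol": "dns", "dns_query": "www.example.com",
     "dns_flags": "DoH", "source_ip": "10.1.2.3", "destination_ip": "192.0.2.53"},
    {"id": 3, "protocol": "tcp", "destination_port": 443,
     "user_agent": "Mozilla/5.0 WebSocket-Client",
     "tls_cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "source_ip": "10.1.2.4"},
    {"id": 4, "protocol": "tcp", "destination_port": 8443, "user_agent": "WebSocket",
     "tls_cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "source_ip": "10.1.2.5"},
    {"id": 5, "protocol": "tcp", "destination_port": 443, "user_agent": "curl/8.0",
     "tls_cipher_suite": "TLS_AES_256_GCM_SHA384", "source_ip": "10.1.2.6"},
]


if __name__ == "__main__":
    for title, event_id in run_rules(SAMPLE_EVENTS):
        print(f"event {event_id}: {title}")
```

Two things the run makes visible. The DoH rule only fires when the queried name literally contains "brickstorm" (event 1 matches, event 2 with the same DoH flag does not), so the `dns_query` list has to be replaced with the resolver names and C2 addresses you actually want to watch, such as the destination IPs in the IOC section, before the rule detects anything real. The WebSocket rule keys on a single, very common cipher suite plus a user-agent substring, so event 3 matches while event 4 (same traits, port 8443) and event 5 do not; expect it to need allow-listing of the legitimate real-time applications the falsepositives entry mentions.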

What Should You Do if You Detect Brickstorm?

  1. Disconnect Affected Systems: Immediately isolate the compromised vCenter and ESXi hosts from the network.
  2. Review Logs and Systems: Analyze logs for unusual activities such as unauthorized VM creation, WebSocket connections, and suspicious DNS traffic.
  3. Change Credentials: Reset all privileged credentials for VMware systems and other core infrastructure.
  4. Apply Security Patches: Ensure that all VMware software is fully updated to mitigate known vulnerabilities.
  5. Conduct a Full Network Scan: Perform a comprehensive scan to ensure no other devices or systems are compromised.

In Summary

Brickstorm is a highly sophisticated malware that targets VMware infrastructures for long-term espionage. It hides in the background, communicates secretly, and gives attackers control over virtualized environments. By monitoring network traffic, logs, and using detection tools like Sigma rules, you can identify signs of this malware and protect your organization.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.