Chinese Hackers Exploit Backdoor to Spy on European Businesses

A Chinese cyber espionage tool initially made for intrusion into Linux systems has been used to spy on European organizations via Windows.
On April 15, European cybersecurity company NVISO published a report with new findings on BRICKSTORM, a backdoor linked to the China-nexus cluster UNC5221 previously believed to target Linux vCenter servers.
In the report, NVISO researchers shared that they discovered two new BRICKSTORM samples affecting Windows environments.
These new samples have been used as part of an active espionage campaign targeting European industries since at least 2022.
BRICKSTORM Windows Samples’ Capabilities
The two new BRICKSTORM samples are Windows executables written in Go. They provide attackers with file management and network tunneling capabilities, allowing them to move laterally and evade detection.
They differ slightly from the Linux-focused BRICKSTORM samples analyzed by Mandiant in April 2024 in that the Windows samples lack command execution capabilities.
Instead, the attackers have been observed combining the malware’s network tunneling capabilities with valid credentials to exploit common protocols like Remote Desktop Protocol (RDP) and Server Message Block (SMB), effectively achieving similar command execution goals.
The malware uses DNS over HTTPS (DoH) to resolve command-and-control (C2) servers and persistence mechanisms such as scheduled tasks to maintain execution.
These features provide effective means to bypass standard security controls such as DNS monitoring and geo-blocking at the network level.
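Because DoH moves name resolution out of the channel that conventional DNS monitoring watches, one place defenders can still catch it is the HTTP layer. The following script is an added illustration, not code from NVISO's report: it scans constructed web-proxy/EDR log lines for DoH requests (the RFC 8484 `/dns-query` wire format or the JSON `/resolve` API) made by processes that are not on a site-specific allow list of browsers, which is the kind of "rare or uncommon activity" audit the researchers recommend. Hostnames, process names and the log format are all assumptions.

```python
"""Flag DNS-over-HTTPS (DoH) use by unexpected processes in proxy or EDR logs.
The log format and all sample values are constructed for this example."""
import json
from collections import defaultdict

# Markers that identify a DoH request: RFC 8484 wire format or the JSON API.
DOH_PATHS = ("/dns-query", "/resolve")
DOH_TYPES = ("application/dns-message", "application/dns-json")
# Processes expected to use DoH in this environment; anything else is reported.
# This list is site-specific and is an assumption here.
EXPECTED_DOH_PROCS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample log (one JSON event per line).
SAMPLE_LOGS = """\
{"host": "WS01", "proc": "msedge.exe", "dst": "dns.google", "path": "/dns-query", "ctype": "application/dns-message"}
{"host": "WS01", "proc": "outlook.exe", "dst": "mail.example.net", "path": "/owa", "ctype": "text/html"}
{"host": "SRV02", "proc": "svcupdate.exe", "dst": "cloudflare-dns.com", "path": "/dns-query", "ctype": "application/dns-message"}
{"host": "SRV02", "proc": "svcupdate.exe", "dst": "dns.google", "path": "/resolve?name=example.org&type=A", "ctype": "application/dns-json"}
{"host": "SRV02", "proc": "svcupdate.exe", "dst": "app.example.net", "path": "/", "ctype": "application/octet-stream"}
"""


def is_doh(event):
    """True if the request path or content type marks it as DoH."""
    path = event.get("path", "").split("?", 1)[0]
    return path in DOH_PATHS or event.get("ctype", "") in DOH_TYPES


def find_unexpected_doh(log_text):
    """Return {(host, process): {"requests": n, "resolvers": set}} for DoH
    requests issued by processes that are not on the expected list."""
    findings = defaultdict(lambda: {"requests": 0, "resolvers": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_doh(event) or event["proc"].lower() in EXPECTED_DOH_PROCS:
            continue
        key = (event["host"], event["proc"])
        findings[key]["requests"] += 1
        findings[key]["resolvers"].add(event["dst"])
    return dict(findings)


if __name__ == "__main__":
    for (host, proc), info in find_unexpected_doh(SAMPLE_LOGS).items():
        print(f"{host} {proc}: {info['requests']} DoH requests via "
              f"{sorted(info['resolvers'])}")
```

Unexpected DoH is a lead, not proof; the next step is to pull the flagged binary and its persistence (for example scheduled tasks on that host) for review.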
For C2, BRICKSTORM’s observed configurations exclusively relied on serverless providers such as Cloudflare or Heroku, allowing the threat actor to obfuscate BRICKSTORM’s infrastructure due to the shared and distributed nature of the provider’s IP addresses. The usage of such serverless providers is common within the threat landscape.
Although arguably basic, BRICKSTORM’s functionalities are very effective, the researchers noted.
“These recent discoveries of several year-old adversary capabilities, alongside evidence of infrastructure maintenance, highlight the need for at-risk industries to bolster their security posture and continuously audit their environment for rare or uncommon activity,” they added.