Newly identified versions of the BrickStorm backdoor used in the MITRE hack in early 2024 are targeting Windows environments, cybersecurity firm Nviso warns.
To hack MITRE, a Chinese APT tracked as UNC5221 exploited two zero-day vulnerabilities in an Ivanti Connect Secure VPN as early as December 31, 2023, following up with fingerprinting on January 4, 2024, and with lateral movement and malware deployment over the next few days.
The hackers deployed the Linux version of the BrickStorm backdoor on VMware vCenter hosts, along with the BeeFlush and WireFire web shells, and exfiltrated data two weeks later, using the BushWalk web shell. The intrusion was discovered in April 2024.
A fresh Nviso technical analysis (PDF) shows that UNC5221 has been targeting European organizations with Windows variants of BrickStorm since at least 2022.
The low-noise backdoor enables attackers to browse the file system, manipulate files and folders, and tunnel network connections, while evading detection by using DoH (DNS over HTTPS) to resolve command-and-control (C&C) servers.
Nviso discovered two samples of BrickStorm for Windows, written in Go and employing scheduled tasks for persistent execution. They lack support for command execution, but combine network tunneling with stolen credentials to abuse RDP and SMB for similar capabilities.
For file manipulation, the backdoor uses an HTTP API with support for file download, upload, rename, and delete actions. It also enables attackers to create and delete folders, as well as to list their content.
The Windows variants of BrickStorm support TCP, UDP and ICMP relaying for network tunneling, and have been deployed on domain-joined devices using stolen credentials.
The backdoor’s C&C communication is performed over a single, multiplexed connection, which allows it to perform multiple concurrent activities. HashiCorp’s Yamux library is used to establish the encrypted connection.
Public cloud services such as Cloudflare Workers and Heroku applications are used to hide the infrastructure, while the abuse of Cloudflare, Google, NextDNS, and Quad9 for domain name resolution circumvents regular network-level DNS monitoring.
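Because the backdoor resolves its C&C names through public DoH providers, traditional DNS logging never sees the queries; what a defender can still observe is HTTPS egress to the resolvers themselves. The script below is an added illustration of that check, not code from Nviso or from the BrickStorm samples: it scans constructed forward-proxy log lines for connections to well-known public DoH endpoints of the four providers the article names, and for the RFC 8484 `/dns-query` path regardless of host, so an unlisted resolver still surfaces. The endpoint list, the log format and the choice to treat every hit as worth triage are assumptions; browsers such as Firefox can also use DoH, so hits need review against expected client behaviour rather than automatic blocking.

```python
"""Flag HTTPS egress to public DoH resolvers in forward-proxy logs.

Added example (not Nviso's code, not from the BrickStorm samples).
Assumptions: the log format below is constructed for this example, and the
resolver list is illustrative (well-known public DoH endpoints), not exhaustive.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Well-known public DoH hostnames of the providers named in the article
# (assumption: illustrative list, matched on exact host or any subdomain).
DOH_HOSTS = {
    "cloudflare-dns.com", "one.one.one.one",   # Cloudflare
    "dns.google",                              # Google
    "dns.nextdns.io",                          # NextDNS
    "dns.quad9.net",                           # Quad9
}
# Well-known resolver IPs used when a client connects by address, not name.
DOH_IPS = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112",
)}

# Constructed log format: <timestamp> <src_ip> <dst_host_or_ip> <dst_port> <method> <path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)$"
)


def _is_doh_host(dst: str) -> bool:
    """True if the destination is a listed resolver IP or hostname (or subdomain)."""
    host = dst.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host) in DOH_IPS
    except ValueError:
        pass  # not an IP literal, fall through to hostname matching
    return any(host == h or host.endswith("." + h) for h in DOH_HOSTS)


def _is_doh_path(path: str) -> bool:
    """True for the RFC 8484 DoH path, independent of which host serves it."""
    return path.split("?", 1)[0] == "/dns-query"


def classify_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None if it is benign or unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons: List[str] = []
    if _is_doh_host(m["dst"]):
        reasons.append("known-doh-resolver")
    if _is_doh_path(m["path"]):
        reasons.append("rfc8484-dns-query-path")
    if not reasons:
        return None
    return {"src": m["src"], "dst": m["dst"], "path": m["path"], "reasons": reasons}


def find_doh_egress(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and collect every DoH-related finding, in input order."""
    return [hit for hit in (classify_line(ln) for ln in lines) if hit]


# Constructed sample lines: three resolver hits, one unlisted host on the DoH
# path, one ordinary web request, and one malformed line that must be skipped.
SAMPLE_LOG = [
    "2024-01-04T10:00:00Z 10.0.5.21 cloudflare-dns.com 443 POST /dns-query",
    "2024-01-04T10:00:01Z 10.0.5.21 1.1.1.1 443 POST /dns-query",
    "2024-01-04T10:00:02Z 10.0.5.22 www.example.com 443 GET /",
    "2024-01-04T10:00:03Z 10.0.5.23 dns.google 443 GET /resolve?name=example.com&type=A",
    "2024-01-04T10:00:04Z 10.0.5.24 internal.corp.example 443 POST /dns-query",
    "garbage line with no structure",
]

if __name__ == "__main__":
    for hit in find_doh_egress(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}{hit['path']}  [{', '.join(hit['reasons'])}]")
```

The path check is what catches a resolver not on the list: an attacker-chosen DoH front on a cloud service still has to speak RFC 8484 somewhere, and `/dns-query` is its default. Pair the host list with whatever resolver inventory your proxy or TLS inspection already knows, and add the Cloudflare Workers and Heroku domains the article mentions to the same egress review if they are not expected in your environment.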
“Although BrickStorm’s file manager and network tunneling functionality could be considered basic, their effectiveness remains undoubted. These recent discoveries of several years-old adversary capabilities, alongside evidence of infrastructure maintenance, highlight the need for at-risk industries to bolster their security posture and continuously audit their environment for rare/uncommon activity,” Nviso notes.