The China-linked threat actor UNC5221 has launched a large-scale espionage campaign using new versions of the Brickstorm malware. Since the end of 2022, European companies operating in strategic industries have regularly been among its targets. Previously the trojan was limited to attacks on vCenter Linux servers, but Windows versions now exist with expanded capabilities for evading detection and for covert command and control.
According to analysis by specialists at NVISO, the Windows variant of Brickstorm is written in Go 1.13.5 and is notable for lacking a direct command-execution function. Instead, the attackers use a traffic-tunneling module that lets them reach RDP and SMB services with stolen credentials. This approach helps evade detection tools that track parent-child process relationships.
Brickstorm's file-management system is built on an HTTP API with a JSON structure through which the attackers can download, upload and modify files. The tunneling module supports TCP, UDP and ICMP, which lets them move deeper into the victim's infrastructure. The latest versions introduce an iPaddrs parameter, a list of hardcoded IP addresses that keeps the malware working even when DNS-over-HTTPS is blocked.
Early versions of the malware relied entirely on DoH resolution through the Quad9 and Cloudflare services, embedding DNS queries in HTTPS POST requests. This allowed them to bypass traditional DNS traffic monitoring. New samples switch flexibly between DoH and direct IP addressing, adapting to network conditions.
Brickstorm hides its traffic behind a three-layer architecture with nested TLS connections. The outer layer consists of legitimate HTTPS sessions to serverless platforms such as Cloudflare Workers and Heroku, with valid certificates. The middle layer upgrades the connection to WebSocket and adds a second TLS layer authenticated with a static key. The inner layer uses the HashiCorp yamux library to multiplex C2 activity, including tunneling and file theft.
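The two network behaviours described above (DoH resolution through public resolvers, and an HTTPS session to a serverless front end that is upgraded to WebSocket) are visible at a web proxy even though the inner TLS layer is not. The following is an added detection example, not code from NVISO or from the article: it parses a constructed key="value" proxy log format (an assumption), flags each of the two behaviours with simple heuristics, and then correlates them per source address. The DoH hostnames are the real public endpoints of Quad9 and Cloudflare; the `.workers.dev` and `.herokuapp.com` hostname in the sample log is constructed.

```python
"""Defender-side heuristics for the DoH + WebSocket-over-serverless pattern.

Added example, not from the NVISO report or the article. The proxy log
format (space-separated key="value" pairs) is an assumption; the sample
lines below are constructed for illustration.
"""
import re

# Public DoH resolver endpoints of the two services named in the article.
DOH_HOSTS = {"dns.quad9.net", "cloudflare-dns.com", "one.one.one.one",
             "1.1.1.1", "9.9.9.9"}

# Serverless / PaaS front ends named as the outer layer. Suffix match.
SERVERLESS_SUFFIXES = (".workers.dev", ".herokuapp.com")

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample proxy log: one client does DoH and a WebSocket upgrade
# to a serverless host; another only uses DoH (as a browser might).
SAMPLE_LOG = """\
ts="2024-01-01T10:00:01Z" src="10.0.5.21" host="dns.quad9.net" path="/dns-query" method="POST" content_type="application/dns-message" upgrade=""
ts="2024-01-01T10:00:02Z" src="10.0.5.21" host="example-app.workers.dev" path="/" method="GET" content_type="" upgrade="websocket"
ts="2024-01-01T10:00:03Z" src="10.0.5.40" host="www.example.com" path="/index.html" method="GET" content_type="" upgrade=""
ts="2024-01-01T10:00:04Z" src="10.0.5.40" host="cloudflare-dns.com" path="/dns-query" method="GET" content_type="" upgrade=""
""".splitlines()


def parse_line(line):
    """Parse one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def classify(ev):
    """Return the heuristic tags matched by one event; empty list if none."""
    reasons = []
    host = ev.get("host", "").lower()
    method = ev.get("method", "").upper()
    ctype = ev.get("content_type", "").lower()
    upgrade = ev.get("upgrade", "").lower()

    # DoH to a known public resolver, or the standard /dns-query path.
    if host in DOH_HOSTS or ev.get("path", "").startswith("/dns-query"):
        reasons.append("doh-resolver")
    # DNS query carried in an HTTPS POST body (the article's early variant).
    if method == "POST" and ctype == "application/dns-message":
        reasons.append("dns-message-post")
    # Outer layer: HTTPS to a serverless host upgraded to WebSocket.
    if upgrade == "websocket" and host.endswith(SERVERLESS_SUFFIXES):
        reasons.append("websocket-to-serverless")
    return reasons


def scan(lines):
    """Aggregate heuristic tags per source address across a log batch."""
    hits = {}
    for line in lines:
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            hits.setdefault(ev.get("src", "?"), set()).update(reasons)
    return hits


def layered_tunnel_candidates(lines):
    """Sources showing both DoH and a WebSocket upgrade to a serverless host.

    DoH alone is common in browsers; the combination is the signal.
    """
    return sorted(src for src, tags in scan(lines).items()
                  if "doh-resolver" in tags and "websocket-to-serverless" in tags)


if __name__ == "__main__":
    for src, tags in sorted(scan(SAMPLE_LOG).items()):
        print(src, sorted(tags))
    print("candidates:", layered_tunnel_candidates(SAMPLE_LOG))
```

The per-source correlation matters more than either rule alone: DoH to Quad9 or Cloudflare is ordinary browser behaviour, and WebSocket sessions to serverless hosts are common in web applications, so either tag by itself would drown an analyst in noise. Since the trojan has no command-execution function and proxies RDP and SMB through the tunnel, process-tree rules on the endpoint will not see it, which is why the network side is the practical pivot.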
Even if the outer HTTPS traffic is intercepted, the main control channel remains encrypted and hidden. Analysts also recorded leaks of IP addresses from Brickstorm's intermediate infrastructure during technical work. Among them were VPS addresses hosted on