The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) in releasing a Brickstorm malware analysis report.
This joint report warns that People’s Republic of China (PRC) state-sponsored threat actors are using Brickstorm malware to maintain long-term persistence on victims’ systems. This activity has been observed primarily against government services and facilities and against information technology sector organizations. The report also provides indicators of compromise (IoCs) and detection signatures based on analysis of 8 Brickstorm samples.
Brickstorm malware is a sophisticated backdoor for Linux (specifically VMware vCenter servers), VMkernel (VMware ESXi), and Windows environments. PRC state-sponsored threat actors have been observed targeting VMware vSphere platforms. Once vCenter is compromised, the actors can use that access to steal cloned virtual machine (VM) snapshots for credential extraction and to create rogue VMs that are hidden from the vCenter management console.
We urge organizations to use the IoCs and detection signatures in this malware analysis report to identify Brickstorm malware samples.
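As an added example (not part of the joint report or the Cyber Centre’s guidance), the following Python reconciles the VMs registered on an ESXi host, as listed by `vim-cmd vmsvc/getallvms`, against a vCenter inventory export, flagging any VM the host knows about but vCenter does not; both inventories and the host output text are constructed for this example, and the assumed column layout is noted in the code.

```python
"""Reconcile ESXi host VM registrations against the vCenter inventory.

Rogue VMs hidden from the vCenter console still have to be registered on an
ESXi host, so a VM the host lists but vCenter does not is worth investigating.
Assumption: `vim-cmd vmsvc/getallvms` prints one VM per line as
  Vmid  Name  [datastore] path/to/vm.vmx  GuestOS  Version  Annotation
and the .vmx path is the stable key (names can be reused or changed).
"""
import re

# Constructed sample of `vim-cmd vmsvc/getallvms` output from one ESXi host.
HOST_GETALLVMS = """\
Vmid   Name        File                               Guest OS                 Version   Annotation
1      web-01      [datastore1] web-01/web-01.vmx     ubuntu64Guest            vmx-19
2      dc-01       [datastore1] dc-01/dc-01.vmx       windows2019srv_64Guest   vmx-19
7      .svc-cache  [datastore2] .svc-cache/x.vmx      otherLinux64Guest        vmx-19
"""

# Constructed vCenter inventory export: VM name -> .vmx path as vCenter reports it.
VCENTER_INVENTORY = {
    "web-01": "[datastore1] web-01/web-01.vmx",
    "dc-01": "[datastore1] dc-01/dc-01.vmx",
}

# Vmid, Name, then the bracketed datastore plus the .vmx path.
GETALLVMS_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\[[^\]]+\]\s+\S+\.vmx)")


def parse_getallvms(text):
    """Return {vmx_path: (vmid, name)} for every VM the host has registered."""
    vms = {}
    for line in text.splitlines():
        m = GETALLVMS_LINE.match(line)
        if m:  # the header line and blank lines do not match
            vmid, name, vmx = m.groups()
            vms[vmx] = (int(vmid), name)
    return vms


def find_unmanaged_vms(host_text, vcenter_inventory):
    """VMs registered on the host whose .vmx path is absent from vCenter."""
    known = set(vcenter_inventory.values())
    host_vms = parse_getallvms(host_text)
    return sorted((name, vmx) for vmx, (_, name) in host_vms.items() if vmx not in known)


if __name__ == "__main__":
    for name, vmx in find_unmanaged_vms(HOST_GETALLVMS, VCENTER_INVENTORY):
        print(f"VM registered on host but not in vCenter inventory: {name} ({vmx})")
```

Run the same comparison for every host in the cluster; a legitimate VM that was only recently registered or that is mid-migration can also appear here, so treat hits as leads to verify rather than as confirmed compromise.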
Read the full joint publication: Malware analysis report – Brickstorm Backdoor