Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a time
Organizations, particularly those in the critical infrastructure, government services and facilities, and IT sectors, need to be wary of Brickstorm
The Cybersecurity and Infrastructure Security Agency (CISA) is warning that China-sponsored threat actors are using Brickstorm malware to achieve long-term persistence in critical infrastructure networks.
Brickstorm is a custom Go-based backdoor delivered as an Executable and Linkable Format (ELF) binary. It gives attackers stealthy access and provides capabilities for initiation, persistence, and secure command and control (C2).
It initiates by running checks and maintains persistence through a self-watching function that automatically reinstalls or restarts the backdoor if it is disrupted.
For C2, Brickstorm uses multiple layers of encryption - HTTPS, WebSockets and nested Transport Layer Security (TLS) - to hide its communications with the cyber actors’ C2 server.
CISA warned it also uses DNS-over-HTTPS (DoH) and mimics web server functionality to blend its communications with legitimate traffic.
For remote system control, it gives cyber actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files.
Meanwhile, some samples act as a SOCKS proxy, facilitating lateral movement and allowing cyber actors to compromise additional systems.
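The C2 description above (HTTPS, WebSockets and nested TLS for transport, DNS-over-HTTPS for resolution, and traffic shaped to look like a web server) suggests a defender's baseline check: a vCenter or ESXi management host has little reason to talk to a public DoH resolver or to open an outbound WebSocket session to the internet. The following hunting script is an added example, not code from CISA's advisory or from the ITPro article. The log format, the management-host addresses, the internal DNS suffix and every log line are constructed test data; the DoH resolver hostnames are real public services but the list is illustrative, not the advisory's indicators.

```python
"""Hunting heuristic for Brickstorm-style C2 in web proxy logs.

Added illustrative example, not from CISA's advisory or the ITPro article.
Flags two baseline deviations the advisory's C2 description makes relevant:
  1. DNS-over-HTTPS requests originating from a management-plane host
  2. outbound WebSocket upgrades from a management-plane host to an
     external (non-internal) destination
All hostnames, IP addresses and log lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed: management-plane hosts (e.g. a vCenter appliance and an ESXi
# host) you would normally pull from an asset inventory rather than hard-code.
MANAGEMENT_HOSTS = {"10.0.5.10", "10.0.5.11"}

# Well-known public DoH resolvers (real services; illustrative, not exhaustive).
DOH_ENDPOINTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type

# Constructed log layout: ts src_ip method host path status content_type upgrade
# ("-" marks an absent field).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})\s+(?P<ctype>\S+)\s+(?P<upgrade>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    host: str
    reason: str


def is_internal_destination(host: str) -> bool:
    """True for private IP space or the (constructed) internal DNS suffix."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.endswith(".corp.example")  # constructed internal suffix


def classify(record: dict) -> Optional[str]:
    """Return a reason string if the record deviates from the baseline."""
    if record["src"] not in MANAGEMENT_HOSTS:
        return None
    host = record["host"].lower()
    looks_like_doh = (
        host in DOH_ENDPOINTS
        or record["path"].startswith("/dns-query")
        or record["ctype"].lower() == DOH_CONTENT_TYPE
    )
    if looks_like_doh:
        return "DNS-over-HTTPS from management host"
    if record["upgrade"].lower() == "websocket" and not is_internal_destination(host):
        return "outbound WebSocket from management host to external destination"
    return None


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Parse each log line and collect findings; malformed lines are skipped."""
    findings: List[Finding] = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["ts"], rec["src"], rec["host"], reason))
    return findings


# Constructed sample log: two hits, three benign lines, one malformed line.
SAMPLE_LOG = [
    "2024-04-12T03:14:07Z 10.0.5.10 POST dns.google /dns-query 200 application/dns-message -",
    "2024-04-12T03:14:09Z 10.0.5.10 GET cdn-updates.example.net /ws 101 - websocket",
    "2024-04-12T03:15:00Z 10.0.5.11 GET vcenter.corp.example /ui/websocket 101 - websocket",
    "2024-04-12T03:16:22Z 10.0.8.44 POST cloudflare-dns.com /dns-query 200 application/dns-message -",
    "2024-04-12T03:17:05Z 10.0.5.11 GET updates.vendor.example /patches 200 text/html -",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.host}: {f.reason}")
```

Because the backdoor is built to mimic ordinary web traffic, this is a deviation-from-baseline check rather than a signature: the third sample line (a WebSocket to an internal vCenter UI) and the fourth (DoH from a workstation) are deliberately left unflagged, and positive hits should be triaged against the indicators and detection signatures in the CISA report rather than treated as confirmation on their own.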
Jon Baker, VP of threat-informed defense at AttackIQ, warned Brickstorm "excels at remaining undetected within networks".
"The malware runs continuous health checks on itself, allowing it to reinstall and restart if tampered with, ensuring its continued operation," Baker explained. "All of this comes together to create a stealthy and resilient malware that can spread across networks and remotely take over entire systems."
Brickstorm malware used to target government, IT sectors
CISA warned China-linked threat actors are using the malware strain to target VMware vSphere platforms, mainly in the government and IT sectors. Once a platform is compromised, the actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and to create hidden, rogue VMs.
CISA said it had analyzed eight Brickstorm samples obtained from victim organizations, including one where it conducted an incident response engagement.
In this case, the agency said PRC state-sponsored cyber actors gained long-term persistent access to the organization’s internal network in April 2024 and uploaded Brickstorm malware to an internal VMware vCenter server.
They also gained access to two domain controllers and an Active Directory Federation Services (ADFS) server, successfully compromised the ADFS server and exported cryptographic keys. They used Brickstorm for persistent access until at least 3 September this year.
Gabrielle Hempel, security operations strategist at Exabeam, said a key concern with Brickstorm malware is that it’s “targeting control planes and not just endpoints”, making it a potent weapon in the hands of hackers.
“You’re seeing vSphere, vCenter, and authentication infrastructure being targeted, and this is strategic: once an adversary owns your hypervisor layer, your traditional EDR, NDR, and many SIEM tools become blind to this because the attacker is no longer living in normal host or network telemetry,” Hempel commented.
The US National Security Agency (NSA) is urging organizations — particularly those within critical infrastructure, government services and facilities, and IT — to use the indicators of compromise (IOCs) and detection signatures outlined in the report to detect Brickstorm backdoor activity and promptly report any compromise.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.