---
title: "BRICKSTORM Backdoor: China-Linked Malware Targets VMware & Windows Systems"
short_title: "BRICKSTORM backdoor targets VMware systems"
description: "CISA, NSA, and Cyber Centre warn of BRICKSTORM, a stealthy China-linked backdoor targeting VMware vSphere and Windows. Learn detection, mitigation, and IOCs to protect critical infrastructure."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Malware]
tags: [brickstorm, malware, vmware, china-apt, backdoor]
score: 0.87
cve_ids: []
---

## TL;DR

The BRICKSTORM backdoor, attributed to China-state-sponsored cyber actors, is targeting VMware vSphere and Windows environments for long-term persistence and data exfiltration. CISA, NSA, and the Canadian Cyber Centre have released IOCs, YARA rules, and Sigma rules to help organizations detect and mitigate this threat. Victims include government and IT sectors, with attackers leveraging stolen credentials and rogue VMs for lateral movement.

---

## Introduction

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) have issued a joint advisory warning of BRICKSTORM, a sophisticated backdoor malware linked to People’s Republic of China (PRC) state-sponsored cyber actors. This malware is designed for long-term persistence in victim systems, primarily targeting VMware vSphere (vCenter servers and ESXi) and Windows environments.

BRICKSTORM enables threat actors to maintain stealthy access, exfiltrate data, and move laterally within compromised networks. Victim organizations span government services and information technology (IT) sectors, with evidence of exploitation dating back to April 2024. This article explores the malware’s capabilities, delivery methods, detection techniques, and mitigation strategies.

---

## Key Points

- Attribution: BRICKSTORM is linked to PRC state-sponsored cyber actors, with victims primarily in government and IT sectors.
- Targeted Systems: VMware vSphere (vCenter and ESXi) and Windows environments.
- Capabilities: Long-term persistence, command and control (C2) communication, lateral movement, and data exfiltration.
- Detection: CISA has released YARA and Sigma rules to identify BRICKSTORM samples and activity.
- Mitigation: Upgrade VMware systems, harden configurations, and monitor for suspicious activity.

---

## Technical Details

#### Malware Overview
BRICKSTORM is a Go-based backdoor compiled in Executable and Linkable Format (ELF) for Linux and Windows. It employs multiple layers of encryption (HTTPS, WebSockets, nested TLS) to conceal C2 communications. The malware also uses DNS-over-HTTPS (DoH) to blend malicious traffic with legitimate queries, making detection challenging.

#### Delivery and Exploitation
At a victim organization, PRC cyber actors gained initial access via a web shell on a DMZ web server. They then:
1. Moved laterally using Remote Desktop Protocol (RDP) and Server Message Block (SMB).
2. Compromised domain controllers and Active Directory Federation Services (ADFS) servers.
3. Exfiltrated cryptographic keys and Active Directory databases (`ntds.dit`).
4. Deployed BRICKSTORM on VMware vCenter servers to maintain persistence.

#### Persistence Mechanisms
BRICKSTORM ensures persistence through:
- Self-watching functions that reinstall or restart the malware if disrupted.
- Modification of system `init` files to execute during bootup.
- Environment variable manipulation to prioritize malicious binaries.

#### Command and Control (C2)
BRICKSTORM establishes secure C2 channels using:
- HTTPS and WebSockets with nested TLS encryption.
- Multiplexing (via `smux` and `Yamux` libraries) to conceal multiple commands within a single encrypted stream.
- SOCKS proxies for lateral movement and tunneling.

#### Sample Analysis
CISA analyzed eight BRICKSTORM samples, revealing variations in functionality:
- Samples 1-6: Target VMware vSphere environments, using DoH for C2 resolution.
- Samples 7-8: Designed for virtualized environments, leveraging VSOCK interfaces for inter-VM communication and persistence.

---

## Impact Assessment

BRICKSTORM poses a significant threat to organizations due to its:
- Stealthy persistence: Evades detection through encryption and legitimate traffic mimicry.
- Lateral movement capabilities: Enables compromise of additional systems via SOCKS proxies.
- Data exfiltration: Facilitates theft of sensitive information, including credentials and cryptographic keys.
- Targeting of critical infrastructure: Government and IT sectors are primary victims, with potential for widespread disruption.

---

## Detection

CISA has released YARA and Sigma rules to detect BRICKSTORM activity:

#### YARA Rules
Two YARA rules are provided to identify BRICKSTORM samples based on unique strings and code patterns. These rules target:
- Environment variable checks and persistence mechanisms.
- C2 communication patterns, including DoH queries and WebSocket connections.

#### Sigma Rule
The Sigma rule detects BRICKSTORM-related activity in vCenter logs, including:
- Cloning or destroying VMs.
- Suspicious API calls (e.g., `/rest/com/vmware/cis/session`).
- Unauthorized file modifications (e.g., `/etc/sysconfig/init`).
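As an added illustration (not the advisory's Sigma rule and not code from CISA), the following Python scans constructed, simplified vCenter-style log lines for the three event classes listed above. The log format, account names, and IP addresses are assumptions made for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed, simplified vCenter-style log lines (format and accounts are
# assumptions for this example, not real captures).
SAMPLE_LOGS = """\
2025-01-20T08:01:10Z info vpxd [VpxLRO] -- BEGIN lro-101 -- vm-42 -- vim.VirtualMachine.clone -- user=CORP\\svc-backup
2025-01-20T08:02:44Z info vpxd [VpxLRO] -- BEGIN lro-102 -- vm-42 -- vim.VirtualMachine.reconfigure -- user=CORP\\jdoe
2025-01-20T08:05:01Z info rhttpproxy POST /rest/com/vmware/cis/session 200 client=10.0.5.23
2025-01-20T08:05:02Z info rhttpproxy GET /ui/login 200 client=10.0.5.23
2025-01-20T08:07:30Z info vpxd [VpxLRO] -- BEGIN lro-103 -- vm-77 -- vim.VirtualMachine.destroy -- user=CORP\\svc-backup
2025-01-20T08:09:12Z notice audit path=/etc/sysconfig/init op=write uid=0 exe=/usr/bin/vi
2025-01-20T08:09:13Z notice audit path=/var/log/vmware/vpxd/vpxd.log op=write uid=1000 exe=/usr/lib/vmware-vpx/vpxd
"""

# One regex per event class from the Sigma rule summary: VM clone/destroy,
# calls to the CIS session API, and writes to the init file used for persistence.
RULES = {
    "vm_clone_or_destroy": re.compile(r"vim\.VirtualMachine\.(clone|destroy)\b"),
    "cis_session_api": re.compile(r"\b(GET|POST|DELETE)\s/rest/com/vmware/cis/session\b"),
    "init_file_modified": re.compile(r"path=/etc/sysconfig/init\b.*\bop=(write|create|rename)\b"),
}


@dataclass
class Hit:
    rule: str
    timestamp: str
    line: str


def scan(log_text: str) -> list[Hit]:
    """Return every line matching a rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        timestamp = line.split(" ", 1)[0]
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append(Hit(name, timestamp, line))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per rule for a quick triage view."""
    return dict(Counter(h.rule for h in hits))


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"[{hit.rule}] {hit.timestamp} {hit.line}")
    print(summarize(scan(SAMPLE_LOGS)))
```

Clone and destroy operations are routine for backup and automation accounts, so baseline the accounts and source addresses that normally perform them before treating a hit as an incident; a root write to `/etc/sysconfig/init` outside a maintenance window should be investigated on its own.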

#### Additional Resources
- Google Mandiant’s TTP-based hunt guidance and YARA rules: [Link](https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign).
- NVISO’s analysis of Windows-based BRICKSTORM variants: [Link](https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor).
- CrowdStrike’s VirtualGHOST script to identify unregistered VMware VMs: [Link](https://github.com/CrowdStrike/VirtualGHOST).

---

## Mitigation Steps

CISA, NSA, and Cyber Centre recommend the following mitigations:

1. Upgrade VMware vSphere to the latest version to patch known vulnerabilities.
2. Harden VMware environments using [VMware’s security guidelines](https://github.com/vmware/vcf-security-and-compliance-guidelines).
3. Monitor network edge devices for suspicious activity, particularly DoH traffic and unauthorized RDP/SMB connections.
4. Disable RDP and SMB from the DMZ to internal networks.
5. Apply the principle of least privilege to service accounts and monitor for unusual activity.
6. Block unauthorized DoH providers to reduce unmonitored communications.
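Step 6 (block unauthorized DoH providers) pairs naturally with a detection for DoH that slips past the block, since the malware uses DoH to resolve its C2. This added Python example, not taken from the advisory, scans constructed proxy-log lines and flags DoH to any resolver outside an assumed allowlist, escalating when the source is an assumed vCenter/ESXi management subnet. The public resolver hostnames are ordinary examples of DoH endpoints, not indicators from the page.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example: the organisation sanctions exactly one DoH
# resolver (placeholder hostname), and the vCenter/ESXi management subnet
# should never originate DoH at all.
ALLOWED_DOH_HOSTS = {"doh.corp.example"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# DoH indicators: the RFC 8484 media type, the common JSON API media type,
# and the conventional /dns-query path.
DOH_MEDIA_TYPES = {"application/dns-message", "application/dns-json"}

# Constructed proxy log lines: time, client, method, URL, status, content-type.
SAMPLE_PROXY_LOG = """\
2025-01-20T08:05:00Z 10.0.5.23 POST https://cloudflare-dns.com/dns-query 200 application/dns-message
2025-01-20T08:05:01Z 10.0.5.23 GET https://dns.google/resolve?name=example.com&type=A 200 application/dns-json
2025-01-20T08:05:05Z 10.1.7.40 POST https://doh.corp.example/dns-query 200 application/dns-message
2025-01-20T08:05:07Z 10.1.7.42 POST https://dns.quad9.net/dns-query 200 application/dns-message
2025-01-20T08:05:09Z 10.1.7.41 GET https://www.example.com/index.html 200 text/html
"""


def is_doh(url: str, content_type: str) -> bool:
    """True if the request looks like DNS-over-HTTPS by media type or path."""
    return content_type in DOH_MEDIA_TYPES or urlsplit(url).path == "/dns-query"


def classify(line: str):
    """Return (severity, client, host) for unauthorized DoH, else None."""
    _ts, client, _method, url, _status, ctype = line.split()
    if not is_doh(url, ctype):
        return None
    host = urlsplit(url).hostname
    if host in ALLOWED_DOH_HOSTS:
        return None
    src = ipaddress.ip_address(client)
    # DoH from the management subnet is the higher-confidence signal.
    severity = "high" if any(src in net for net in MANAGEMENT_NETS) else "medium"
    return (severity, client, host)


def find_unauthorized_doh(log_text: str) -> list[tuple[str, str, str]]:
    """Scan a whole log and return every unauthorized DoH finding in order."""
    return [c for c in (classify(l) for l in log_text.splitlines()) if c]


if __name__ == "__main__":
    for finding in find_unauthorized_doh(SAMPLE_PROXY_LOG):
        print(finding)
```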

---

## Conclusion

The BRICKSTORM backdoor represents a highly sophisticated threat from PRC state-sponsored actors, targeting VMware and Windows environments for espionage and data exfiltration. Organizations must prioritize detection and mitigation using the provided IOCs, YARA rules, and Sigma rules. By upgrading systems, hardening configurations, and monitoring for suspicious activity, defenders can reduce the risk of compromise and limit the impact of this stealthy malware.

---

## References

- CISA. "[Malware Analysis Report: BRICKSTORM Backdoor](https://www.cisa.gov/news-events/analysis-reports/ar25-338a)". Retrieved 2025-01-24.
- Google Cloud Blog. "[Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors](https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign)". Retrieved 2025-01-24.
- NVISO. "[NVISO Analyzes BRICKSTORM Espionage Backdoor](https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor)". Retrieved 2025-01-24.