Detect Brickstorm Malware
Against a backdrop of rising geopolitical tension, the threat is intensified by APTs. State-funded actors are increasingly targeting critical infrastructure, financial systems and government networks through zero-day exploits, spear phishing and advanced malware.
China continues to dominate the APT landscape, with groups from China, North Korea, Iran and Russia showing increasing sophistication and adaptability in 2024, as the Trellix CyberThreat Report states. These actors are among the most active worldwide and use cyber operations to advance their geopolitical goals. Cyber espionage has come to the fore, with campaigns becoming more targeted, more covert and technically more advanced.
The recently discovered Brickstorm malware campaign illustrates this progression, using a highly developed, multi-stage approach to infiltrate organizations in the legal sector. Its techniques underline the growing precision of modern espionage operations and the urgent need for defenders to anticipate and counter such threats.
Register for the SOC Prime Platform to access the latest CTI and curated Sigma rules addressing Brickstorm malware attacks. Press the Explore Detections button below to reach a relevant detection stack that is compatible with multiple SIEM, EDR and Data Lake solutions, aligned with MITRE ATT&CK and enriched with actionable CTI.
Cyber defenders looking for content updates to detect Brickstorm malware can browse the Threat Detection Marketplace using the “Brickstorm” tag, or use the “APT” tag to explore a broader collection of detections against state-sponsored actors.
To streamline threat investigation, security engineers can use Uncoder AI, an IDE and co-pilot for detection engineering, now enhanced with a new AI chat bot mode and MCP tools. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, generate detection code from raw threat reports, build Attack Flow diagrams, enable ATT&CK tag predictions, apply AI-driven query optimization and translate identif
UNC5221: A Deep Dive into a Sophisticated China-Linked Threat Actor
A highly sophisticated threat actor designated UNC5221 and linked to the People’s Republic of China (PRC) has been actively targeting organizations with advanced security measures, focusing on intellectual property and espionage. The actor demonstrates a remarkable ability to exploit legitimate credentials, leverage zero-day vulnerabilities and maintain persistence within compromised networks. This report details UNC5221’s tactics, techniques and procedures (TTPs), based on recent observations and analyses, and highlights the importance of proactive defense strategies.
Initial Access and Lateral Movement
UNC5221 frequently gains initial access using valid login credentials, often obtained from compromised password stores or discovered in PowerShell scripts. The attackers have been observed establishing SSH connections with these legitimate credentials. Notably, they use access points such as the ESXi web interface and VAMI (the VMware Appliance Management Interface) to deploy their malware, specifically Brickstorm, before compromising further systems.
Once inside a network, UNC5221 employs lateral movement techniques to expand its reach. This includes using valid credentials to access VMware environments and establishing persistence through modifications to system startup files such as init.d, rc.local and systemd unit files. They also leverage web shells, specifically a variant known as “slaystyle” (alias Beeflush), to execute operating system commands via HTTP requests. This allows for remote control and further exploitation of the compromised environment.
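The startup-file persistence described above is something a defender can audit mechanically. The following script is an added example (not code from this page or from the report it summarizes): it parses systemd unit files for Exec* directives and rc.local/init.d scripts for absolute-path command lines, and flags any boot-time program that is not launched from a distribution-managed directory. The startup files it runs over are constructed samples, and the names in them (such as `vami-helper.service` and `/opt/.cache/helper`) are invented for illustration, not indicators from the campaign.

```python
"""Audit Linux boot-time startup entries for programs launched from
non-standard locations. Added example (not code from the page or from the
report it summarizes); the startup files below are constructed samples."""
import shlex
from typing import Dict, List, Tuple

# Directories a distribution-managed service is normally launched from.
TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/lib/", "/usr/libexec/", "/lib/")
# Locations where a boot-time program should never live.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# systemd directives whose value is a command line.
EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecReload")


def program_path(command: str) -> str:
    """Return the program of a command line, minus systemd's '-', '@', '+',
    '!' and ':' prefixes (e.g. '-/opt/x/y -p 1' -> '/opt/x/y')."""
    try:
        tokens = shlex.split(command)
    except ValueError:          # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    return tokens[0].lstrip("-@+!:") if tokens else ""


def boot_programs(path: str, content: str) -> List[str]:
    """Programs a startup file launches: Exec* values for systemd units,
    absolute-path command lines for rc.local and init.d shell scripts."""
    programs = []
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if path.endswith(".service"):
            key, sep, value = line.partition("=")
            # 'ExecStart=' with an empty value only resets the list; ignore it.
            if sep and key.strip() in EXEC_KEYS and value.strip():
                programs.append(program_path(value))
        else:
            prog = program_path(line)
            if prog.startswith("/"):   # skips shell syntax such as 'case ... in'
                programs.append(prog)
    return programs


def classify(program: str) -> str:
    """'suspect' for temp/home dirs, 'trusted' for packaged locations,
    otherwise 'unusual' (e.g. /opt or hidden directories)."""
    if program.startswith(SUSPECT_DIRS):
        return "suspect"
    if program.startswith(TRUSTED_BIN_DIRS):
        return "trusted"
    return "unusual"


def audit_startup_entries(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (file, program, verdict) for every boot-time program that is
    not launched from a trusted directory."""
    findings = []
    for path, content in files.items():
        for prog in boot_programs(path, content):
            verdict = classify(prog)
            if verdict != "trusted":
                findings.append((path, prog, verdict))
    return findings


# Constructed sample: one benign unit and three entries that warrant a look.
SAMPLE_FILES = {
    "/etc/systemd/system/sshd.service":
        "[Service]\nExecStart=/usr/sbin/sshd -D $OPTIONS\n"
        "ExecReload=/bin/kill -HUP $MAINPID\n",
    "/etc/systemd/system/vami-helper.service":   # constructed name
        "[Unit]\nDescription=appliance helper\n[Service]\n"
        "ExecStart=-/opt/.cache/helper -p 8443\n",
    "/etc/rc.local":
        "#!/bin/sh -e\n/usr/bin/logger boot\n/var/tmp/.s/sysmon &\nexit 0\n",
    "/etc/init.d/netcheck":
        '#!/bin/sh\ncase "$1" in\n  start)\n    /dev/shm/.nc -d\n    ;;\nesac\n',
}

if __name__ == "__main__":
    for path, prog, verdict in audit_startup_entries(SAMPLE_FILES):
        print(f"{verdict:8} {path}: {prog}")
```

On a live host the dictionary would be filled by reading the real files (and, for ESXi, its own rc.local.d scripts); comparing today's findings with a baseline taken at deployment time is what turns this into an actual persistence check, since a legitimate appliance component under /opt will show up as "unusual" every time.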
Targeting of Credentials and Sensitive Data
A key component of UNC5221’s strategy is targeting the email accounts of key personnel. They abuse Microsoft Entra ID enterprise application permissions, specifically the mail.read and full_access_as_app scopes, to gain access to entire mailboxes. Targets include developers, system administrators and individuals connected to the actor’s economic or espionage objectives. This access allows them to harvest credentials, identify valuable data and map the internal network.
For data exfiltration, UNC5221 uses Brickstorm’s SOCKS proxy to tunnel traffic and mask its activity. The actor then logs into internal code repositories with stolen credentials to download archives, or browses sensitive data directly via UNC paths. While Brickstorm is sometimes removed after data theft, forensic analysis of backups often reveals its prior presence, indicating a deliberate and phased approach.
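Because the mailbox access described above rides on application permissions rather than on a user's session, the tenant-side control is to know which service principals hold them. The script below is an added example, not code from this page or any vendor: it takes Microsoft Graph-shaped records of service principals with their appRoleAssignments and of the resource service principals with their appRoles, resolves each assignment's role id to its readable permission name, and reports every app outside an approved set that holds a mailbox-wide permission. The records are constructed, and the ids in them are placeholders rather than real GUIDs; Mail.ReadWrite and Mail.Send are added to the two scopes the text names because they reach the same mailboxes.

```python
"""Flag Entra ID service principals holding mailbox-wide application
permissions. Added example, not code from the page or from any vendor; the
Graph-shaped records below are constructed and their ids are placeholders.
Assumes the caller has exported servicePrincipals with their
appRoleAssignments and the resource service principals' appRoles."""
from typing import Dict, Iterable, List, Set

# App-only permissions that reach every mailbox in the tenant. mail.read and
# full_access_as_app are the two the report names; Mail.ReadWrite and
# Mail.Send are their obvious siblings. Compared case-insensitively.
MAILBOX_WIDE = {"mail.read", "mail.readwrite", "mail.send", "full_access_as_app"}


def index_app_roles(resources: Iterable[dict]) -> Dict[str, Dict[str, str]]:
    """resource service principal id -> {appRoleId: permission value}.
    An assignment carries only the role id; the readable name lives on the
    resource's appRoles list, so resolve it instead of hard-coding GUIDs."""
    return {r["id"]: {role["id"]: role["value"] for role in r.get("appRoles", [])}
            for r in resources}


def find_mailbox_wide_grants(service_principals: Iterable[dict],
                             resources: Iterable[dict],
                             approved_app_ids: Set[str] = frozenset()) -> List[dict]:
    """One finding per (app, permission) for apps outside the approved set
    that hold a mailbox-wide application permission."""
    resources = list(resources)
    roles = index_app_roles(resources)
    names = {r["id"]: r.get("displayName", r["id"]) for r in resources}
    findings = []
    for sp in service_principals:
        if sp.get("appId") in approved_app_ids:
            continue
        for grant in sp.get("appRoleAssignments", []):
            value = roles.get(grant["resourceId"], {}).get(grant["appRoleId"])
            if value and value.lower() in MAILBOX_WIDE:
                findings.append({
                    "app": sp.get("displayName", "?"),
                    "appId": sp.get("appId"),
                    "resource": names.get(grant["resourceId"], grant["resourceId"]),
                    "permission": value,
                    # consent time: a fresh grant on an old app is worth a look
                    "granted": grant.get("createdDateTime", "unknown"),
                })
    return findings


# Constructed resource service principals (ids are placeholders, not GUIDs).
RESOURCES = [
    {"id": "res-graph", "displayName": "Microsoft Graph",
     "appRoles": [{"id": "role-0001", "value": "Mail.Read"},
                  {"id": "role-0002", "value": "User.Read.All"}]},
    {"id": "res-exo", "displayName": "Office 365 Exchange Online",
     "appRoles": [{"id": "role-0003", "value": "full_access_as_app"}]},
]
# Constructed tenant apps: one with directory-only access, one holding two
# mailbox-wide grants consented within a minute of each other.
SERVICE_PRINCIPALS = [
    {"displayName": "HR Sync", "appId": "app-aaaa", "appRoleAssignments": [
        {"resourceId": "res-graph", "appRoleId": "role-0002",
         "createdDateTime": "2023-02-01T08:00:00Z"}]},
    {"displayName": "Backup Helper", "appId": "app-bbbb", "appRoleAssignments": [
        {"resourceId": "res-graph", "appRoleId": "role-0001",
         "createdDateTime": "2024-11-05T09:12:00Z"},
        {"resourceId": "res-exo", "appRoleId": "role-0003",
         "createdDateTime": "2024-11-05T09:13:00Z"}]},
]

if __name__ == "__main__":
    for f in find_mailbox_wide_grants(SERVICE_PRINCIPALS, RESOURCES):
        print(f"{f['app']} ({f['appId']}) holds {f['permission']} on "
              f"{f['resource']}, granted {f['granted']}")
```

Run against a real export, the approved set is the list of apps whose mailbox access was reviewed and signed off; anything else in the output is either an undocumented integration or a grant an intruder added, and the consent timestamp tells you which to investigate first.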
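One consequence of tunnelling through a proxy that runs on a compromised vCenter or ESXi host is that downstream systems see the appliance's address as the client. The script below is an added example (not code from this page or any vendor) built on that assumption, which the page itself does not spell out: it parses repository authentication logs and reports every successful login whose source address belongs to an infrastructure appliance, since such appliances have no legitimate reason to clone, archive or browse code. The appliance inventory and the log lines are constructed, with RFC 1918 placeholder addresses and a key=value log shape chosen for the example.

```python
"""Flag code-repository logins whose source is an infrastructure appliance.
Added example, not from the page or any vendor. Assumption (not stated on the
page): with a SOCKS proxy running on a compromised vCenter or ESXi host, the
repository server sees the appliance's address as the client, and such
appliances never perform repository logins legitimately.
Inventory and log lines below are constructed."""
import ipaddress
import re
from typing import List, Optional

# Constructed appliance inventory: name -> management address or range.
APPLIANCES = {
    "vcenter-01": ipaddress.ip_network("10.20.0.10/32"),
    "esxi-mgmt": ipaddress.ip_network("10.20.1.0/24"),
}

# Constructed repository auth log in a key=value shape.
SAMPLE_LOG = """\
2024-11-05T10:01:12Z auth ok user=jdoe src=10.30.4.15 method=token action=clone repo=platform/core
2024-11-05T10:03:44Z auth ok user=svc-backup src=10.20.0.10 method=password action=archive repo=platform/core
2024-11-05T10:04:02Z auth ok user=admin2 src=10.20.1.57 method=password action=browse repo=legal/contracts
2024-11-05T10:09:31Z auth fail user=jdoe src=10.30.4.15 method=password action=login
2024-11-05T10:11:07Z auth ok user=jdoe src=10.30.4.15 method=password action=login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"method=(?P<method>\S+) action=(?P<action>\S+)(?: repo=(?P<repo>\S+))?$"
)


def appliance_for(ip_text: str, appliances=APPLIANCES) -> Optional[str]:
    """Name of the appliance owning this address, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # malformed src field: not attributable
        return None
    for name, net in appliances.items():
        if ip in net:
            return name
    return None


def find_appliance_sourced_logins(log_text: str, appliances=APPLIANCES) -> List[dict]:
    """Successful repository authentications whose client address belongs to
    an infrastructure appliance. Each finding names the appliance, the account
    used (a candidate stolen credential) and what was done with it."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # unparseable line: skip, do not guess
        rec = m.groupdict()
        if rec["result"] != "ok":
            continue                       # failed attempts are a separate signal
        name = appliance_for(rec["src"], appliances)
        if name:
            findings.append({"ts": rec["ts"], "user": rec["user"], "src": rec["src"],
                             "appliance": name, "action": rec["action"],
                             "repo": rec["repo"] or "-"})
    return findings


if __name__ == "__main__":
    for f in find_appliance_sourced_logins(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} from {f['appliance']} ({f['src']}): "
              f"{f['action']} {f['repo']}")
```

The same join works for any internal service that keeps client addresses (file shares reached over UNC paths, internal wikis, build systems): the inventory of management appliances is the allowlist of sources that must never appear, and each hit gives you both an account to reset and a host to image.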
Brickstorm: A Key Tool in the UNC5221 Arsenal
Brickstorm is a custom malware suite used extensively by UNC5221. It provides a range of capabilities, including:
* SOCKS Proxy: Enables tunneling and obfuscation of network traffic.
* Credential Harvesting: Facilitates the theft of usernames and passwords.
* Remote Access: Allows attackers to control compromised systems.
* Data Exfiltration: Supports the transfer of stolen data.
The use of Brickstorm underscores the advanced nature of this operation and the actor’s commitment to developing and deploying custom tools.
Implications and Mitigation Strategies
UNC5221 represents a significant threat due to its advanced capabilities, targeted approach, and connection to a nation-state actor. Their ability to exploit zero-day vulnerabilities and leverage legitimate credentials makes detection and prevention notably challenging.
Organizations should prioritize the following mitigation strategies:
* Strong Authentication: Implement multi-factor authentication (MFA) for all critical systems and accounts.
* Credential Monitoring: Continuously monitor for compromised credentials and enforce strong password policies.
* Network Segmentation: Isolate critical systems and data to limit the impact of a breach.
* Regular Security Audits: Conduct regular security assessments to identify and address vulnerabilities.
* Threat Intelligence: Leverage threat intelligence feeds, such as those provided by SOC Prime, to stay informed about the latest TTPs and indicators of compromise (IOCs).
* Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and respond to malicious activity on endpoints.
* Zero Trust Architecture: Implement a Zero Trust security model to verify every user and device before granting access to resources.
Key Takeaways
* UNC5221 is a sophisticated threat actor linked to the PRC.
* They prioritize gaining access through legitimate credentials and exploiting vulnerabilities.
* Brickstorm is a key malware suite used for tunneling, credential harvesting, and data exfiltration.
* Proactive defense strategies, including strong authentication, credential monitoring, and threat intelligence, are crucial for mitigating the risk posed by this actor.
The UNC5221 campaign highlights the evolving threat landscape and the need for organizations to adopt a proactive and layered security approach. Continuous monitoring, threat