BRICKSTORM Malware: A Sophisticated Threat to VMware ESXi and Windows Systems
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security have jointly issued a critical advisory concerning a new malware campaign known as BRICKSTORM. This advanced backdoor, attributed to state-sponsored cyber actors from the People’s Republic of China (PRC), is engineered to establish persistent access within government and information technology networks, specifically targeting VMware vSphere and Windows environments.
Understanding BRICKSTORM
BRICKSTORM is a custom backdoor developed using the Go programming language, designed to infiltrate and maintain control over virtualized infrastructures. Its primary targets include VMware vCenter servers and ESXi hosts, enabling attackers to manipulate virtual machines (VMs) directly.
Advanced Command-and-Control Mechanisms
The malware employs sophisticated command-and-control (C2) techniques to evade detection:
– DNS-over-HTTPS (DoH): BRICKSTORM resolves malicious domains through legitimate public resolvers like Cloudflare and Google, blending its traffic with normal network activity.
– Encrypted Communication: After identifying a C2 server, the malware establishes a standard HTTPS connection, which is then upgraded to a WebSocket connection with additional layers of Transport Layer Security (TLS) encryption.
– Multiplexing: Utilizing libraries such as smux or Yamux, BRICKSTORM can run multiple data streams, including interactive shells and file transfers, within a single encrypted connection.
Documented Incident
A notable incident highlighted in the advisory details how PRC actors maintained access to a victim’s network from April 2024 through at least September 2025. The attack sequence was as follows:
1. Initial Compromise: Attackers infiltrated a web server located in the organization’s Demilitarized Zone (DMZ).
2. Lateral Movement: They moved laterally to internal domain controllers and an Active Directory Federation Services (ADFS) server.
3. Deployment of BRICKSTORM: The malware was deployed on a VMware vCenter server, allowing attackers to:
– Steal VM Snapshots: Extract credentials and sensitive data.
– Create Rogue VMs: Operate unauthorized virtual machines alongside legitimate ones, remaining undetected.
4. Compromise of ADFS Server: Attackers exported cryptographic keys, potentially enabling the forging of authentication tokens.
Key Capabilities of BRICKSTORM
BRICKSTORM possesses several advanced features that enhance its effectiveness:
– Self-Preservation: Incorporates a self-watcher function that automatically reinstalls the malware if its process is terminated or disrupted.
– Protocol Tunneling: Implements SOCKS proxies to tunnel traffic via TCP, UDP, and ICMP, facilitating stealthy lateral movement across segmented networks.
– Virtualization Targeting: Certain variants utilize Virtual Socket (VSOCK) interfaces for inter-VM communication, allowing data exfiltration without detection by standard network monitoring tools.
Recommendations for Organizations
CISA and its partners strongly advise organizations, especially those in government and critical infrastructure sectors, to take immediate action:
1. Upgrade VMware vSphere Servers: Ensure servers are updated to the latest versions to mitigate vulnerabilities.
2. Restrict Network Connectivity: Limit connections from edge devices to internal resources to reduce potential attack vectors.
3. Block Unauthorized DoH Traffic: Prevent the malware from resolving its C2 infrastructure by blocking unauthorized DNS-over-HTTPS traffic.
4. Monitor Service Accounts: Increase surveillance on service accounts, which were heavily exploited during observed attacks.
Additionally, since BRICKSTORM modifies system initialization files (e.g., /etc/sysconfig/init) to survive reboots, organizations should supplement standard forensic scans with disk-based analysis to detect these static persistence mechanisms.
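The DoH resolution described under the C2 section and the third recommendation above can be checked against egress proxy logs. The following is an added example, not code from the advisory: it assumes a constructed proxy log format, a constructed list of well-known public DoH endpoints, and a hypothetical allow-list of internal forwarders that are permitted to speak DoH, and it flags everything else that looks like DoH by destination, RFC 8484 path, or media type.

```python
import re

# Well-known public DoH resolvers (constructed starting list; extend from your own inventory).
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}
# Hypothetical internal forwarders that are allowed to speak DoH to the Internet.
APPROVED_DOH_CLIENTS = {"10.0.0.53"}

# Constructed proxy log format: <timestamp> <client_ip> <method> <url> ct=<content-type or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"https://(?P<host>[^/:\s]+)(?::\d+)?(?P<path>/\S*)? ct=(?P<ctype>\S+)$"
)

def doh_indicators(host, path, ctype):
    """Return why a request looks like DoH: a known public resolver, the RFC 8484
    /dns-query path, or the application/dns-message media type (empty if none)."""
    reasons = []
    if host in DOH_HOSTS:
        reasons.append("known public DoH resolver")
    if path.startswith("/dns-query"):
        reasons.append("RFC 8484 /dns-query path")
    if ctype == "application/dns-message":
        reasons.append("application/dns-message body")
    return tuple(reasons)

def detect_unauthorized_doh(lines):
    """Return (ts, src, host, reasons) for DoH-looking requests from clients that are
    not approved DoH forwarders. Lines that do not match the format are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["src"] in APPROVED_DOH_CLIENTS:
            continue
        reasons = doh_indicators(m["host"], m["path"] or "/", m["ctype"])
        if reasons:
            findings.append((m["ts"], m["src"], m["host"], reasons))
    return findings

# Constructed sample: an approved forwarder, a non-resolver host using Google DoH, plain web
# traffic, and DoH to an unlisted resolver that is recognised only by its /dns-query path.
SAMPLE_LOG = [
    "2025-09-02T10:15:01Z 10.0.0.53 POST https://cloudflare-dns.com/dns-query ct=application/dns-message",
    "2025-09-02T10:15:07Z 10.20.5.14 POST https://dns.google/dns-query ct=application/dns-message",
    "2025-09-02T10:15:09Z 10.20.5.14 GET https://example.org/index.html ct=-",
    "2025-09-02T10:15:12Z 10.20.5.14 GET https://203.0.113.7/dns-query?dns=AAABAAAB ct=-",
]

if __name__ == "__main__":
    for ts, src, host, reasons in detect_unauthorized_doh(SAMPLE_LOG):
        print(f"{ts} {src} -> {host}: {', '.join(reasons)}")
```

Hosts such as vCenter or ESXi management interfaces have no legitimate reason to appear as a source here, so any hit from them deserves a look even before the destination is confirmed as C2.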
Conclusion
The emergence of BRICKSTORM underscores the evolving sophistication of state-sponsored cyber threats. Organizations must adopt a proactive and comprehensive cybersecurity strategy to defend against such advanced persistent threats.