The Cybersecurity and Infrastructure Security Agency (CISA) is warning that China-sponsored threat actors are using Brickstorm malware to achieve long-term persistence in critical infrastructure networks.
Brickstorm is a custom Go-based backdoor, delivered as an Executable and Linkable Format (ELF) binary, that allows attackers to maintain stealthy access and provides capabilities for initiation, persistence, and secure command and control (C2).
It initiates by running checks and maintains persistence through a self-watching function that automatically reinstalls or restarts the backdoor if it is disrupted.
For C2, Brickstorm uses multiple layers of encryption – HTTPS, WebSockets and nested Transport Layer Security (TLS) – to hide its communications with the cyber actors’ C2 server.
CISA warned it also uses DNS-over-HTTPS (DoH) and mimics web server functionality to blend its communications with legitimate traffic.
For remote system control, it gives cyber actors interactive shell access on the system and allows them to…