Designed to work in virtualized environments
The CISA, NSA, and Canadian Cyber Center analysts note that some of the BRICKSTORM samples are virtualization-aware: they create a virtual socket (VSOCK) interface that enables inter-VM communication and data exfiltration.
The malware also checks the environment upon execution to ensure it’s running as a child process and from a specific path. This is part of a set of self-monitoring capabilities that ensure its persistence by reinstalling and executing itself if it detects something is not running correctly.
The malware mimics web server functionality for its command-and-control (C2) communication to blend in with legitimate traffic. It also provides a SOCKS5 proxy for attackers to tunnel traffic during lateral movement operations.
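The SOCKS5 proxy capability described above is the part of this behaviour a defender can recognise on the wire, because the proxy handshake (RFC 1928) has a fixed shape that does not look like HTTP. The following is an added example, not code from the advisory or from the analysed samples: a small parser for the SOCKS5 client greeting and CONNECT/BIND/UDP request messages, applied to a few constructed flow records to flag SOCKS5 handshakes arriving on ports where only HTTP(S) is expected. The flow tuples, addresses and port list are assumptions made up for the example.

```python
import struct
import ipaddress
from typing import List, Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}

# Ports on which a SOCKS5 handshake is unexpected (assumption for this example).
WEB_PORTS = {80, 443, 8080, 8443}


def parse_socks5_greeting(data: bytes) -> Optional[List[int]]:
    """Return the offered auth methods if `data` is a well-formed SOCKS5 client
    greeting (VER, NMETHODS, METHODS...), otherwise None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_socks5_request(data: bytes) -> Optional[dict]:
    """Parse a SOCKS5 request (VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT) per
    RFC 1928 section 4. Returns a dict or None if the bytes are malformed."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:  # IPv4: 4-byte address
        if len(data) != 10:
            return None
        host, port_off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03:  # domain name: 1-byte length prefix
        if len(data) < 5:
            return None
        n = data[4]
        if len(data) != 5 + n + 2:
            return None
        host, port_off = data[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 0x04:  # IPv6: 16-byte address
        if len(data) != 22:
            return None
        host, port_off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    (port,) = struct.unpack("!H", data[port_off:port_off + 2])
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port}


def flag_socks_on_web_port(flows) -> List[str]:
    """flows: iterable of (src, dst, dst_port, first_payload_bytes).
    Returns one alert string per flow whose first payload is a SOCKS5
    greeting or request on a port reserved for web traffic."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport not in WEB_PORTS:
            continue
        methods = parse_socks5_greeting(payload)
        if methods is not None:
            alerts.append(f"{src}->{dst}:{dport} SOCKS5 greeting (methods={methods}) on web port")
            continue
        req = parse_socks5_request(payload)
        if req is not None:
            alerts.append(f"{src}->{dst}:{dport} SOCKS5 {req['cmd']} to "
                          f"{req['host']}:{req['port']} on web port")
    return alerts


# Constructed sample flows (not real traffic): two SOCKS5 messages on 443,
# one ordinary HTTP request on 443, one SOCKS5 greeting on the usual 1080.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, b"\x05\x01\x00"),
    ("10.0.0.5", "203.0.113.10", 443, b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"),
    ("10.0.0.7", "203.0.113.10", 443, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.8", "203.0.113.20", 1080, b"\x05\x01\x00"),
]

if __name__ == "__main__":
    for line in flag_socks_on_web_port(SAMPLE_FLOWS):
        print(line)
```

The check only fires where the payload is visible, so it belongs at a point after TLS termination (a forward proxy, a sandbox capture, or decrypted traffic from a test environment); a handshake carried inside an established TLS session to the C2 domain will not be seen by a passive sensor. The parser rejects messages whose length does not match the declared address type, which keeps a stray binary that happens to start with 0x05 from raising an alert.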
In terms of features, BRICKSTORM allows threat actors to browse the file system and execute shell commands, providing them with complete control over the compromised system.
“Once the secure connection to the C2 domain is established, Sample 1 uses a custom Go package wssoft2 to manage incoming network connections and to process commands it receives,” the CISA analysts said. “Commands are directed to one of three handlers based on the function it needs: SOCKS Handler, Web Service Handler, and Command Handler.”
Mitigations
The joint advisory includes indicators of compromise for the analyzed samples as well as YARA and Sigma detection rules. The agencies also make the following recommendations: