Designed to work in virtualized environments
The CISA, NSA, and Canadian Cyber Centre analysts note that several of the BRICKSTORM samples are virtualization-aware and create a virtual socket (VSOCK) interface that allows inter-VM communication and data exfiltration.
The malware also checks its environment upon execution to ensure it is running as a child process and from a specific path. This is part of a set of self-monitoring capabilities that ensure its persistence by reinstalling and executing itself if it detects that something is not running correctly.
The malware mimics web server functionality for its command-and-control (C2) communication to blend in with legitimate traffic. It also provides a SOCKS5 proxy that attackers use to tunnel traffic during lateral movement operations.
In terms of features, BRICKSTORM allows threat actors to browse the file system and execute shell commands, giving them full control over the compromised system.
“Once the secure connection to the C2 domain is established, Sample 1 uses a custom Go package wssoft2 to manage incoming network connections and to process commands it receives,” the CISA analysts said. “Commands are directed to one of three handlers based on the function it needs: SOCKS Handler, Web Service Handler, and Command Handler.”
Mitigations
The joint advisory includes indicators of compromise for the analyzed samples as well as YARA and Sigma detection rules. The agencies also make the following recommendations:
