NVISO has uncovered a Windows variant of the BRICKSTORM malware attributed to the Chinese group UNC5221, indicating its use in a discreet espionage campaign since at least 2022. The malware targets European industries to steal industrial secrets and is built for stealth. The analysis shows that BRICKSTORM now exists for both Windows and Linux environments and uses several techniques to evade detection, including hiding its traffic inside legitimate cloud services and encrypting its communications. The Windows executables give operators file-management and network-tunneling capabilities, and the malware resolves its command-and-control servers over DNS over HTTPS (DoH), which blinds monitoring that relies on seeing classic port-53 DNS traffic.
"The BRICKSTORM family resolves its Command & Control servers through DoH (DNS over HTTPS), hindering most network monitoring solutions."
"The two newly identified BRICKSTORM executables provide attackers with file manager and network tunneling capabilities, allowing adversaries to browse the file system and create/delete features."
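The DoH resolution quoted above is the detection-relevant point: if the implant never issues a classic UDP/53 query, DNS-based blocklists and passive DNS logs see nothing. The following is an added example (not NVISO's code or anything from the BRICKSTORM samples) of two hunting heuristics over network telemetry: connections to well-known public DoH resolvers, and outbound connections to destinations for which no prior DNS answer was observed from that host. The resolver list, the record layout and all log records below are constructed assumptions for the example.

```python
"""Hunting heuristics for DoH-based C2 resolution over network telemetry.

Added example, not NVISO's or BRICKSTORM's code. The resolver list and
every record below are constructed for illustration; swap in your own
flow/DNS logs (e.g. Zeek conn/ssl/dns) in production.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed list of well-known public DoH endpoints (hostnames seen as TLS SNI
# and anycast IPs that also answer DoH on /dns-query). Extend per environment.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


@dataclass
class Flow:
    src: str                      # internal host
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    sni: Optional[str] = None     # TLS SNI if a TLS sensor records it
    content_type: Optional[str] = None  # only present when TLS is inspected


@dataclass
class DnsAnswer:
    src: str        # host that issued the classic DNS query
    name: str
    answer_ip: str


def build_resolved_index(answers: List[DnsAnswer]) -> Dict[str, Set[str]]:
    """Map each host to the IPs it resolved through observable (port-53) DNS."""
    index: Dict[str, Set[str]] = {}
    for a in answers:
        index.setdefault(a.src, set()).add(a.answer_ip)
    return index


def classify_flow(flow: Flow, resolved: Dict[str, Set[str]]) -> List[str]:
    """Return the list of heuristic reasons that fire for one flow."""
    reasons: List[str] = []
    # 1. TLS to a known DoH resolver by SNI or destination IP.
    if flow.dst_port == 443 and (flow.sni in DOH_HOSTS or flow.dst_ip in DOH_IPS):
        reasons.append("known_doh_resolver")
    # 2. DoH wire format is only visible if the proxy decrypts TLS (RFC 8484 MIME type).
    if flow.content_type == "application/dns-message":
        reasons.append("dns_message_mime")
    # 3. Non-DNS connection to an IP this host never resolved over classic DNS.
    #    Resolver IPs are excluded: they are contacted by address by design.
    if (flow.dst_port != 53
            and flow.dst_ip not in resolved.get(flow.src, set())
            and flow.dst_ip not in DOH_IPS):
        reasons.append("no_prior_dns_lookup")
    return reasons


def analyze(flows: List[Flow], answers: List[DnsAnswer]) -> List[dict]:
    """Two-pass analysis: find DoH users first, then raise severity for their
    DNS-less connections, which is the pattern a DoH-resolving implant leaves."""
    resolved = build_resolved_index(answers)
    per_flow = [(f, classify_flow(f, resolved)) for f in flows]
    doh_users = {f.src for f, r in per_flow
                 if "known_doh_resolver" in r or "dns_message_mime" in r}
    findings = []
    for f, reasons in per_flow:
        if not reasons:
            continue
        high = "no_prior_dns_lookup" in reasons and f.src in doh_users
        findings.append({"src": f.src, "dst_ip": f.dst_ip, "dst_port": f.dst_port,
                         "reasons": reasons, "severity": "high" if high else "medium"})
    return findings


# Constructed sample telemetry (documentation-range IPs, not real infrastructure).
SAMPLE_ANSWERS = [DnsAnswer("10.0.0.5", "update.example.com", "203.0.113.10")]
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, sni="update.example.com"),  # resolved via DNS: benign
    Flow("10.0.0.9", "1.1.1.1", 443, sni="cloudflare-dns.com"),       # talks to a DoH resolver
    Flow("10.0.0.9", "198.51.100.7", 443),                            # no DNS seen for this IP
    Flow("10.0.0.5", "8.8.8.8", 53, proto="udp"),                     # classic DNS, ignored
]


def sample_findings() -> List[dict]:
    return analyze(SAMPLE_FLOWS, SAMPLE_ANSWERS)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Treat this as a hunting query rather than an alert: browsers and recent Windows builds can use DoH legitimately, CDN and cached answers produce connections with no matching lookup in the collection window, and hosts that resolve through a path your sensor does not see will all trip the third heuristic. Baseline which hosts and processes are expected to use DoH, and weight the "high" finding on hosts where DoH traffic is new.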