Security researchers have identified a significant escalation in cyber-espionage operations using the BRICKSTORM malware. Since late 2022, the China-affiliated threat actor tracked as UNC5221 has systematically targeted European organizations in strategic industries. What began as attacks focused on vCenter Linux servers has evolved into a threat capable of infiltrating Windows enterprise networks with enhanced stealth capabilities.

Advanced Technical Architecture and Evasion Techniques

According to analysis from NVISO, the Windows variant of BRICKSTORM represents a significant advancement in malware sophistication. Key technical characteristics include:

Go-Based Development with Process Isolation

The Windows variant is written in Go 1.13.5 and takes an unusual approach to command execution. Rather than spawning commands directly, which would create detectable parent-child process relationships, BRICKSTORM provides:

  • A traffic tunneling module that relays RDP and SMB sessions using compromised credentials
  • File management through an HTTP API with a JSON structure for uploading, downloading, and modifying files
  • Support for TCP, UDP, and ICMP to facilitate deep lateral movement within compromised networks

Resilient Command and Control Infrastructure

The malware’s communication infrastructure has adapted over successive versions:

  • Early versions relied exclusively on DoH queries through Quad9 and Cloudflare, embedding DNS requests within HTTPS POST operations
  • Newer versions introduce an IPAddrs parameter, allowing operation even when DNS-over-HTTPS (DoH) is restricted
  • Current versions dynamically switch between DoH and direct IP connections based on network conditions

Three-Layer Encryption Architecture

BRICKSTORM’s most notable technical achievement is its three-layer traffic obfuscation system with nested TLS connections:

  1. Outer Layer: Legitimate HTTPS sessions to serverless platforms such as Cloudflare Workers and Heroku, protected by valid certificates
  2. Middle Layer: An upgrade of the connection to WebSocket, carrying a secondary TLS session authenticated with a static key
  3. Inner Layer: The HashiCorp Yamux library multiplexes command-and-control activity, including tunneling operations and data exfiltration, over that inner session

This multi-layered approach ensures that even if the outer HTTPS traffic is intercepted, the primary control channel remains encrypted and opaque to standard security monitoring.
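The middle layer described above gives an inspection proxy a concrete thing to look for: once the outer TLS has been terminated, the first client-to-server WebSocket frame of a nested tunnel carries a TLS ClientHello as its payload. The following script is an added example, not code from the NVISO report or from the malware; it parses an RFC 6455 frame, unmasks it, and tests whether the payload begins with a TLS handshake record. The sample frames are constructed test data, and the `build_ws_frame` helper exists only to produce them.

```python
"""Spotting a TLS handshake nested inside a WebSocket frame.

Added example, not code from the NVISO report. A nested-TLS tunnel of the
kind described above sends a TLS ClientHello as the payload of the first
client->server WebSocket frame after the HTTP Upgrade. Once an inspection
proxy has terminated the outer TLS, it can unmask that frame and test the
payload for a TLS handshake record header.
"""
import struct

WS_BINARY = 0x02            # RFC 6455 opcode for a binary data frame
TLS_HANDSHAKE = 0x16        # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01     # handshake message type: ClientHello
TLS_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}  # record-layer versions seen in the wild


def parse_ws_frame(data: bytes):
    """Parse one RFC 6455 frame; return (opcode, unmasked payload)."""
    if len(data) < 2:
        raise ValueError("frame too short")
    opcode = data[0] & 0x0F
    masked = bool(data[1] & 0x80)
    length = data[1] & 0x7F
    pos = 2
    if length == 126:                        # 16-bit extended length
        (length,) = struct.unpack_from("!H", data, pos)
        pos += 2
    elif length == 127:                      # 64-bit extended length
        (length,) = struct.unpack_from("!Q", data, pos)
        pos += 8
    key = b""
    if masked:                               # client->server frames are always masked
        key = data[pos:pos + 4]
        pos += 4
    payload = data[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, payload


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the payload starts with a TLS handshake record carrying a ClientHello."""
    if len(payload) < 6:
        return False
    ctype, version, rec_len = struct.unpack_from("!BHH", payload, 0)
    if ctype != TLS_HANDSHAKE or version not in TLS_RECORD_VERSIONS:
        return False
    if rec_len < 4:                          # too short to hold a handshake header
        return False
    return payload[5] == TLS_CLIENT_HELLO


def nested_tls_in_frame(frame: bytes) -> bool:
    """Alert condition: a binary WebSocket frame whose payload is a TLS ClientHello."""
    opcode, payload = parse_ws_frame(frame)
    return opcode == WS_BINARY and looks_like_tls_client_hello(payload)


def build_ws_frame(payload: bytes, opcode: int = WS_BINARY, mask_key: bytes = b"") -> bytes:
    """Build a frame for the constructed test data below (not a production encoder)."""
    n = len(payload)
    mask_bit = 0x80 if mask_key else 0
    header = bytes([0x80 | opcode])          # FIN set, no RSV bits
    if n < 126:
        header += bytes([mask_bit | n])
    elif n < 65536:
        header += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        header += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if mask_key:
        header += mask_key
        payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return header + payload


# Constructed sample: a minimal TLS 1.2 ClientHello (record header, handshake
# header, client version, 32-byte random) as the inner tunnel would send it.
CONSTRUCTED_CLIENT_HELLO = bytes.fromhex("1603010026" "01000022" "0303") + bytes(32)
SAMPLE_TUNNEL_FRAME = build_ws_frame(CONSTRUCTED_CLIENT_HELLO, mask_key=b"\x12\x34\x56\x78")
SAMPLE_CHAT_FRAME = build_ws_frame(b'{"msg":"hello"}', opcode=0x01, mask_key=b"\xaa\xbb\xcc\xdd")

if __name__ == "__main__":
    print("tunnel frame nested TLS:", nested_tls_in_frame(SAMPLE_TUNNEL_FRAME))  # True
    print("text frame nested TLS:", nested_tls_in_frame(SAMPLE_CHAT_FRAME))      # False
```

The check only fires on the first frame of a session, so it belongs at the point where the proxy has just completed the HTTP Upgrade; later frames carry opaque TLS records and cannot be distinguished from any other binary WebSocket traffic. Because the outer certificate is valid and the host is a serverless platform, this payload-level test is what turns a generic "WebSocket to Cloudflare Workers" event into an actionable alert.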

Infrastructure Exposure and Detection Opportunities

Despite this sophistication, researchers have documented occasional infrastructure leaks during maintenance operations, revealing VPS addresses hosted on Vultr among other infrastructure elements.

Command and control servers utilize:

  • Dynamic DNS services like “nip[.]io”
  • Exploited vulnerabilities in certificate transparency systems
  • Domains such as “ms-azure[.]azdatastore[.]work[.]ve” using Cloudflare substrate certificates
  • Regular rotation of IP addresses and certificates to maintain operational security

Defensive Recommendations

NVISO security experts recommend implementing multi-layered defensive measures:

  • Block known DoH providers in corporate environments
  • Implement TLS inspection capable of detecting nested encryption sessions
  • Deploy multi-factor authentication across critical systems
  • Monitor for anomalous SMB and RDP protocol activities
  • Watch for process launches from “CreatedUCEXplorer.exe”
  • Maintain vigilance regarding suspicious IP address connections
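Several of these recommendations, together with the indicators listed earlier on the page (DoH carried in HTTPS POSTs to Quad9 and Cloudflare, WebSocket upgrades toward serverless platforms, “nip[.]io” dynamic DNS hostnames, and process launches from “CreatedUCEXplorer.exe”), translate directly into log checks. The script below is an added example, not code from NVISO. Its JSON-lines schema (`type`, `method`, `host`, `content_type`, `upgrade`, `image`, `parent_image`) is constructed for the example and must be mapped onto your own proxy and EDR fields; the serverless domain suffixes are an assumption about platform default hostnames rather than indicators from the report, and all sample telemetry is constructed.

```python
"""Triage constructed proxy and process telemetry for the indicators listed above.

Added example, not code from NVISO. The log format is a constructed JSON-lines
schema (fields "type", "method", "host", "content_type", "upgrade", "image",
"parent_image"); map your own proxy and EDR fields onto it. The DoH hostnames
are the public Quad9 and Cloudflare resolvers; the serverless domain suffixes
are an assumption about default platform hostnames, not indicators from the report.
"""
import json

DOH_HOSTS = {"dns.quad9.net", "cloudflare-dns.com", "one.one.one.one"}
DOH_CONTENT_TYPE = "application/dns-message"              # RFC 8484 wire-format media type
SERVERLESS_SUFFIXES = (".workers.dev", ".herokuapp.com")  # assumption: platform default domains
DYNDNS_SUFFIXES = (".nip.io",)                            # dynamic DNS service named in the report
SUSPICIOUS_PARENT = "createducexplorer.exe"               # process name from the report, lowercased


def check_http(ev: dict) -> list:
    """Return finding tags for one HTTP proxy record."""
    host = ev.get("host", "").lower()
    findings = []
    # DoH carried inside an HTTPS POST: a known resolver or the DoH media type
    if ev.get("method") == "POST" and (host in DOH_HOSTS or ev.get("content_type") == DOH_CONTENT_TYPE):
        findings.append("doh_post")
    # HTTP -> WebSocket upgrade toward a serverless platform (outer layer of the tunnel)
    if ev.get("upgrade", "").lower() == "websocket" and host.endswith(SERVERLESS_SUFFIXES):
        findings.append("ws_upgrade_serverless")
    # Dynamic DNS hostnames such as <ip>.nip.io
    if host.endswith(DYNDNS_SUFFIXES):
        findings.append("dyndns_host")
    return findings


def check_process(ev: dict) -> list:
    """Return finding tags for one process-creation record."""
    parent = ev.get("parent_image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ["child_of_suspicious_parent"] if parent == SUSPICIOUS_PARENT else []


CHECKS = {"http": check_http, "process": check_process}


def triage(lines) -> dict:
    """Map line index -> findings for every line that matched at least one check."""
    hits = {}
    for idx, line in enumerate(lines):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                         # malformed telemetry is skipped, not fatal
        findings = CHECKS.get(ev.get("type"), lambda _e: [])(ev)
        if findings:
            hits[idx] = findings
    return hits


# Constructed telemetry (TEST-NET addresses, made-up hostnames and paths).
SAMPLE_EVENTS = [
    {"type": "http", "method": "POST", "host": "dns.quad9.net", "path": "/dns-query",
     "content_type": "application/dns-message"},
    {"type": "http", "method": "GET", "host": "www.example.com", "path": "/index.html"},
    {"type": "http", "method": "GET", "host": "quiet-lake-1234.workers.dev", "path": "/ws",
     "upgrade": "websocket"},
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\Temp\\CreatedUCEXplorer.exe"},
    {"type": "http", "method": "GET", "host": "203.0.113.5.nip.io", "path": "/"},
    {"type": "process", "image": "C:\\Windows\\explorer.exe",
     "parent_image": "C:\\Windows\\System32\\userinit.exe"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_LINES).items():
        print(idx, SAMPLE_EVENTS[idx].get("host") or SAMPLE_EVENTS[idx].get("image"), tags)
```

Two caveats follow from the page itself. Blocking or alerting on DoH provider hostnames only covers the early versions; the IPAddrs parameter lets current builds fall back to direct IP connections, so the hostname checks need to be paired with egress allow-listing or the TLS inspection recommended above. And the parent-process check is deliberately a filename match rather than a path match, because the report gives only the image name and the dropped location may vary between intrusions.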

Strategic Context

The operational patterns exhibited by UNC5221 align with the People’s Republic of China’s industrial espionage initiatives aimed at acquiring technological secrets. As this threat evolves, heightened attention to server environments, cloud infrastructure, and DNS monitoring systems remains essential.

Industry collaboration, threat intelligence sharing, and continuous security monitoring represent the most effective countermeasures against this sophisticated threat actor.

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.