NVISO discovered new variants of the BRICKSTORM backdoor, initially designed for Linux, on Windows systems
Analysis Summary
# Threat Actor: UNC5221 (China-Nexus Cluster)
## Attribution & Identity
* **Attribution:** China-nexus cluster.
* **Known Aliases and Associated Groups:** UNC5221. The cluster was initially believed to target only Linux vCenter servers.
## Activity Summary
* **Historical Activities/Campaigns:** UNC5221 has been actively conducting espionage against European organizations since at least 2022.
* **Recent Findings:** Researchers discovered new Windows-based samples of the BRICKSTORM backdoor. Previously, the actor was known for using BRICKSTORM primarily against Linux systems (specifically vCenter servers).
* **Objective:** Cyber espionage.
## Tactics, Techniques & Procedures
* **Initial Access/Persistence:** Maintains access to compromised systems through the BRICKSTORM backdoor.
* **Execution/Defense Evasion:** The Windows BRICKSTORM samples are written in Go.
* **Lateral Movement:** Capabilities include network tunneling, aiding in lateral movement.
* **Specific TTPs Mentioned:**
  * File management capabilities (via the Windows samples).
  * Network tunneling.
  * *Note: The analyzed Windows samples reportedly lack direct command execution capabilities, which slightly differentiates them from the previously analyzed Linux samples.*
## Targeting
* **Sectors:** European industries (general).
* **Geography:** European organizations.
* **Victims:** Various European businesses.
## Tools & Infrastructure
* **Malware families used:** BRICKSTORM (Backdoor).
* **Variants noted:** Windows executables (written in Go).
* **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the provided text excerpt, other than the capabilities of the malware itself.
## Implications
This actor represents a persistent, state-sponsored threat utilizing cross-platform capabilities (Linux and Windows) for long-term espionage operations within European infrastructure. The deployment of a tool traditionally associated with Linux environments onto Windows systems suggests an adaptive approach to maintaining access within diverse enterprise environments.
## Mitigations
* Monitor for the presence and execution of BRICKSTORM samples on both Linux and Windows systems.
* Implement capabilities to detect network tunneling activities indicative of covert command and control.
* Focus on securing exposed services that this actor has historically targeted (such as vCenter), alongside general endpoint protection against Go-compiled executables.