Concise Cyber

CISA Exposes BRICKSTORM Backdoor Used by China-Backed Volt Typhoon Hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with international partners, has released a joint advisory detailing a custom backdoor known as BRICKSTORM. This malware is actively used by Volt Typhoon, a state-sponsored hacking group linked to the People’s Republic of China. The advisory is a collaborative effort from cybersecurity authorities within the Five Eyes intelligence alliance, including agencies from the United States, United Kingdom, Australia, Canada, and New Zealand.

Volt Typhoon, also tracked under aliases such as Bronze Silhouette and VANGUARD PANDA, utilizes the BRICKSTORM malware to establish and maintain persistence on compromised network infrastructure. The group is known for targeting critical infrastructure sectors by leveraging living-off-the-land techniques and compromising network edge devices.

BRICKSTORM Malware Capabilities

The BRICKSTORM backdoor is a custom shell specifically developed for routers. According to the CISA Malware Analysis Report (MAR), the malware communicates with a remote command and control (C2) server to receive instructions and exfiltrate data. Its documented capabilities include the ability to upload and download files, execute arbitrary commands on the infected device, and configure itself as a SOCKS proxy. This proxy functionality allows the threat actor to route their malicious traffic through the compromised router, effectively concealing the origin of their activities.

International Advisory and Defensive Measures

The joint advisory provides network defenders with technical details and Indicators of Compromise (IoCs) to detect and mitigate the threat. The agencies have confirmed that Volt Typhoon uses compromised small office/home office (SOHO) network devices, including routers, firewalls, and VPNs, as part of its operational infrastructure. By controlling these devices, the group can blend its malicious traffic with legitimate network activity, making detection significantly more challenging. CISA and its partners urge organizations to actively hunt for malicious activity on their networks using the information provided in the report.

Source: https://securityaffairs.com/185346/intelligence/brickstorm-backdoor-exposed-cisa-warns-of-advanced-china-backed-intrusions.html