Concise Cyber

CISA Updates Brickstorm Malware Report: New .NET Variant and Enhanced Detection Guidance

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its advisory on Brickstorm malware to cover a newly identified .NET-compiled variant. The update expands the detection guidance, adding YARA rules, Snort signatures and further indicators of compromise, so that organizations can identify and contain what CISA describes as destructive malware.

Brickstorm was previously described as malware built to wipe data and render targeted systems unbootable. The new variant does not change that assessment; it adds a second code base and new persistence behaviour that defenders now have to account for. CISA’s continuing analysis underscores that this class of malware remains a live threat across sectors.

Understanding the New .NET-Compiled Variant

The most notable change in CISA’s updated report is a version of Brickstorm compiled for .NET rather than the language of the earlier samples. Beyond the change of platform, this variant adds persistence mechanisms not seen in its predecessors: it registers a scheduled task and writes registry Run keys, so that the payload is launched again after a reboot or a user logon.

The observed scheduled task is named “Updater”, and its action executes a malicious file dropped under a user profile or other writable directory. The Run key entries point at the same payload. Both are commodity persistence techniques, which cuts both ways for defenders: they are easy to enumerate with standard tooling, but the task name and file location are trivial for an operator to change, so a hunt should key on the action path and the dropped file as well as on the literal name “Updater”.

Expanded Detection Guidance and Indicators of Compromise

CISA’s updated advisory is rich with actionable intelligence for defenders. To aid in detection, CISA has provided a range of indicators of compromise (IOCs) and specific guidance:

  • YARA Rules: New YARA rules have been released to help security teams identify files associated with both the original and the new .NET-compiled Brickstorm variants based on their characteristic strings and binary patterns.
  • Snort Signatures: Snort signatures are now available, enabling network intrusion detection systems to flag network traffic patterns or payload characteristics indicative of Brickstorm activity.
  • File Hashes: Specific SHA256 hashes for known Brickstorm samples, including the new .NET variant, are provided, allowing for direct file identification.
  • Registry Key Modifications: Organizations are advised to monitor for modifications to registry run keys, particularly those associated with the malware’s persistence mechanisms.
  • Scheduled Tasks: Detection efforts should focus on identifying the “Updater” scheduled task or similar newly created tasks that execute suspicious files from unexpected locations.
  • File Paths: The malware has been observed to drop and execute files in directories such as C:\Users\Public\, C:\Users\Default\, C:\Users\User\, and C:\ProgramData\. These are world-writable or template locations where a legitimately installed executable is rare, so any .exe or .dll appearing there deserves review.
  • Command-Line Arguments: CISA advises monitoring for specific command-line arguments used by the malware during its execution.
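The persistence mechanisms described under the .NET variant and the host-based indicators in the list above can be hunted together with a short read-only script. The following is an added example written for this article, not CISA’s tooling or code from the advisory. It assumes the task name “Updater” and the four drop directories named above; the $KnownSha256 list is an empty placeholder that a reader would fill from the hashes published in the advisory. Run it in an elevated PowerShell session on the host under investigation, or push it out via remoting.

```powershell
# Added example (not from CISA's advisory or the Concise Cyber article).
# Read-only hunt for the Brickstorm persistence artifacts described above:
# scheduled tasks, Run/RunOnce keys and executables in the drop directories.
# Assumptions: task name "Updater" and the drop directories named in the
# article; $KnownSha256 is a placeholder to populate from the advisory's IOCs.
param(
    [string[]]$SuspectDirs = @('C:\Users\Public', 'C:\Users\Default',
                               'C:\Users\User',   'C:\ProgramData'),
    [string[]]$SuspectTaskNames = @('Updater'),
    [string[]]$KnownSha256 = @()   # placeholder: fill from the CISA advisory
)

$findings = New-Object System.Collections.Generic.List[object]

# True when a command line or file path starts inside one of the drop directories.
function Test-SuspectPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $clean = ($Path -replace '"', '').Trim()          # drop quoting around the exe
    foreach ($d in $SuspectDirs) {
        if ($clean.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Scheduled tasks: flag by IOC name, or by an action that runs from a drop directory.
#    Arguments are recorded too, since the advisory also calls out command-line IOCs.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $exe       = [string]$action.Execute
        $arguments = [string]$action.Arguments
        $byName    = $SuspectTaskNames -contains $task.TaskName
        if (-not $byName -and -not (Test-SuspectPath $exe)) { continue }
        $reason = if ($byName) { 'task name matches IOC' } else { 'executes from drop directory' }
        $findings.Add([pscustomobject]@{
            Source = 'ScheduledTask'
            Name   = "$($task.TaskPath)$($task.TaskName)"
            Target = "$exe $arguments".Trim()
            Reason = $reason
        })
    }
}

# 2. Run / RunOnce keys: machine-wide, WOW6432Node, and every loaded user hive.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # skip PowerShell's own metadata properties
        if (Test-SuspectPath ([string]$p.Value)) {
            $findings.Add([pscustomobject]@{
                Source = 'RunKey'
                Name   = "$key\$($p.Name)"
                Target = [string]$p.Value
                Reason = 'value points into drop directory'
            })
        }
    }
}

# 3. Executables sitting in the drop directories, hashed against the IOC list.
#    Anything here is reported even without a hash match, because a legitimate
#    .exe or .dll in these locations is unusual enough to warrant a look.
foreach ($dir in $SuspectDirs) {
    Get-ChildItem -Path $dir -Recurse -Force -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $reason = if ($KnownSha256 -contains $hash) { 'SHA256 matches IOC' } else { 'executable in drop directory (review)' }
            $findings.Add([pscustomobject]@{ Source = 'File'; Name = $_.FullName; Target = $hash; Reason = $reason })
        }
}

$findings | Sort-Object Source, Name | Format-Table -AutoSize
```

The script only reads; it does not delete tasks, keys or files, so it is safe to run broadly before an incident is scoped. A hash match is the strongest signal, a task named “Updater” or a Run key pointing into C:\Users\Public is strong, and a lone executable in a drop directory is a lead to triage rather than a verdict. Note that the Snort signatures and YARA rules CISA published cover the network and file-content side and are not reproduced here; they should be deployed alongside this host-level check.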

These expanded detection capabilities provide a more comprehensive toolkit for security analysts to proactively search for and respond to Brickstorm infections across their environments.

Mitigating the Threat

To mitigate the risk posed by Brickstorm and similar destructive threats, CISA reiterates fundamental cybersecurity practices: deploy endpoint detection and response (EDR) tooling capable of alerting on new scheduled tasks and Run key changes, maintain backups of critical data that are kept offline or immutable and are regularly test-restored (a wiper that reaches online backups defeats the backup), enforce strong access controls and least privilege, and keep operating systems and software patched. Because phishing and social engineering remain common initial delivery vectors, regular staff training on those tactics is also recommended.

The continuous evolution of threats like Brickstorm necessitates a proactive and adaptive security posture. CISA’s updated report serves as a critical resource, providing the necessary intelligence and tools for organizations to enhance their defenses against increasingly sophisticated and destructive cyberattacks.
