
Unmasking the Invisible: Hunting and Defeating EDR-Evading Threats Like BRICKSTORM
Traditional EDR systems often do not (or cannot) run on appliances like VMware vCenter Server Appliances (VCSA) and other Linux/BSD-based network devices. Threat actors are taking advantage.
In today's cyber landscape, traditional defenses are no longer enough. Sophisticated threat actors are deploying silent, elusive malware that bypasses endpoint detection and response (EDR) tools and hides dormant in backups or embedded deep within critical infrastructure.
The following analysis is informed by recent threat intelligence derived from customer environments where Rubrik Zero Labs identified indicators of the highly elusive BRICKSTORM backdoor. It details the operational challenges posed by these advanced persistent threats (APTs) and demonstrates the necessity of leveraging immutable data infrastructure to achieve accurate threat identification and a verifiable recovery posture.
When EDR Isn't Enough
Imagine a stealthy attacker breaching your perimeter, moving laterally, and embedding a backdoor directly into your core virtualization management — your vCenter server. This isn't theoretical; it's the reality of threats like BRICKSTORM, a sophisticated Go-based backdoor used by the reportedly China-nexus UNC5221 espionage group.
EDR Blind Spots: The Attacker's Advantage
The primary challenge is that traditional EDR systems often do not or cannot run on critical, hardened appliances like VMware vCenter Server Appliances (VCSA), firewalls, VPNs, and other Linux/BSD-based network devices. These systems are essential for core operations but become security "blind spots."
BRICKSTORM is specifically engineered to exploit this gap using the following tactics:
Masquerading: It changes its filename to match a legitimate VCSA process (e.g., vami-httpd) and runs from a trusted directory, allowing it to execute undetected where EDR is absent or set to trust system binaries implicitly.
Stealth: The malware uses SOCKS proxying and minimal network noise, generating network activity that blends structurally with normal VCSA traffic, further bypassing traditional network monitoring.
Deep Persistence: It sits silently on your vCenter, providing the attacker with a persistent backdoor to move unnoticed through your network, compromising sensitive VMs and stealing credentials.
In essence, these APTs are designed to survive the live environment’s initial defenses. They embed themselves in management infrastructure, waiting patiently within the blind spots where conventional security tools cannot look.
Threat Hunting Beyond the Endpoint
Every day, Rubrik scans over 2.3 million snapshots, actively hunting for active and dormant threats—not only within active environments, but also within immutable backup data. By continuously analyzing the latest attack vectors and malware strains, Rubrik Zero Labs can uncover the subtle fingerprints of advanced persistent threats that may have been hiding for weeks or months.
Immutable Backups: Providing Visibility to Blind Spots
Secured backups cannot be altered, encrypted, or deleted by the malware, so the immutable data repository serves as a reliable, historical record of the system state. Integrating technical intelligence with this infrastructure provides visibility where EDR has limitations:
Massive-Scale Hunting: This process involves systematically scanning millions of backup snapshots daily—a scale necessary for modern defense—to identify the digital fingerprints of persistent threats.
Integrating Research Depth: Our research and intelligence efforts continuously analyze new APT toolsets, converting deep technical analysis into precise detection logic (e.g., custom YARA rules targeting the malware’s specific Go binary structure and embedded strings).
Uncovering Blind Spots: This methodology can actively confirm a compromise within EDR-blind appliances, isolate the malicious code, and establish the definitive breach timeline. This process is fundamental to achieving an uncompromised recovery posture.
BRICKSTORM Discovery: A Case in Point
Once Rubrik Zero Labs identified the BRICKSTORM malware and linked it to the UNC5221 threat actor, our research was immediately fed into the Rubrik platform's threat hunting capabilities. When BRICKSTORM indicators (like specific file hashes, YARA signatures, or suspicious file paths on a vCenter server) were found in a customer's backups, customer data analysis allowed for:
Early Detection: Catching threats missed by conventional EDR.
Contextual Intelligence: Detailing the threat actor's modus operandi, including their initial perimeter breach and lateral movement tactics to vCenter.
Actionable Guidance: Equipping customers with the precise steps for containment, threat eradication, and crucially, ensuring a clean recovery from their backups.
How it Works: From Edge to vCenter
Below is a high-level view of how such an attack unfolds, and where Rubrik provides the critical last line of defense:

Figure 1: A high-level view of the BRICKSTORM attack chain
Resilience Mandate
The detection of threats like BRICKSTORM within backup infrastructure underscores a critical finding: security resilience cannot be guaranteed solely at the endpoint. APTs actively target the visibility gaps in management appliances.
Therefore, the recovery mandate is clear:
Threat Confirmation: Use targeted IOC scanning (YARA signatures, specific file hashes—see Appendix) against historical snapshots to validate the threat and determine the precise moment of compromise.
Clean Recovery: The compromised appliance must not be restored. A new VCSA instance must be built from a trusted source, with the configuration selectively restored only from the latest known-clean snapshot.
Proactive Defense: Enhance logging and monitoring on all appliance blind spots, and enforce strict administrative controls (MFA, network segmentation) to prevent credential-based lateral movement.
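As an added example (not Rubrik's code or tooling), the following Python script applies the Threat Confirmation and Clean Recovery steps above, together with the masquerading tactic described earlier, to a series of snapshots. It re-implements in plain Python the string branch of the appendix's G_Backdoor_BRICKSTORM_2 rule (ELF magic, five of the $str* strings, filesize under 10MB) and a SHA-256 match against the appendix hashes, flags new or changed files under /opt/vmware/sbin/ between consecutive snapshots, and walks the snapshots oldest to newest to name the first compromised and the last known-clean one. The snapshot contents, timestamps and the vami-httpd stand-ins are constructed for the example; the rule's hex patterns are not replicated, so a real hunt runs the full YARA rules with the yara tool against each mounted snapshot rather than this approximation.

```python
"""Hunt BRICKSTORM indicators across a series of immutable snapshots (added example)."""
import hashlib
from typing import Dict, List, Optional, Tuple

# SHA-256 IoCs from the appendix (source: Google Threat Intelligence), lower-cased.
BRICKSTORM_SHA256 = {
    "90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035",
    "2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df",
    "aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878",
}

# The $str1..$str10 atoms of G_Backdoor_BRICKSTORM_2; its hex patterns are not replicated.
BRICKSTORM_STRINGS = [
    b"main.selfWatcher", b"main.copyFile", b"main.startNew", b"WRITE_LOG=true",
    b"WRITE_LOGWednesday", b"vami-httpdvideo/webm", b"/opt/vmware/sbin/",
    b"/home/vsphere-ui/", b"/opt/vmware/sbin/vami-http", b"main.getVFromEnv",
]
ELF_MAGIC = b"\x7fELF"        # uint32(0) == 0x464c457f read little-endian
MAX_SIZE = 10 * 1024 * 1024   # the rule's "filesize < 10MB"

Snapshot = Dict[str, bytes]   # path -> file contents captured in one snapshot


def match_brickstorm_strings(data: bytes) -> List[str]:
    """The '5 of ($str*)' branch of the rule: ELF header, size limit, five string hits."""
    if not data.startswith(ELF_MAGIC) or len(data) >= MAX_SIZE:
        return []
    hits = [s.decode() for s in BRICKSTORM_STRINGS if s in data]
    return hits if len(hits) >= 5 else []


def scan_file(path: str, data: bytes) -> Optional[dict]:
    """Return a finding for one file, or None if neither the hash nor the strings match."""
    digest = hashlib.sha256(data).hexdigest()
    reasons = []
    if digest in BRICKSTORM_SHA256:
        reasons.append("sha256 matches a BRICKSTORM IoC")
    hits = match_brickstorm_strings(data)
    if hits:
        reasons.append("%d of the G_Backdoor_BRICKSTORM_2 strings present" % len(hits))
    return {"path": path, "sha256": digest, "reasons": reasons} if reasons else None


def scan_snapshot(files: Snapshot) -> List[dict]:
    """Scan every file captured in a snapshot."""
    findings = []
    for path in sorted(files):
        finding = scan_file(path, files[path])
        if finding:
            findings.append(finding)
    return findings


def changed_binaries(prev: Snapshot, cur: Snapshot, prefix: str = "/opt/vmware/sbin/") -> List[str]:
    """Paths under a trusted directory whose content changed or appeared since the previous snapshot.

    This surfaces masquerading (a replaced or newly dropped file named like a VCSA
    binary) even when no IoC matches; changes inside a patch window are expected.
    """
    return sorted(p for p, d in cur.items() if p.startswith(prefix) and prev.get(p) != d)


def build_timeline(snapshots: List[Tuple[str, Snapshot]]) -> dict:
    """Walk snapshots oldest to newest; report the first compromised and last known-clean one.

    Configuration is restored only from the last known-clean snapshot; the compromised
    appliance itself is rebuilt from a trusted source, as the mandate above requires.
    """
    last_clean = None
    prev: Snapshot = {}
    for taken_at, files in snapshots:
        findings = scan_snapshot(files)
        drift = changed_binaries(prev, files) if prev else []
        if findings:
            return {"first_compromised": taken_at, "last_known_clean": last_clean,
                    "findings": findings, "trusted_dir_changes": drift}
        last_clean, prev = taken_at, files
    return {"first_compromised": None, "last_known_clean": last_clean,
            "findings": [], "trusted_dir_changes": []}


# Constructed snapshot contents: stand-ins for binaries, not real files.
CLEAN_BINARY = ELF_MAGIC + b"constructed stand-in for the legitimate vami-httpd binary"
IMPLANT_BINARY = ELF_MAGIC + b"\x00".join(BRICKSTORM_STRINGS[:6]) + b"\x00"

SNAPSHOTS = [  # constructed timestamps; in the third snapshot the trusted path has been replaced
    ("2025-01-01T02:00Z", {"/opt/vmware/sbin/vami-httpd": CLEAN_BINARY}),
    ("2025-01-02T02:00Z", {"/opt/vmware/sbin/vami-httpd": CLEAN_BINARY}),
    ("2025-01-03T02:00Z", {"/opt/vmware/sbin/vami-httpd": IMPLANT_BINARY}),
]

if __name__ == "__main__":
    result = build_timeline(SNAPSHOTS)
    print("first compromised snapshot:", result["first_compromised"])
    print("last known-clean snapshot: ", result["last_known_clean"])
    for f in result["findings"]:
        print(f["path"], "->", "; ".join(f["reasons"]))
    print("new/changed files under /opt/vmware/sbin/:", result["trusted_dir_changes"])
```

The timeline returns last_known_clean rather than simply "the snapshot before the first hit" as a reminder of what the hit actually proves: the implant was present by that snapshot's time and may have been dropped at any point after the previous one, so everything later than last_known_clean is untrusted and the string or hash check should be repeated on the restored configuration before it goes back into service.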
This integration of active threat intelligence with immutable data defense represents a required evolution in cyber resiliency architecture.

Figure 2: Playbook for vCenter & Appliance Forensics
Your Data Should Enhance Your Resilience
Even when sophisticated, EDR-evading threats like BRICKSTORM infiltrate your environment, data stored as immutable backups can inform threat defense. Security practitioners should view this data as an additional opportunity for the detection of novel attack techniques. Viewed this way, backups act as much more than an insurance policy; they function as a critical source of threat intelligence and an indispensable layer in a robust defense-in-depth strategy.
Appendix
Indicators of Compromise (source: Google Threat Intelligence)
BRICKSTORM YARA Rules
G_APT_Backdoor_BRICKSTORM_3
rule G_APT_Backdoor_BRICKSTORM_3 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $str1 = { 48 8B 05 ?? ?? ?? ?? 48 89 04 24 E8 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 04 24 [0-5] E8 ?? ?? ?? ?? EB ?? }
        $str2 = "regex" ascii wide nocase
        $str3 = "mime" ascii wide nocase
        $str4 = "decompress" ascii wide nocase
        $str5 = "MIMEHeader" ascii wide nocase
        $str6 = "ResolveReference" ascii wide nocase
        $str7 = "115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951" ascii wide nocase
    condition:
        uint16(0) == 0x457F and all of them
}
G_Backdoor_BRICKSTORM_2
rule G_Backdoor_BRICKSTORM_2 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $obf_func = /[a-z]{20}\/[a-z]{20}\/[a-z]{20}\/[a-z]{20}.go/
        $decr1 = { 0F B6 4C 04 ?? 0F B6 54 04 ?? 31 D1 88 4C 04 ?? 48 FF C0 [0-4] 48 83 F8 ?? 7C }
        $decr2 = { 40 88 7C 34 34 48 FF C3 48 FF C6 48 39 D6 7D 18 0F B6 3B 48 39 CE 73 63 44 0F B6 04 30 44 31 C7 48 83 FE 04 72 DA }
        $decr3 = { 0F B6 54 0C ?? 0F B6 5C 0C ?? 31 DA 88 14 08 48 FF C1 48 83 F9 ?? 7C E8 }
        $str1 = "main.selfWatcher"
        $str2 = "main.copyFile"
        $str3 = "main.startNew"
        $str4 = "WRITE_LOG=true"
        $str5 = "WRITE_LOGWednesday"
        $str6 = "vami-httpdvideo/webm"
        $str7 = "/opt/vmware/sbin/"
        $str8 = "/home/vsphere-ui/"
        $str9 = "/opt/vmware/sbin/vami-http"
        $str10 = "main.getVFromEnv"
    condition:
        uint32(0) == 0x464c457f and ((any of ($decr*) and $obf_func) or (any of ($decr*) and any of ($str*)) or 5 of ($str*)) and filesize < 10MB
}
G_APT_Backdoor_BRICKSTORM_1
rule G_APT_Backdoor_BRICKSTORM_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $ = "WRITE_LOGWednesday"
        $ = "/home/vsphere-ui/"
        $ = "WRITE_LOG=true"
        $ = "dns rcode: %v"
        $ = "dns query not specified or too small"
        $ = "/dev/pts: bad file descriptor"
        $ = "/libs/doh.Query"
        $ = "/libs/doh.createDnsMessage"
        $ = "/libs/doh.unpackDnsMessage"
        $ = "/core/protocol/websocket.(*WebSocketNetConfig).Dial"
        $ = "/core/protocol/websocket.(*connection).Read"
        $ = "/core/protocol/websocket.(*connection).getReader"
        $ = "/core/protocol/websocket.(*connection).Write"
        $ = "/core/protocol/websocket.(*connection).Close"
        $ = "/core/protocol/websocket.(*connection).LocalAddr"
        $ = "/core/protocol/websocket.(*connection).RemoteAddr"
        $ = "/core/protocol/websocket.(*connection).SetDeadline"
        $ = "/core/protocol/websocket.(*connection).SetReadDeadline"
        $ = "/core/protocol/websocket.(*connection).SetWriteDeadline"
        $ = "/core/protocol.UnPackHeaderData"
        $ = "/core/protocol.NewWebSocketClient"
        $ = "/libs/func1.(*Client).BackgroundRun"
        $ = "/libs/func1.CreateClient"
        $ = "/libs/func1.NewService"
        $ = "/libs/func1.(*Service).Get"
        $ = "/libs/func1.(*Service).DoTask"
        $ = "/libs/func1.(*Service).Put"
        $ = "/core/extends/command.Command"
        $ = "/core/extends/command.CommandNoContext"
        $ = "/core/extends/command.ExecuteCmd"
        $ = "/core/extends/command.RunShell"
        $ = "/core/extends/socks.UnPackHeaderData"
        $ = "/core/extends/socks.handleRelay"
        $ = "/libs/fs.(*RemoteDriver).realPath"
        $ = "/libs/fs.(*RemoteDriver).ChangeDir"
        $ = "/libs/fs.(*RemoteDriver).Stat"
        $ = "/libs/fs.(*SimplePerm).GetMode"
        $ = "/libs/fs.(*SimplePerm).GetOwner"
        $ = "/libs/fs.(*SimplePerm).GetGroup"
        $ = "/libs/fs.(*RemoteDriver).ListDir"
        $ = "/libs/fs.(*RemoteDriver).DeleteDir"
        $ = "/libs/fs.(*RemoteDriver).DeleteFile"
        $ = "/libs/fs.(*RemoteDriver).Rename"
        $ = "/libs/fs.(*RemoteDriver).MakeDir"
        $ = "/libs/fs.(*RemoteDriver).GetFile"
        $ = "/libs/fs.(*RemoteDriver).PutFile"
        $ = "/libs/fs.(*RemoteDriver).UpFile"
        $ = "/libs/fs.(*RemoteDriver).MD5"
        $ = "/libs/doh/doh.go"
        $ = "/core/protocol/websocket/config.go"
        $ = "/core/extends/command/command.go"
        $ = "/libs/fs/driver_unix.go"
        $ = "/libs/fs/perm_linux.go"
    condition:
        uint32(0) == 0x464c457f and 8 of them
}
G_APT_Backdoor_BRICKSTORM_2
rule G_APT_Backdoor_BRICKSTORM_2 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $str1 = { 0F 57 C0 0F 11 84 ?? ?? ?? ?? ?? C6 44 ?? ?? 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 0F 57 C0 0F 11 84 ?? ?? ?? ?? ?? 0F 11 84 ?? ?? ?? ?? ?? 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 04 ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 4C ?? ?? E8 ?? ?? ?? ?? 4? 83 7C ?? ?? 00 0F 84 ?? ?? ?? ?? 4? 8D 05 ?? ?? ?? ?? 4? 89 ?? ?? E8 ?? ?? ?? ?? 4? 8B 7C ?? ?? 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 47 08 83 3D ?? ?? ?? ?? 00 75 ?? 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 07 4? 89 BC ?? ?? ?? ?? ?? 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 0F 57 C0 0F 11 84 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? ?? 4? 81 C4 ?? ?? ?? ?? C3 }
        $str2 = { 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? 8B 84 ?? ?? ?? ?? ?? 4? 89 04 ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 4C ?? ?? E8 ?? ?? ?? ?? 4? 8B 44 ?? ?? 4? 85 C0 0F 84 ?? ?? ?? ?? 4? 8D 05 ?? ?? ?? ?? 4? 89 ?? ?? E8 ?? ?? ?? ?? 4? 8B 44 ?? ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 48 08 8B 0D ?? ?? ?? ?? 85 C9 75 ?? 4? 8B 8C ?? ?? ?? ?? ?? 4? 89 08 84 00 4? 89 84 ?? ?? ?? ?? ?? 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 01 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 4? C7 84 ?? ?? ?? ?? ?? 00 00 00 00 90 E8 ?? ?? ?? ?? 4? 8B ?? ?4 D8 00 00 00 4? 81 C4 E0 00 00 00 C3 }
    condition:
        uint32be(0) == 0x7F454C46 and any of them
}
BRICKSTORM Hashes (SHA-256)
90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df
aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878