BRICKSTORM Backdoor

Cohesity REDLab has released updates to the threat library to detect new variants of the BRICKSTORM backdoor. Users should closely monitor ant-ransomware backup anomalies in Security Center. Threat Scan feature should also be used in tandem to scan backup data using the default threat library or custom YARA rules. Users should also run periodic file-hash scans to detect dormant malware in backup data.

Analysis

BRICKSTORM is a stealthy, modular backdoor family that has been deployed against appliances, virtualization hosts, and other infrastructure that typically lack traditional EDR coverage. Once installed it exposes a remote file-management interface and can create encrypted tunnels to proxy or relay network connections which are capabilities attackers use to browse file systems, harvest credentials, and abuse RDP/SMB protocols for lateral movement. Its command-and-control is via DNS-over-HTTPS to blend C2 traffic with ordinary web traffic.

BRICKSTORM is used in long-running espionage campaigns attributed to the China-nexus cluster UNC5221 which is a campaign targeting U.S. legal, SaaS, technology and BPO victims. It has shown extremely long dwell times in hundreds of days, persistence via modified startup scripts and cloned VMs, and the use of downstream compromise like accessing customer environments through compromised service providers.

BRICKSTORM is concerning due to the combination of target selection and operational tradecraft. It relies on living-off-the-land techniques and tunneling rather than noisy payloads, and they design implants to avoid executing obvious command shells.

Summary

Cohesity’s Anti-Ransomware and Threat Detection feature lets you scan backups snapshots and secondary stored data for anomalous behavior, known malware signatures, indicators of compromise (IOCs), using both built-in threat feeds and custom YARA rules. This helps ensure that the data recovered from backups is clean and avoids re-infecting production after a breach. It works by integrating curated threat intelligence and anomaly detection into Cohesity data protection platform so that customers can schedule or initiate threat scans over backups, inspect snapshots for malicious or suspicious artifacts, flag or quarantine compromised backups, and then use those evaluations to guide rapid recovery and response.

Cohesity Data Cloud

Data Cloud packaging

Certified platforms

Backup & Recovery

Cloud Data Protection

SaaS Data Protection

Unstructured Data Protection

Cyber Resilience

Zero Trust Security

Archive & Long-Term Retention

Disaster Recovery

Identity Resilience

Ransomware Anomaly Detection

Threat Protection

Data Classification

Cyber Vaulting

Cyber Recovery Orchestration

Digital Jump Bag

Clean Room Solution

AI Conversational Search

Reporting & IT Insights

Global Search

Why Cohesity

Cohesity vs. Rubrik

Cohesity vs. Commvault

View all solutions

Learn more

Microsoft 365 Protection

AWS

Azure

Google Cloud

Google Workspace

Slack

Active Directory & Entra ID

Hyper-V

Kubernetes

IBM

MongoDB

MS SQL Server

NAS

NoSQL & Hadoop

Nutanix

Oracle

Red Hat

SAP HANA

VMware

Financial services

Healthcare and life sciences

Manufacturing and logistics

Federal government

State, local government, and education

Retail and hospitality

Legal

Energy and utilities

Telecom

Technology

Media and Entertainment

View all

Corporate Overview

Blogs

Demos

Events and Webinars

Customer Stories

Glossary

Marketplace

Support

Support login

How-to videos

Cyber Event Response Team

Cohesity User Group

Cohesity Academy

Trust Center

Channel Partners

Global System Integrators

Security Partners

Cloud Alliances

Technology Partners

Managed Service Providers

Data Security Alliance

Leadership