Bleepingcomputer
Chinese APT VerdantBamboo Exploits Brickstorm Malware for Long-term Network Access
The Chinese espionage group UNC5221, also known as VerdantBamboo, has been using the Brickstorm backdoor and new malware variants Plenet and AgentPSD to maintain access to compromised Microsoft 365 environments. Investigations revealed that the group had infiltrated victim networks at least 18 months prior to detection, compromising managed services providers (MSPs) to facilitate their attacks. Brickstorm is described as an advanced malware implant, initially developed in Golang and later in Rust. The group has targeted various sectors, including legal services and technology companies, exploiting zero-day vulnerabilities in edge devices since at least 2023. The attackers employed sophisticated techniques to blend in with legitimate traffic, evading security measures. Following the initial breach, they re-entered the network and deployed additional malware, indicating a persistent threat. The ongoing investigation highlights the need for heightened vigilance against such advanced persistent threats.
Key Points:
• UNC5221 (VerdantBamboo) has maintained access to networks for over 18 months using Brickstorm malware.
• The group has exploited zero-day vulnerabilities and compromised MSPs to facilitate their attacks.
• Brickstorm is a modular RAT that has evolved from Golang to Rust, showcasing advanced evasion techniques.