Sophisticated new tools are reshaping the threat landscape, from state-sponsored backdoors to specialized services designed to bypass modern security defenses. We uncover the technical details behind BRICKSTORM, a stealthy implant targeting VMware environments, and Shanya, a new “Packer-as-a-Service” actively fueling ransomware attacks. Dive into this report to understand their evasion tactics and grab the critical Indicators of Compromise (IOCs) needed to defend your infrastructure.
BRICKSTORM Malware (Warp Panda / UNC5221)
Overview
BRICKSTORM is a sophisticated, Go-based backdoor recently attributed to Chinese state-sponsored threat actors, tracked as Warp Panda (CrowdStrike) and UNC5221 (Mandiant). The malware is designed for long-term espionage and persistence, primarily targeting VMware vSphere environments (vCenter, ESXi) and Windows systems within the government, legal, and technology sectors in North America.
Tactics, Techniques, and Procedures (TTPs)
Initial Access & Delivery
- Edge Exploitation: Actors often gain initial access by exploiting vulnerabilities in internet-facing edge devices, such as Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887) or VMware vCenter itself (CVE-2021-22005, CVE-2023-34048, CVE-2024-38812).
- Credential Abuse: Following initial exploitation, attackers utilize valid credentials or hijack the privileged vpxuser account to move laterally into the virtualization infrastructure.
Persistence & Evasion
- Self-Monitoring Watchdog: BRICKSTORM includes a unique “self-watching” function. It constantly checks for specific environment variables; if the process is terminated or disrupted, it automatically reinstalls and restarts itself from a backup location.
- Masquerading: The malware disguises itself as legitimate VMware processes, such as updatemgr or vami-http, to blend in with normal system activity.
- Timestomping: Operators manipulate file timestamps (timestomping) and clear logs to hinder forensic timeline analysis.
Command and Control (C2)
- Nested Encryption: Communications are hidden behind multiple layers of encryption, including HTTPS, WebSockets, and nested TLS.
- DNS-over-HTTPS (DoH): The malware resolves C2 domains using DoH to bypass local DNS monitoring.
- Cloud Infrastructure: It leverages public cloud services (like Cloudflare Workers and Heroku) to proxy traffic, making C2 traffic look like legitimate web requests.
Virtualization-Specific Capabilities
BRICKSTORM is often deployed alongside two helper implants:
- Junction: A Go-based implant for ESXi servers. It listens on port 8090 (masquerading as the legitimate vvoldservice) and proxies network traffic.
- GuestConduit: An implant installed inside guest VMs that listens on port 5555. It uses Virtual Sockets (VSOCK) to tunnel traffic directly between the guest VM and the hypervisor, bypassing traditional network firewalls.
Indicators of Compromise (IOCs)
- Malware Names: BRICKSTORM, Junction, GuestConduit, BRICKSTEAL (a Java Servlet filter injected into Tomcat).
- Suspicious Ports:
  - TCP 8090 (ESXi host, unauthorized listener)
  - TCP 5555 (Guest VM, VSOCK listener)
- Targeted Processes for Masquerading: updatemgr, vami-http.
- Vulnerability Targets: Unpatched Ivanti Connect Secure/Policy Secure and VMware vCenter instances.
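The two port indicators above are easy to turn into a first-pass check. The following is an added example, not code from the original report: it parses netstat-style listener lines and applies the 8090 (ESXi host) and 5555 (guest VM) conditions. The four-column line layout and the sample inventories are constructed for illustration; adapt the regex to whatever tool you actually collect from (for example the output of esxcli network ip connection list on ESXi).

```python
"""Flag listeners matching the BRICKSTORM helper-implant port indicators.

Added example, not part of the original report. Input lines are expected
in a constructed 'proto local-address state process' layout; the sample
data below is made up for illustration.
"""
import re
from dataclasses import dataclass

# Port indicators taken from the report.
JUNCTION_PORT = 8090        # ESXi host; Junction masquerades as vvoldservice
GUESTCONDUIT_PORT = 5555    # guest VM; GuestConduit VSOCK listener

# Constructed sample inventories: one ESXi host, one guest VM.
SAMPLE_ESXI = """\
tcp 0.0.0.0:443 LISTEN rhttpproxy
tcp 0.0.0.0:8090 LISTEN vvoldservice
tcp 127.0.0.1:8307 LISTEN hostd
"""
SAMPLE_GUEST = """\
tcp 0.0.0.0:22 LISTEN sshd
tcp 0.0.0.0:5555 LISTEN updatemgr
"""

# Assumed column layout: proto, addr:port, state, process name.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+(?P<addr>\S+):(?P<port>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<proc>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    host_kind: str
    port: int
    process: str
    reason: str


def parse_listeners(text):
    """Return (proto, addr, port, process) for every line in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("state") == "LISTEN":
            listeners.append(
                (m.group("proto"), m.group("addr"), int(m.group("port")), m.group("proc"))
            )
    return listeners


def check_host(text, host_kind):
    """Apply the report's port indicators; host_kind is 'esxi' or 'guest'."""
    findings = []
    for _proto, _addr, port, proc in parse_listeners(text):
        if host_kind == "esxi" and port == JUNCTION_PORT:
            findings.append(Finding(
                "esxi", port, proc,
                "TCP 8090 listener on ESXi: confirm the owning process is the "
                "genuine vvold service; Junction masquerades as vvoldservice",
            ))
        elif host_kind == "guest" and port == GUESTCONDUIT_PORT:
            findings.append(Finding(
                "guest", port, proc,
                "TCP 5555 listener inside a guest VM matches the GuestConduit indicator",
            ))
    return findings


if __name__ == "__main__":
    for kind, sample in (("esxi", SAMPLE_ESXI), ("guest", SAMPLE_GUEST)):
        for f in check_host(sample, kind):
            print(f"[{f.host_kind}] port {f.port} ({f.process}): {f.reason}")
```

Because Junction deliberately reuses the vvoldservice name, a name match is not a clean bill of health; the 8090 finding is a prompt to verify the listener against the host's known service configuration rather than a verdict on its own.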
Shanya Packer-as-a-Service
Overview
Shanya is a newly identified “Packer-as-a-Service” operation that is rapidly becoming a standard tool for ransomware groups and other cybercriminals. It serves as a replacement for older services like HeartCrypt. Its primary function is to wrap malicious payloads (such as ransomware or EDR killers) in layers of obfuscation to evade detection by Endpoint Detection and Response (EDR) agents and antivirus software.
Tactics, Techniques, and Procedures (TTPs)
Loader & Obfuscation
- Loader Stubs: Each customer receives a unique loader stub with a custom encryption algorithm, making signature-based detection difficult.
- API Hashing: Instead of calling Windows APIs directly (which security tools monitor), Shanya resolves them dynamically using a custom hashing algorithm. It parses the Process Environment Block (PEB) to find the location of loaded modules and functions without alerting the OS.
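When triaging a stub that resolves APIs by hash, analysts recover the hash routine from the sample and precompute hashes for known export names so the constants in the disassembly can be labelled. The block below is an added example, not the report's or Shanya's code: the report does not describe Shanya's custom algorithm, so the classic rotate-right-13 (ROR13) hash is used as a stand-in (an assumption), and the export list is constructed.

```python
"""Resolve hashed API names while triaging a packer stub.

Added example, not part of the original report. The ROR13 routine is a
stand-in for Shanya's undocumented custom hash (assumption); swap in the
algorithm recovered from the sample under analysis.
"""
MASK32 = 0xFFFFFFFF


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name):
    """Stand-in hash: rotate right by 13, then add each ASCII byte of the name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


# Constructed list of export names a loader stub commonly resolves.
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "RtlAddFunctionTable", "RtlDeleteFunctionTable", "NtQueryInformationProcess",
]


def build_hash_table(names, hash_fn=ror13_hash):
    """Map hash -> export name, raising on a collision so it is not silently lost."""
    table = {}
    for n in names:
        h = hash_fn(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {n!r} vs {table[h]!r}")
        table[h] = n
    return table


def resolve_hashes(hashes, table):
    """Annotate hash constants lifted from a disassembly with their export names."""
    return [(h, table.get(h, "<unresolved>")) for h in hashes]


if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    # Constructed: constants an analyst might have copied out of the stub.
    seen = [ror13_hash("RtlDeleteFunctionTable"), ror13_hash("VirtualAlloc"), 0xDEADBEEF]
    for h, name in resolve_hashes(seen, table):
        print(f"0x{h:08x} -> {name}")
```

An unresolved constant usually means either a module the export list does not cover or a per-customer tweak to the algorithm, which matches the report's point that each stub ships with its own encryption and hashing variant.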
Anti-Analysis & Defense Evasion
- EDR Unhooking: The packer checks whether critical functions (such as RtlDeleteFunctionTable) are hooked or monitored by an EDR. If a hook is detected, it calculates the memory offset needed to skip the EDR’s monitoring code (trampoline) and executes the original, unmonitored instruction.
- Anti-Debug Crashes: Shanya triggers functions with invalid contexts to intentionally crash the application if it detects it is running inside a debugger or sandbox.
DLL Side-Loading
- A common deployment technique for Shanya-packed malware is DLL side-loading.
- Legitimate Host: The attackers drop a clean, digitally signed Microsoft executable, most commonly consent.exe (related to User Account Control).
- Malicious DLL: In the same folder, they place a Shanya-packed malicious DLL named msimg32.dll. When consent.exe runs, it loads this malicious DLL instead of the system version.
Indicators of Compromise (IOCs)
- File Relationships: Presence of consent.exe in a non-standard directory (e.g., %TEMP%, %APPDATA%, or C:\ProgramData\) accompanied by msimg32.dll.
- Memory Artifacts: Duplicate instances of system DLLs (such as shell32.dll) loaded in memory for a single process.
- Behavioral: A process repeatedly attempting to read the PEB (Process Environment Block) or crashing immediately when analyzed in a sandbox environment.
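The file-relationship and memory-artifact indicators above translate directly into two hunting checks. The block below is an added example, not code from the original report: the first function looks for consent.exe outside its expected system directories and notes whether msimg32.dll sits beside it; the second looks for a DLL base name loaded from two different paths in one process. The file inventory, the per-process module lists, and the directory allow-list are constructed assumptions to tune for your environment.

```python
"""Hunting checks for the Shanya side-loading and duplicate-module indicators.

Added example, not part of the original report. All inputs below are
constructed: a file-path inventory and a per-process module list such as
an EDR or forensic tool would export.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

HOST_EXE = "consent.exe"
SIDELOADED_DLL = "msimg32.dll"
# Assumption: the only directories where consent.exe is expected to live.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed file inventory (paths compared case-insensitively).
SAMPLE_FILES = [
    r"C:\Windows\System32\consent.exe",
    r"C:\ProgramData\Updater\consent.exe",
    r"C:\ProgramData\Updater\msimg32.dll",
    r"C:\Users\alice\AppData\Local\Temp\consent.exe",
]

# Constructed per-process loaded-module lists.
SAMPLE_MODULES = {
    "consent.exe (pid 4120)": [
        r"C:\ProgramData\Updater\consent.exe",
        r"C:\Windows\System32\ntdll.dll",
        r"C:\Windows\System32\shell32.dll",
        r"C:\ProgramData\Updater\shell32.dll",
    ],
    "explorer.exe (pid 1880)": [
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\shell32.dll",
    ],
}


def find_sideload_pairs(paths):
    """Return (directory, msimg32_present) for each consent.exe outside EXPECTED_DIRS."""
    names_by_dir = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        names_by_dir[str(wp.parent).lower()].add(wp.name.lower())
    hits = []
    for directory, names in sorted(names_by_dir.items()):
        if HOST_EXE in names and directory not in EXPECTED_DIRS:
            hits.append((directory, SIDELOADED_DLL in names))
    return hits


def find_duplicate_modules(module_map):
    """Return {process: {dll_name: [paths]}} where one DLL name is loaded from several paths."""
    duplicates = {}
    for process, paths in module_map.items():
        by_name = defaultdict(list)
        for p in paths:
            wp = PureWindowsPath(p)
            if wp.suffix.lower() == ".dll":
                by_name[wp.name.lower()].append(p)
        dup = {name: ps for name, ps in by_name.items() if len(ps) > 1}
        if dup:
            duplicates[process] = dup
    return duplicates


if __name__ == "__main__":
    for directory, has_dll in find_sideload_pairs(SAMPLE_FILES):
        level = "HIGH" if has_dll else "review"
        print(f"[{level}] consent.exe in {directory} (msimg32.dll present: {has_dll})")
    for process, dup in find_duplicate_modules(SAMPLE_MODULES).items():
        for name, paths in dup.items():
            print(f"[HIGH] {process}: {name} loaded from {len(paths)} paths: {paths}")
```

A consent.exe found alone outside System32 is worth a look but is not conclusive; the pairing with msimg32.dll in the same directory, or a second shell32.dll mapped from a user-writable path, is what lines up with the report's indicators.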