This Malware Analysis Report (MAR) was originally published on December 4 to share indicators of compromise (IOCs) and detection signatures for BRICKSTORM malware. The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) updated this MAR to include analysis and detection signatures for a new BRICKSTORM variant that uses .NET Native Ahead-of-Time (AOT) compilation, which makes it more versatile and harder to detect.

Like previous BRICKSTORM samples, the variant has initiation and secure command-and-control capabilities that use multiple layers of encryption to hide its communications. Unlike other samples, however, it does not have built-in self-monitoring capabilities to enable persistence.

This update delves into the variant's functionality and offers new YARA rules to support detection. CISA urges all organizations that use VMware vSphere, especially those in the Government Services and Facilities and Information Technology sectors, to review the updated MAR and implement its mitigation measures.