Deep Dive: Unmasking VerdantBamboo and the BRICKSTORM Malware Campaign
In a sophisticated display of operational discipline, a Chinese threat actor—tracked by Volexity as VerdantBamboo (also known as WARP PANDA or UNC5221)—has been identified leveraging a modular toolkit to compromise edge appliances and Managed Service Provider (MSP) infrastructure. At the heart of this campaign is BRICKSTORM, a highly flexible Remote Access Trojan (RAT) originally authored in Golang and later transitioned to Rust to enhance performance and evade detection.
BRICKSTORM utilizes a wssoft library architecture, allowing the attackers to deploy “pluggable” tasks. This modularity enables various functionalities, including interactive shell command execution, a Socks5 proxy for lateral movement, and a lightweight web server for remote file listing.
Incident Origin and Evasion Tactics
The intrusion was first identified following the observation of anomalous network telemetry originating from a Linux-based virtual appliance. Rather than communicating with its intended destination (Egnyte), the appliance initiated outbound connections to attacker-controlled domains routed through Cloudflare. To mask its command-and-control (C2) traffic, the actor utilized DNS over HTTPS (DoH) by making TLS connections to Google’s public DNS, effectively bypassing traditional DNS monitoring.
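The two network behaviours described above, an appliance talking to a destination outside its expected vendor endpoints and an appliance opening TLS to a public DNS-over-HTTPS resolver, are both detectable from ordinary flow or TLS-SNI telemetry. The following detection is an added example, not code from Volexity or the report; the flow records, the appliance IP 10.0.5.20, the vendor placeholder storage-sync.example.com and the attacker placeholder cdn-update.example.net are all constructed, and the record format is a simple CSV rather than any real sensor's output.

```python
import csv
import io
from dataclasses import dataclass

# Added example (not from the Volexity report): flag an appliance that either
# talks to something outside its egress baseline or opens TLS to a public
# DNS-over-HTTPS endpoint. All records below are constructed.

# Well-known public DoH endpoints. An appliance that resolves through the
# internal resolver has no legitimate reason to open port-443 TLS to these.
DOH_RESOLVERS = {
    "dns.google", "8.8.8.8", "8.8.4.4",
    "cloudflare-dns.com", "1.1.1.1", "1.0.0.1",
    "dns.quad9.net", "9.9.9.9",
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    sni: str  # TLS server name if the sensor saw one, else ""


def parse_flows(text: str) -> list[Flow]:
    """Parse 'ts,src,dst,dport,sni' records (constructed format, not Zeek/NetFlow)."""
    reader = csv.DictReader(io.StringIO(text))
    return [Flow(r["ts"], r["src"], r["dst"], int(r["dport"]), r["sni"]) for r in reader]


def detect_appliance_egress(flows, baseline):
    """baseline maps an appliance IP to the set of destinations (SNI or IP) it is
    expected to contact. Returns (src, destination, verdict) tuples, in order."""
    alerts = []
    for f in flows:
        allowed = baseline.get(f.src)
        if allowed is None:
            continue  # not an appliance we baseline here (e.g. a workstation)
        name = f.sni or f.dst
        if f.dport == 443 and (f.sni in DOH_RESOLVERS or f.dst in DOH_RESOLVERS):
            alerts.append((f.src, name, "doh_to_public_resolver"))
        elif name not in allowed:
            # A CDN-fronted attacker domain looks like any other HTTPS site;
            # the signal is that the appliance never talked to it before.
            alerts.append((f.src, name, "off_baseline_egress"))
    return alerts


# Constructed records. 10.0.5.20 stands in for the Storage Sync appliance,
# 10.0.0.53 for the internal resolver, storage-sync.example.com for the
# legitimate vendor endpoint and cdn-update.example.net for a CDN-fronted
# attacker domain. 10.0.9.4 is a workstation with no baseline.
SAMPLE_FLOWS = """\
ts,src,dst,dport,sni
2024-05-01T08:00:00Z,10.0.5.20,10.0.0.53,53,
2024-05-01T08:00:01Z,10.0.5.20,203.0.113.10,443,storage-sync.example.com
2024-05-01T08:00:05Z,10.0.5.20,8.8.8.8,443,dns.google
2024-05-01T08:00:06Z,10.0.5.20,198.51.100.7,443,cdn-update.example.net
2024-05-01T08:01:00Z,10.0.9.4,8.8.8.8,443,dns.google
"""

BASELINE = {
    "10.0.5.20": {"10.0.0.53", "storage-sync.example.com"},
}

if __name__ == "__main__":
    for alert in detect_appliance_egress(parse_flows(SAMPLE_FLOWS), BASELINE):
        print(*alert)
```

The baseline is the important part: a fixed-function appliance has a short, stable list of legitimate destinations, so any new SNI is worth a ticket even when the destination is a reputable CDN. The DoH check is deliberately a plain set match on resolver names and IPs, which is what most NDR and firewall log sources can support without TLS inspection.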
Forensic analysis of the compromised Storage Sync system revealed that the actor successfully deployed the BRICKSTORM binary to /usr/sbin. The initial foothold was achieved by exploiting a misconfigured sudo permission for the egnyteservice account. This specific misconfiguration allowed the low-privileged service account to execute tee with root privileges, providing the attackers with the ability to write malicious files to protected system directories and establish persistence via cron jobs.
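A sudo rule that lets a service account run tee as root is an arbitrary-file-write primitive, which is exactly what the actor needed to drop a binary into /usr/sbin and add a cron entry. The auditor below is an added example, not Egnyte's configuration or anything from the report: it parses sudoers-format rules and flags non-root principals that may run, as root, a shell, an unrestricted ALL, or a binary that can write arbitrary files. The sample sudoers text and the rules in it are constructed; only the egnyteservice/tee pairing reflects the class of misconfiguration described above.

```python
import os
import re

# Added example: audit sudoers rules for root-level file-write or shell
# primitives granted to non-root accounts. Sample data is constructed.

# Binaries that, when runnable as root, let the caller write any file under a
# protected directory. tee is the one abused in this case; the others are
# standard members of the same class. Extend the set for your own fleet.
ARBITRARY_WRITE_BINARIES = {"tee", "dd", "cp", "mv", "install"}
# Running a shell as root is simply root.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# user  host=(runas)  [TAG:] cmd, cmd, ...   (Defaults and aliases are skipped)
RULE_RE = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(
    r"^(?:NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC|"
    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def _strip_tags(cmd: str) -> str:
    """Remove leading NOPASSWD:/SETENV:/... tags from one command spec."""
    cmd = cmd.strip()
    while (m := TAG_RE.match(cmd)):
        cmd = cmd[m.end():]
    return cmd


def audit_sudoers(text: str) -> list[dict]:
    """Return one finding per non-root rule that grants a risky command as root."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        # "(root)", "(ALL)" and "(ALL:ALL)" all permit running as root;
        # an absent runas spec defaults to root.
        runas = (m.group("runas") or "root").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue
        for spec in m.group("cmds").split(","):
            cmd = _strip_tags(spec)
            if not cmd:
                continue
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reason = "unrestricted command execution as root"
            elif prog in SHELLS:
                reason = f"{prog} as root is full root access"
            elif prog in ARBITRARY_WRITE_BINARIES:
                reason = f"{prog} as root can write to any protected path"
            else:
                continue
            findings.append({"line": lineno, "user": m.group("user"),
                             "command": cmd, "reason": reason})
    return findings


# Constructed sample sudoers; not the real appliance file.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%wheel          ALL=(ALL) ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender /var/backups/
egnyteservice   ALL=(root) NOPASSWD: /usr/bin/tee
monitor         ALL=(root) NOPASSWD: /usr/bin/systemctl restart monitor.service, /bin/bash
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']}: {f['user']} -> {f['command']}: {f['reason']}")
```

The auditor flags a write-capable binary regardless of any argument restrictions on the rule, because it is the reviewer's job to decide whether a narrowed argument list actually closes the write primitive; in practice the safer fix is to replace the generic binary with a purpose-built wrapper that takes no path from the caller. Run it against `sudo -l` output or the sudoers files collected from each appliance during a configuration review.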
Expanding the Breach: MSP Compromise and Persistence
The scope of the compromise extended beyond a single customer. Volexity discovered FreeBSD-compatible variants of BRICKSTORM running on a pfSense firewall belonging to the victim’s Managed Service Provider (MSP). The implant was masquerading as a legitimate process in /usr/local/libexec/ipsec and used cron to ensure it survived system reboots.
This breach of the MSP appears to be a primary vector for the larger campaign. By gaining root-level access to critical MSP infrastructure, VerdantBamboo achieved a level of “supply-chain” access that allowed them to remain undetected for at least 18 months. They leveraged BRICKSTORM’s proxying capabilities alongside stolen credentials to access the victim’s Microsoft 365 environment. Because the malicious traffic originated from the victim’s own SSL VPN IP addresses, the attackers successfully bypassed Microsoft Entra (Azure AD) Conditional Access policies.
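The Conditional Access bypass above works because a policy that exempts sign-ins from a "trusted" named location (here, the organisation's own VPN egress) from MFA cannot tell a proxied attacker from an employee. The hunt below is an added example, not a Volexity artefact or a Microsoft API: it assumes the policy exempted the VPN egress range from MFA (the usual way such a bypass arises), and it walks constructed sign-in records to find grants from that range that had no MFA and came either from an unmanaged device or from a device the user had never signed in from before. The VPN range 203.0.113.0/28, the users and the device identifiers are all constructed.

```python
import ipaddress
from collections import defaultdict

# Added example, not part of the Volexity write-up: hunt sign-in records for a
# credential used from the organisation's own VPN egress so that a
# location-based Conditional Access exemption waives MFA. Data is constructed.

# Constructed: SSL VPN egress ranges the policy treats as a trusted location.
VPN_EGRESS = [ipaddress.ip_network("203.0.113.0/28")]


def from_vpn(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EGRESS)


def hunt_trusted_location_abuse(signins: list[dict]) -> list[dict]:
    """Flag VPN-sourced sign-ins granted without MFA from an unmanaged device,
    or from a device this user has not previously used on a sign-in that did
    satisfy MFA or device compliance. Records must be in chronological order."""
    seen_devices = defaultdict(set)  # user -> device ids established as theirs
    alerts = []
    for s in signins:
        user, device = s["user"], s["device_id"]
        reason = None
        if from_vpn(s["ip"]) and not s["mfa"]:
            if not s["device_compliant"]:
                reason = "granted without MFA from an unmanaged device"
            elif device not in seen_devices[user]:
                reason = "granted without MFA from a device never seen for this user"
        if reason:
            alerts.append({"ts": s["ts"], "user": user, "ip": s["ip"], "reason": reason})
        elif device and (s["mfa"] or s["device_compliant"]):
            # Only sign-ins that cleared a real control seed the device history,
            # so an attacker's first grant cannot make its own device "known".
            seen_devices[user].add(device)
    return alerts


# Constructed sign-in records in the shape of Entra sign-in log fields that
# matter here; field names are this example's own, not Microsoft's schema.
SAMPLE_SIGNINS = [
    {"ts": "2024-05-01T07:55:00Z", "user": "alice", "ip": "198.51.100.9",
     "mfa": True, "device_compliant": True, "device_id": "D-1001"},
    {"ts": "2024-05-01T08:10:00Z", "user": "alice", "ip": "203.0.113.5",
     "mfa": False, "device_compliant": True, "device_id": "D-1001"},
    {"ts": "2024-05-01T08:12:00Z", "user": "bob", "ip": "203.0.113.6",
     "mfa": False, "device_compliant": False, "device_id": ""},
    {"ts": "2024-05-01T09:00:00Z", "user": "alice", "ip": "203.0.113.5",
     "mfa": False, "device_compliant": True, "device_id": "D-2042"},
]

if __name__ == "__main__":
    for a in hunt_trusted_location_abuse(SAMPLE_SIGNINS):
        print(a["ts"], a["user"], a["ip"], a["reason"])
```

The second alice record is the expected employee case (known compliant device, MFA waived by location) and is not alerted; bob's record is the pattern from the intrusion, a credential used through the VPN IP from no managed device at all. The durable fix, as the Zero Trust recommendation at the end of the page says, is to stop using the VPN range as a trusted location and require MFA plus device compliance everywhere, at which point this hunt becomes a policy-violation check rather than a gap-filler.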
The Emergence of PLENET and AGENTPSD
During the investigation, Volexity uncovered two additional, previously undocumented malware families: PLENET and AGENTPSD.
- PLENET: A cross-platform backdoor written in .NET Core. Critically, it was compiled using Native AOT (Ahead-of-Time) compilation. This technical choice significantly complicates reverse engineering, as the runtime and metadata are embedded directly into the native binary, leaving fewer traditional artifacts for automated analysis tools. PLENET supports WebSockets for C2 communication, interactive shells, and remote command execution.
- AGENTPSD: A fallback mechanism consisting of a Python-based reverse shell packaged with PyInstaller. This was likely deployed to maintain access if the primary PLENET or BRICKSTORM implants were neutralized.
Technical Indicator: BRICKSTORM Sample
| Attribute | Value |
|---|---|
| Filename | egnyte_host_monitor_client |
| Size | 6.4MB |
| File Type | ELF Executable |
| MD5 | 98ee964edeb5a988c3bba8ea1e57fe0e |
| SHA256 | ee41e06ed96182ce80cd4544a6abd5d7719c4a5c0e5ddb266a83842d39b99b0a |
Technical Indicator: PLENET/Implant Sample
| Attribute | Value |
|---|---|
| Filename | ovs-dbctl |
| Size | 2.5MB |
| File Type | ELF Executable |
| MD5 | 95dc2289427ed29b8b996d0e3d1b78cb |
| SHA256 | eb141a43958802727a6c813452450c10b92704bea4474ee5fd87c0a1be326e2e |
Post-Remediation and Conclusion
The threat actor demonstrated remarkable resilience. Following initial remediation efforts, VerdantBamboo regained access by using stolen administrative credentials to log into an internet-exposed firewall web interface. They subsequently enabled a web-based SSL VPN to pivot deeper into the network, eventually deploying PLENET onto a Synology NAS.
The campaign highlights a growing trend of targeting “unmanaged” edge devices—firewalls, NAS units, and virtual appliances—that often lack the robust Endpoint Detection and Response (EDR) coverage found on standard workstations and servers. By the time Volexity used Censys to fingerprint the C2 infrastructure, the actor’s servers had gone silent, likely a tactical retreat in response to public disclosure.
Defensive Recommendations:
- Audit Edge Configurations: Regularly review sudo permissions and service account privileges on all appliances.
- Harden Administrative Interfaces: Never expose firewall or appliance management interfaces directly to the public internet. Enforce phishing-resistant MFA.
- Zero Trust for VPNs: Do not assume traffic originating from a known VPN IP is “safe.” Implement strict device posture checks and identity verification.
- MSP Oversight: Coordinate closely with MSPs to ensure their security posture meets your organization’s risk appetite.