
Google: Brickstone Malware Steals US Orgs’ Data for a Year

Brickstone Malware: The Hidden Threat in Pirated Software Stealing US Data

A stealthy malware campaign has been targeting organizations across the United States for more than a year, stealing sensitive data and credentials along the way. Dubbed “Brickstone,” the backdoor draws attention to an exposure many organizations overlook: pirated or “cracked” software running on their endpoints.

Google’s security researchers have uncovered a widespread operation by a financially motivated threat actor that uses Trojanized versions of popular professional tools to gain a foothold inside corporate networks. The campaign is a reminder that “free” software can carry an exceptionally high price.

What is Brickstone Malware?

Brickstone is a backdoor built for stealth and long-term persistence. Once installed, it gives the attackers remote access to the host: they can execute commands, download additional payloads, and exfiltrate data. Its primary role is to serve as a quiet, durable gateway into the compromised network.

Unlike loud and disruptive ransomware, Brickstone aims to remain undetected for as long as possible, silently siphoning off information while its operators decide how to best monetize their access.

How the Brickstone Infection Chain Works

The attack is deceptively simple and relies on ordinary user behavior. Understanding each step shows where the chain can be interrupted.

  1. The Lure: Pirated Software: The infection begins when a user searches for and downloads pirated software from an unofficial website. Attackers specifically target high-demand professional tools, such as graphic design suites and video editing software, knowing that individuals, and sometimes companies, try to avoid licensing fees.

  2. The Trojan Horse: The Malicious Installer: The downloaded file looks like a legitimate software installer. When the user runs the setup executable, it silently launches a malicious loader in the background.

  3. The Deployment: The Backdoor is Activated: The loader decrypts and executes the main Brickstone payload, which then sets about entrenching itself on the infected device.

  4. Establishing Persistence: To survive reboots, Brickstone establishes persistence, often by creating a scheduled task. The task relaunches the malware automatically, so the attacker keeps access without any further action by the user.

  5. Command and Control (C2) Communication: Once active, the backdoor connects to a command-and-control server run by the attackers. What makes Brickstone particularly evasive is its use of legitimate cloud services, such as Dropbox, for C2 communications. Because that traffic goes to domains the organization already allows and blends in with legitimate use of the same service, controls that rely on blocklists of known malicious domains do not flag it.

From this point, the attackers have control and can begin stealing credentials, deploying spyware, or moving laterally across the network to find more valuable targets.
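The persistence step is where a defender can hunt. The following is an added example, not code from Google’s report or from this article: it parses Windows Task Scheduler XML definitions (the files under C:\Windows\System32\Tasks) and flags tasks whose executable lives in a user-writable location, that are hidden, that use a script host with suspicious arguments, or that run at logon or boot on a repeating interval. The task names, paths and both XML samples are constructed for illustration, and the rules are generic persistence heuristics rather than indicators specific to Brickstone.

```python
"""Hunt Windows Task Scheduler definitions for scheduled-task persistence traits.

Added example, not code from the report or the page. The two task XML samples
are constructed; task names and paths are hypothetical.
"""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Places an unprivileged user can write to: a payload dropped by a cracked
# installer usually lands here rather than under Program Files or System32.
USER_WRITABLE = re.compile(
    r"(?i)(\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|%(appdata|localappdata|temp|tmp|userprofile|public)%"
    r"|\\users\\public\\|\\windows\\temp\\|\\programdata\\)")
# Script hosts and proxy binaries often used to start a loader, plus the
# argument patterns that usually accompany that use.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-e(nc(odedcommand)?)?\s|-w(indowstyle)?\s+hidden|bypass|\biex\b"
    r"|downloadstring|frombase64string|https?://|javascript:|scrobj\.dll)")
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger"}


@dataclass
class TaskReport:
    uri: str
    command: str
    triggers: list[str]
    findings: list[str] = field(default_factory=list)


def _text(root: ET.Element, path: str) -> str:
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def analyze_task(xml_data: str | bytes, uri: str = "<unknown>") -> TaskReport:
    """Parse one task definition and record the persistence traits it shows."""
    root = ET.fromstring(xml_data)
    uri = _text(root, "t:RegistrationInfo/t:URI") or uri
    command = _text(root, "t:Actions/t:Exec/t:Command")
    arguments = _text(root, "t:Actions/t:Exec/t:Arguments")
    trig_el = root.find("t:Triggers", NS)
    # Tags carry the namespace ("{...}LogonTrigger"); keep only the local name.
    triggers = [t.tag.rsplit("}", 1)[-1] for t in trig_el] if trig_el is not None else []
    interval = trig_el.find(".//t:Repetition/t:Interval", NS) if trig_el is not None else None
    report = TaskReport(uri, command, triggers)

    exe = command.strip('"').rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE.search(command):
        report.findings.append("executable in user-writable location")
    if exe in SCRIPT_HOSTS and SUSPICIOUS_ARGS.search(arguments):
        report.findings.append(f"script host {exe} with suspicious arguments")
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        report.findings.append("task hidden from the Task Scheduler UI")
    # Logon/boot triggers and repetition are routine in legitimate tasks, so
    # they only count once another signal is already present.
    if report.findings and PERSISTENCE_TRIGGERS & set(triggers):
        report.findings.append("runs at logon/boot")
    if report.findings and interval is not None:
        report.findings.append(f"repeats every {interval.text}")
    return report


def scan_tasks_dir(root: Path = Path(r"C:\Windows\System32\Tasks")) -> list[TaskReport]:
    """Walk the live task store; the files are UTF-16 with a BOM, which expat handles as bytes."""
    reports = (analyze_task(p.read_bytes(), str(p)) for p in root.rglob("*") if p.is_file())
    return [r for r in reports if r.findings]


# Constructed samples (no XML declaration, so fromstring() accepts them as str).
SUSPICIOUS_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\DesignSuite Updater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled>
    <Repetition><Interval>PT30M</Interval></Repetition></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\jdoe\\AppData\\Roaming\\DesignSuite\\updater.exe</Command>
    <Arguments>--silent</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Vendor\\Nightly Update Check</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\Updater.exe</Command>
    <Arguments>/check</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK, BENIGN_TASK):
        r = analyze_task(sample)
        print(f"{r.uri}: {r.command} -> {r.findings or 'no findings'}")
```

Reading the live task store with scan_tasks_dir() requires administrator rights. Treat the output as hunting leads rather than verdicts: some legitimate per-user installers also place updaters under AppData, so expect to build a small allow-list. If scheduled-task auditing is enabled, the same heuristics can be applied to the task XML embedded in Security event 4698 (a scheduled task was created), which also gives you the creating account and the time.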

Who is at Risk?

This campaign is run by a financially motivated threat actor, meaning their goal is profit, not espionage or political disruption. The primary targets identified so far have been organizations within the United States.

The targeting, however, is largely opportunistic: anyone who downloads and installs the Trojanized software is at risk. A single employee installing a pirated tool on a work device, or on a personal machine that later connects to company resources, can expose the entire corporate network.

How to Protect Your Organization from Brickstone and Similar Threats

Defending against threats like Brickstone requires a multi-layered security approach focused on both technology and user education.

  • Prohibit Pirated Software: This is the most critical step. Implement and enforce a strict policy against unlicensed or pirated software on all company devices, and back the policy with the technical controls below rather than relying on it alone.
  • Restrict Installation Privileges: Users should not hold local administrator rights on their workstations; software should be installed through IT-managed channels. This raises the bar rather than removing the risk: a payload dropped into the user’s own profile and a scheduled task created in the user’s own context need no elevation, so application allow-listing should back up the privilege restriction.
  • Employ Advanced Endpoint Protection: Use a modern Endpoint Detection and Response (EDR) solution. EDR looks at behavior, such as an installer spawning a loader, a new scheduled task pointing at an executable in a user-writable folder, or unusual outbound connections, rather than relying only on signatures, which a freshly repackaged Trojanized installer will not match.
  • Conduct Security Awareness Training: Regularly educate employees on the dangers of downloading software from untrusted sources, and explain how these “free” tools are often bait used by cybercriminals to deploy malware.
  • Monitor Network Egress Traffic: Inventory which cloud storage services the business actually uses, and from which systems, then alert on the rest. For sanctioned services, look for check-ins on a fixed interval and for sessions that send far more data than they receive from hosts or processes with no business reason to sync files.
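The egress advice above is easier to act on with a concrete check. What follows is an added example, not code from Google’s report or from this article: it reads forward-proxy log lines, groups connections to cloud-storage domains by source host, and alerts when a host checks in on a near-fixed interval or sends far more data than it receives, while exempting an allow-list of sanctioned sync clients. The log lines are constructed, their whitespace-separated format is an assumed simplification of a real proxy log, and the hosts, domains and thresholds are illustrative.

```python
"""Flag periodic, upload-heavy egress to cloud-storage domains in a proxy log.

Added example, not from the report or the page. The log lines are constructed,
and their format (timestamp src host bytes_out bytes_in "user-agent") is an
assumed simplification of a forward-proxy access log.
"""
from __future__ import annotations
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Registrable domains of storage services the business does not use for file
# sync; extend this to whatever is unsanctioned in your environment.
CLOUD_STORAGE = {"dropbox.com", "dropboxapi.com", "dropboxusercontent.com"}
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')


@dataclass
class Record:
    ts: datetime
    src: str
    host: str
    bytes_out: int
    bytes_in: int
    ua: str


@dataclass
class Alert:
    src: str
    host: str
    hits: int
    reasons: list[str]


def parse(lines):
    """Yield a Record per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, host, out, inn, ua = m.groups()
            yield Record(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                         src, host, int(out), int(inn), ua)


def registrable(host: str) -> str:
    """Last two labels of a hostname; adequate for the .com domains used here."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def detect_beacons(lines, approved=frozenset(), min_hits=5,
                   max_jitter=0.15, min_upload_ratio=4.0) -> list[Alert]:
    """Group connections per (source, host) and score cadence and direction.

    A backdoor polling a cloud drop box tends to check in on a fixed interval
    with little jitter and to push far more bytes out than it pulls in. Sources
    in `approved` (sanctioned sync clients) are exempt."""
    sessions: dict[tuple[str, str], list[Record]] = defaultdict(list)
    for rec in parse(lines):
        if registrable(rec.host) in CLOUD_STORAGE and rec.src not in approved:
            sessions[(rec.src, rec.host)].append(rec)
    alerts = []
    for (src, host), recs in sessions.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        out = sum(r.bytes_out for r in recs)
        inn = sum(r.bytes_in for r in recs)
        reasons = []
        if jitter <= max_jitter:
            reasons.append(f"periodic every ~{mean:.0f}s (jitter {jitter:.0%})")
        if inn and out / inn >= min_upload_ratio:
            reasons.append(f"upload-heavy ({out} B out vs {inn} B in)")
        if reasons:
            alerts.append(Alert(src, host, len(recs), reasons))
    return alerts


# Constructed log: 10.1.4.22 checks in roughly every 5 minutes and uploads far
# more than it downloads; 10.1.4.50 is a person browsing Dropbox's website;
# 10.1.4.77 runs a sanctioned sync client on a fixed schedule.
SAMPLE_LOG = """\
2025-03-02T09:00:00Z 10.1.4.22 content.dropboxapi.com 41203 812 "DesignSuiteUpdater/2.1"
2025-03-02T09:01:12Z 10.1.4.50 www.dropbox.com 1204 38211 "Mozilla/5.0"
2025-03-02T09:05:03Z 10.1.4.22 content.dropboxapi.com 52877 790 "DesignSuiteUpdater/2.1"
2025-03-02T09:05:00Z 10.1.4.77 api.dropboxapi.com 3100 2900 "SyncClient/7.4"
2025-03-02T09:09:58Z 10.1.4.22 content.dropboxapi.com 38990 805 "DesignSuiteUpdater/2.1"
2025-03-02T09:10:00Z 10.1.4.77 api.dropboxapi.com 3100 2900 "SyncClient/7.4"
2025-03-02T09:15:01Z 10.1.4.22 content.dropboxapi.com 60412 833 "DesignSuiteUpdater/2.1"
2025-03-02T09:15:00Z 10.1.4.77 api.dropboxapi.com 3100 2900 "SyncClient/7.4"
2025-03-02T09:16:05Z 10.1.4.50 www.dropbox.com 980 12755 "Mozilla/5.0"
2025-03-02T09:20:04Z 10.1.4.22 content.dropboxapi.com 47311 799 "DesignSuiteUpdater/2.1"
2025-03-02T09:20:00Z 10.1.4.77 api.dropboxapi.com 3100 2900 "SyncClient/7.4"
2025-03-02T09:24:57Z 10.1.4.22 content.dropboxapi.com 55102 811 "DesignSuiteUpdater/2.1"
2025-03-02T09:25:00Z 10.1.4.77 api.dropboxapi.com 3100 2900 "SyncClient/7.4"
2025-03-02T09:30:02Z 10.1.4.22 content.dropboxapi.com 43780 802 "DesignSuiteUpdater/2.1"
2025-03-02T09:47:33Z 10.1.4.50 www.dropbox.com 1530 44120 "Mozilla/5.0"
"""

if __name__ == "__main__":
    for a in detect_beacons(SAMPLE_LOG.splitlines(), approved={"10.1.4.77"}):
        print(f"{a.src} -> {a.host} ({a.hits} connections): " + "; ".join(a.reasons))
```

The thresholds are starting points: min_hits and max_jitter trade false positives against how quickly a slow beacon is noticed, and a real proxy format will need its own LINE_RE. A sanctioned sync client also polls on a schedule, which is why the allow-list exists and why upload volume is scored separately; a host that both beacons and uploads heavily to a service it has no business using is the case worth escalating.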

The Brickstone malware campaign is a powerful illustration of how cybercriminals exploit simple temptations. By prioritizing strong software policies and educating users on safe online practices, organizations can significantly reduce their risk of falling victim to this and other hidden threats.

Source: https://www.bleepingcomputer.com/news/security/google-brickstone-malware-used-to-steal-us-orgs-data-for-over-a-year/

