Warp Panda’s Operation BrickStorm

Tags: BrickStorm, Warp Panda, VMware ESXi, China Nexus, Cross-Border Espionage

This operation uses a compiled Go binary called BrickStorm to seize control of VMware vCenter servers; the attackers reach these servers after gaining initial access by exploiting vulnerabilities in edge devices.

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

UTA0178 (CN)

Summary of Actor: UTA0178 is a sophisticated ransomware group known for targeting high-value assets and demanding significant ransoms. They have a reputation for quickly adapting their tactics and technology to bypass security measures. Their operations demonstrate a high level of coordination and technical acumen.

General Features: UTA0178 is adept at utilizing multiple attack vectors, including phishing, software vulnerabilities, and insider threats. They frequently employ double extortion techniques, threatening to release stolen data if the ransom isn't paid. Their malware is often customized to evade detection.

Related Other Groups: Group A, Group B, Group C

Indicators of Attack (IoA):
  Unusual network traffic
  Unauthorized access attempts
  Unexpected system shutdowns
  Communication with known malicious IP addresses

Recent Activities and Trends:
  Latest Campaigns: UTA0178 recently conducted a significant campaign against financial institutions, leveraging CVE-2021-34527 to gain initial access and deploy their ransomware. They have also been linked to attacks on healthcare organizations during the COVID-19 pandemic, exploiting vulnerabilities in remote work infrastructure.
  Emerging Trends: UTA0178 has shown a growing interest in targeting supply chain networks, rather than individual companies directly. They've also begun to incorporate more sophisticated evasion techniques, such as advanced obfuscation methods in their malware code to avoid detection by traditional antivirus solutions.

Aliases: Red Dev 61, UNC5221

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1003 - OS Credential Dumping


ID: DET0234
Name: Credential Dumping via Sensitive Memory and Registry Access Correlation
Analytics:
  AN0648 - Processes accessing LSASS memory or SAM registry hives outside of trusted security tools, often followed by file creation or lateral movement. Detects unauthorized access to sensitive OS subsystems for credential extraction.
  AN0649 - Processes opening /proc/<pid>/mem or /proc/<pid>/maps targeting credential-storing services like sshd or login. Behavior often includes high privilege escalation and memory inspection tools such as gcore or gdb.
  AN0650 - Unsigned processes accessing system memory or launching known credential scraping tools (e.g., osascript, dylib injections) to access the Keychain or sensitive memory regions.


T1021 - Remote Services


ID: DET0269
Name: Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity
Analytics:
  AN0750 - Logon via RDP or WMI by a user account followed by uncommon command execution, file manipulation, or lateral network connections.
  AN0751 - SSH session from new source IP followed by interactive shell or privilege escalation (e.g., sudo, su) and outbound lateral connection.
  AN0752 - Remote login via ARD or SSH followed by screensharingd process activity or modification of TCC-protected files.
  AN0753 - Use of cloud-based bastion or VM console session followed by commands that initiate outbound SSH or RDP sessions from the cloud instance to other environments.
  AN0754 - vSphere API logins (vimService) or SSH to ESXi host followed by unauthorized shell commands or lateral remote logins from the ESXi host.


T1036 - Masquerading

ID: DET0127
Name: Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy
Analytics:
  AN0355 - Adversary renames LOLBINs or deploys binaries with spoofed file names, internal PE metadata, or misleading icons to appear legitimate. File creation is followed by execution or service registration inconsistent with known usage.
  AN0356 - Adversary drops renamed binaries in uncommon directories (e.g., /tmp, /dev/shm) or uses special characters in names (e.g., trailing space, Unicode RLO). Execution or cronjob registration follows shortly after file drop.
  AN0357 - Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with binary path or icon). Launch is correlated with user logon or persistence setup.
  AN0358 - Adversary uses renamed container images, injects files into containers with misleading names or metadata (e.g., renamed system binaries), and executes them during startup or scheduled jobs.
  AN0359 - Adversary places scripts or binaries with misleading names in /etc/rc.local.d or /var/spool/cron, or registers services with legitimate-sounding names not present in default ESXi builds.


T1037 - Boot or Logon Initialization Scripts


ID: DET0112
Name: Boot or Logon Initialization Scripts Detection Strategy
Analytics:
  AN0311 - Monitoring modification and execution of user or system logon scripts such as in registry Run keys or startup folders.
  AN0312 - Detection of changes or execution of shell initialization scripts like .bashrc, .profile, or /etc/profile for persistence.
  AN0313 - Monitoring for modification and execution of login hook scripts or LaunchAgents/LaunchDaemons used for persistence.
  AN0314 - Detection of modification to ESXi rc.local.d or rc scripts that are used to execute on boot.
  AN0315 - Detection of changes to device startup-config files that include boot scripts or scheduled execution routines.


T1041 - Exfiltration Over C2 Channel


ID: DET0348
Name: Detection Strategy for Exfiltration Over C2 Channel
Analytics:
  AN0988 - Identifies suspicious outbound traffic volume mismatches from processes that typically do not generate network activity, particularly over C2 protocols like HTTPS, DNS, or custom TCP/UDP ports, following file or data access.
  AN0989 - Monitors for processes reading sensitive files then immediately initiating unusual outbound connections or bulk transfer sessions over persistent sockets, particularly with encrypted or binary payloads.
  AN0990 - Detects unauthorized applications or scripts accessing sensitive data followed by establishing encrypted outbound communication to rare external destinations or with abnormal byte ratios.
  AN0991 - Detects VMs sending outbound traffic through non-standard services or to unknown destinations, including exfiltration over reverse shells tunneled via VMkernel or custom payloads routed via hostd/vpxa.


T1071 - Application Layer Protocol


ID: DET0444
Name: Detection of Command and Control Over Application Layer Protocols
Analytics:
  AN1225 - Detects suspicious usage of common application-layer protocols (e.g., HTTP, HTTPS, DNS, SMB) by abnormal processes, with high outbound byte counts or irregular ports, possibly indicating command and control or data exfiltration.
  AN1226 - Detects suspicious curl, wget, or custom socket traffic that leverages DNS, HTTPS, or IRC-style protocols with unbalanced traffic or beacon-like intervals.
  AN1227 - Detects applications using abnormal protocols or high volume traffic not previously associated with the process image, such as Automator or AppleScript invoking curl or python sockets.
  AN1228 - Detects application-layer tunneling or unauthorized app protocols like DNS-over-HTTPS, embedded C2 in TLS/HTTP headers, or misused SMB traffic crossing VLANs.


T1078 - Valid Accounts


ID: DET0560
Name: Detection of Valid Account Abuse Across Platforms
Analytics:
  AN1543 - Detection of compromised or misused valid accounts via anomalous logon patterns, abnormal logon types, and inconsistent geographic or time-based activity across Windows endpoints.
  AN1544 - Detection of valid account misuse through SSH logins, sudo/su abuse, and service account anomalies outside expected patterns.
  AN1545 - Detection of interactive and remote logins by service accounts or users at unusual times, with unexpected child process activity.
  AN1546 - Detection of valid account abuse in IdP logs via geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures.
  AN1547 - Detection of containerized service accounts or compromised kubeconfigs being used for cluster access from unexpected nodes or IPs.


T1083 - File and Directory Discovery


ID: DET0370
Name: Recursive Enumeration of Files and Directories Across Privilege Contexts
Analytics:
  AN1040 - Execution of file enumeration commands (e.g., 'dir', 'tree') from non-standard processes or unusual user contexts, followed by recursive directory traversal or access to sensitive locations.
  AN1041 - Use of file enumeration commands (e.g., 'ls', 'find', 'locate') executed by suspicious users or scripts accessing broad file hierarchies or restricted directories.
  AN1042 - Execution of file or directory discovery commands (e.g., 'ls', 'find') from terminal or script-based tooling, especially outside normal user workflows.
  AN1043 - Execution of esxcli commands to enumerate datastore, configuration files, or directory structures by unauthorized or remote users.
  AN1044 - Execution of file discovery commands (e.g., 'dir', 'show flash', 'nvram:') from CLI interfaces, especially by unauthorized users or from abnormal source IPs.


T1090 - Proxy


ID: DET0445
Name: Detection of Proxy Infrastructure Setup and Traffic Bridging
Analytics:
  AN1229 - Suspicious process spawning (e.g., rundll32, svchost, powershell, or netsh) followed by network connection creation to internal hosts or uncommon external endpoints on high or non-standard ports.
  AN1230 - User-space tools (e.g., socat, ncat, iptables, ssh) used in non-standard ways to establish reverse shells, port-forwarding, or inter-host connections. Often chained with uncommon outbound destinations or SSH tunnels.
  AN1231 - AppleScript, LaunchAgents, or remote login services (ssh, networksetup) establishing proxy tunnels or dynamic port forwards to external IPs or alternate local hosts.
  AN1232 - Direct use of nc, socat, or reverse tunnel scripts initiated by abnormal user contexts or unauthorized VIBs initiating connections from hypervisor to external systems.
  AN1233 - Dynamic or static port forwarding rules added to route traffic through an internal host, or configuration changes to proxy firewall rules not aligned with baselined policy.


T1105 - Ingress Tool Transfer


ID: DET0060
Name: Detect Ingress Tool Transfers via Behavioral Chain
Analytics:
  AN0165 - Unusual or uncommon processes initiate network connections to external destinations followed by file creation (tools downloaded).
  AN0166 - Shell-based tools (curl, wget, scp) initiate connections to external domains followed by creation of executable files on disk.
  AN0167 - Process execution of curl or wget followed by a network connection and a file created in temporary or user-specific directories.
  AN0168 - Command line interface or vCLI triggers remote transfer using wget or curl, writing files into datastore paths or local tmp directories.
  AN0169 - Network device logs show anomalous inbound file transfers or uncharacteristic flows with high payload volume to network devices with storage or automation hooks.


T1505 - Server Software Component


ID: DET0547
Name: Detection Strategy for T1505 - Server Software Component
Analytics:
  AN1507 - Installation of malicious IIS/Apache/SQL server modules that later execute command-line interpreters or establish outbound connections.
  AN1508 - Abuse of extensible server modules (e.g., Apache, Nginx, Tomcat) to load rogue plugins that initiate bash, connect to C2, or spawn reverse shells.
  AN1509 - Malicious use of webserver plugins (e.g., for nginx, PHP, Node.js) that execute AppleScript or open network sockets.
  AN1510 - Use of ESXi web interface plugins or vSphere extensions to embed persistent malicious scripts or services.


T1548 - Abuse Elevation Control Mechanism


ID: DET0345
Name: Detection Strategy for Abuse Elevation Control Mechanism (T1548)
Analytics:
  AN0975 - Correlate registry modifications (e.g., UAC bypass registry keys), unusual parent-child process relationships (e.g., control.exe spawning cmd.exe), and unsigned elevated process executions with non-standard tokens or elevation flags.
  AN0976 - Monitor audit logs for setuid/setgid bit changes, executions where UID ≠ EUID (indicative of sudo or privilege escalation), and high-integrity binaries launched by unprivileged users.
  AN0977 - Detect execution of /usr/libexec/security_authtrampoline or use of AuthorizationExecuteWithPrivileges API, and monitor process lineage for unusual launches of GUI apps with escalated privileges.
  AN0978 - Monitor for unexpected privilege elevation operations via SAML assertion manipulation, role injection, or changes to identity mappings that result in access escalation.
  AN0979 - Detect sudden privilege escalations such as IAM role changes, user-assigned privilege boundaries, or elevation via assumed roles beyond normal behavior.


T1574 - Hijack Execution Flow


ID: DET0218
Name: Detection Strategy for Hijack Execution Flow across OS platforms
Analytics:
  AN0609 - Unusual modifications to service binary paths, registry keys, or DLL load paths resulting in alternate execution flow. Defender observes registry key modifications, suspicious file writes into system directories, and processes loading libraries from abnormal paths.
  AN0610 - Adversary manipulation of shared library paths, environment variables, or replacement of service binaries. Defender observes suspicious modifications in /etc/ld.so.preload, service config changes, or file writes replacing existing executables.
  AN0611 - Abuse of DYLD_INSERT_LIBRARIES or hijacking framework paths for malicious libraries. Defender observes processes invoking abnormal dylibs, modified plist files, or persistence entries pointing to altered binaries.


T1531 - Account Access Removal


ID: DET0120
Name: Account Access Removal via Multi-Platform Audit Correlation
Analytics:
  AN0334 - Correlated user account modification (reset, disable, deletion) events with anomalous process lineage (e.g., PowerShell or net.exe from an interactive session), especially outside of IT admin change windows or by non-admin users.
  AN0335 - Password changes or account deletions via 'passwd', 'userdel', or 'chage' preceded by interactive shell or remote command execution from non-privileged accounts.
  AN0336 - Execution of dscl or sysadminctl commands to disable, delete, or modify users combined with anomalous process ancestry or terminal session launch.
  AN0337 - Invocation of esxcli 'system account remove' from vCLI, SSH, or vSphere API with anomalous user access or outside maintenance windows.
  AN0338 - O365 UnifiedAuditLog entries for Remove-Mailbox or Set-Mailbox with account disable or delete actions correlated with suspicious login locations or MFA bypass.
  AN0339 - Deletion or disablement of user accounts in platforms like Okta, Salesforce, or Zoom with anomalies in admin session attributes or mass actions within short duration.


T1080 - Taint Shared Content


ID: DET0471
Name: Detection of Tainted Content Written to Shared Storage
Analytics:
  AN1298 - Detects adversary tampering of shared directories via file drops (e.g., malicious LNK, EXE, VBS) followed by user execution or suspicious network activity.
  AN1299 - Detects script or binary modification within shared NFS/SMB directories followed by process execution from those paths.
  AN1300 - Detects modification of shared network folders via .app bundles or scripting files with hidden extensions (e.g., double extensions like docx.app).
  AN1301 - Detects upload of malicious or unusual file types into cloud-shared folders, followed by user downloads or interactions.
  AN1302 - Detects embedded macros or scripts added to shared documents or use of external references to execute code.



T1140 - Deobfuscate/Decode Files or Information


ID: DET0275
Name: Detect Adversary Deobfuscation or Decoding of Files and Payloads
Analytics:
  AN0767 - An adversary leverages built-in tools such as certutil.exe, powershell.exe, or copy.exe to decode, reassemble, or extract hidden malicious content from obfuscated containers or encoded formats. The decoding utility often spawns shortly after file staging or download and may be chained with script interpreters or further payload execution.
  AN0768 - The adversary uses native utilities like base64, gzip, tar, or openssl to decode, decompress, or decrypt files that were previously staged or downloaded. These tools may be chained with curl/wget and executed via bash/zsh, often to extract an embedded payload or reverse shell script.
  AN0769 - The adversary invokes built-in scripting or decoding tools like base64, plutil, or AppleScript-based utilities to decode files embedded in staging artifacts. Decoding often occurs post-download or as part of post-exploitation payload deployment via zsh, python, or osascript.


T1106 - Native API


ID: DET0529
Name: Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls
Analytics:
  AN1465 - Unusual or suspicious processes loading critical native API DLLs (e.g., ntdll.dll, kernel32.dll) followed by direct syscall behavior, memory manipulation, or hollowing.
  AN1466 - Userland processes invoking syscall-heavy libraries (libc, glibc) followed by fork, mmap, or ptrace behavior commonly associated with code injection or memory manipulation.
  AN1467 - Execution of processes that link to CoreServices or Foundation APIs followed by creation of memory regions, code execution, or abnormal library injection.


T1547 - Boot or Logon Autostart Execution

ID: DET0274
Name: Boot or Logon Autostart Execution Detection Strategy
Analytics:
  AN0764 - Correlation of registry key modification for Run/RunOnce with abnormal parent-child process relationships and outlier execution at user logon or system startup.
  AN0765 - Correlates creation/modification of systemd service files or /etc/init.d scripts with outlier process behavior during boot.
  AN0766 - Observes creation or modification of LaunchAgent/LaunchDaemon property list files combined with anomalous plist payload execution after user logon.


T1573 - Encrypted Channel


ID: DET0273
Name: Detection Strategy for Encrypted Channel across OS Platforms
Analytics:
  AN0759 - Processes that normally do not initiate network connections establishing outbound encrypted TLS/SSL sessions, especially with asymmetric traffic volumes (client sending more than receiving) or non-standard certificate chains. Defender observations correlate process creation with unexpected network encryption libraries being loaded.
  AN0760 - Processes like curl, wget, python, socat, or custom binaries initiating TLS/SSL sessions to non-standard destinations. Defender sees abnormal syscalls for connect(), loading of libssl libraries, and persistent outbound encrypted traffic from daemons not normally communicating externally.
  AN0761 - Applications or launchd jobs initiating encrypted TLS traffic to rare external hosts. Defender observes unified logs showing ssl/TLS API calls by processes not baseline-approved, and payload entropy suggesting encrypted C2 sessions.
  AN0762 - VMware management daemons or guest processes initiating encrypted connections outside expected vCenter, update servers, or internal comms. Defender identifies hostd or vpxa initiating outbound TLS flows with uncommon destinations.
  AN0763 - Unusual TLS tunnels through ports not normally encrypted (e.g., TLS on port 8080, 53). Defender sees NetFlow/IPFIX or packet inspection indicating high-entropy traffic volumes and asymmetric client/server exchange ratios.


T1059 - Command and Scripting Interpreter


ID: DET0516
Name: Behavioral Detection of Command and Scripting Interpreter Abuse
Analytics:
  AN1428 - Detects the execution of scripting or command interpreters (e.g., powershell.exe, cmd.exe, wscript.exe) outside expected administrative time windows or from abnormal user contexts, often followed by encoded/obfuscated arguments or secondary execution events.
  AN1429 - Detects use of shell interpreters (e.g., bash, sh, python, perl) initiated by users or processes not normally executing them, especially when chaining suspicious utilities like netcat, curl, or ssh.
  AN1430 - Detects launch of command-line interpreters via Terminal, Automator, or hidden osascript, especially when parent process lineage deviates from user-initiated applications.
  AN1431 - Detects use of 'esxcli system' or direct interpreter commands (e.g., busybox shell) invoked from SSH or host terminal unexpectedly.
  AN1432 - Identifies CLI interpreter access (e.g., Cisco IOS, Juniper JUNOS) via enable mode or scripting-capable sessions used by uncommon accounts or from unknown IPs.


T1027 - Obfuscated Files or Information


ID: DET0378
Name: Behavioral Detection of Obfuscated Files or Information
Analytics:
  AN1064 - Correlates script execution or suspicious parent processes with creation or modification of encoded, compressed, or encrypted file formats (e.g., .zip, .7z, .enc) and abnormal command-line syntax or PowerShell obfuscation.
  AN1065 - Detects use of gzip, base64, tar, or openssl in scripts or commands that encode/encrypt files after file staging or system enumeration.
  AN1066 - Monitors use of archive or encryption tools (zip, openssl) tied to user-scripted activity or binaries writing encoded payloads under /Users or /Volumes.
  AN1067 - Identifies transfer of base64, uuencoded, or high-entropy files over HTTP, FTP, or custom protocols in lateral movement or exfiltration streams.
  AN1068 - Detects encoded PowerCLI or Base64-encoded payloads staged via datastore uploads or shell access (e.g., ESXi Shell or backdoored VIBs).


T1095 - Non-Application Layer Protocol


ID: DET0457
Name: Detection of Non-Application Layer Protocols for C2
Analytics:
  AN1254 - Anomalous use of ICMP or UDP by non-network service processes for data exfiltration or remote control, especially if traffic bypasses proxy infrastructure or shows unusual flow patterns.
  AN1255 - ICMP or raw socket traffic generated by user-mode processes like bash, Python, or nc, typically using ping, hping3, or crafted packets via libpcap or scapy.
  AN1256 - Unsigned binaries or interpreted scripts initiating non-standard protocols (ICMP, UDP, SOCKS) outside of baseline network behavior.
  AN1257 - VMCI (Virtual Machine Communication Interface) traffic between guest and host, or between VMs, originating from non-management tools or unauthorized binaries.
  AN1258 - Non-standard port/protocol pairings or low-entropy ICMP traffic resembling tunneling patterns (e.g., fixed-size pings with delays).

Observed Countries (2)

CA (802)
US (549)