Alert! New malware is attacking VMware ESXi hypervisors. It was detected by Mandiant researchers, who report that the attackers can:
- Send commands to the hypervisor that are redirected to a guest virtual machine for execution
- Transfer files between the ESXi hypervisor and running guest machines
- Manage the registry service on the hypervisor
- Execute arbitrary commands and redirect them from one guest machine to another running on the same hypervisor
The targeted and evasive nature of this attack leads experts to believe that the China-linked UNC3886 group carried it out for cyber espionage purposes. In the attack investigated by Mandiant, the attackers used malicious vSphere Installation Bundles (VIBs) to install two backdoors, tracked as VIRTUALPITA and VIRTUALPIE, on ESXi hypervisors.
VMware ESXi hypervisors
According to the experts, the attacker needs administrator-level privileges on the ESXi hypervisor in order to deploy the malware. It is worth noting that there are currently no known exploits used to gain initial access or to deploy the malicious VIB files.
VIBs are sets of files designed to manage virtual systems. They can be used to create startup tasks, custom firewall rules, or to deploy custom binaries after the ESXi machine reboots. A VIB consists of the following components:
- Descriptor XML file (describes the content of the VIB)
- VIB payload (.vgz file)
- Signature file (a digital signature used to verify the acceptance level of the VIB on the host)
The XML descriptor is a configuration file that contains references to:
- the payload to install
- VIB metadata such as name and installation date
- the VIB signature file
New Malware Attacks VMware ESXi Hypervisors
Mandiant researchers found that the attackers changed the acceptance level parameter in the XML descriptor from “community” to “partner” to give the impression that the VIB was created by a trusted partner.
However, ESXi still did not allow the VIB file to be installed, so the hackers used the “--force” flag to bypass the acceptance check and install it anyway. This allowed malicious VIB files with the community acceptance level to be installed.
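The two weaknesses described above (an editable acceptance-level field in the descriptor and a --force install that bypasses the check) are both visible from the VIB's own files. The following Python script is an added example, not code from Mandiant or VMware: it parses a VIB descriptor.xml, compares the declared acceptance level with the host's configured level, flags a partner/accepted/certified level that ships without a signature file, and verifies each payload's checksum. The descriptor layout (the `acceptance-level`, `payloads`, `payload` and `checksum` elements) follows the public VIB format; the sample descriptor and payload bytes below are constructed for the example.

```python
"""Audit a VIB descriptor.xml against the host's acceptance policy (added example)."""
import hashlib
import xml.etree.ElementTree as ET

# ESXi acceptance levels ordered from least to most trusted.
ACCEPTANCE_RANK = {"community": 0, "partner": 1, "accepted": 2, "certified": 3}


def audit_vib(descriptor_xml, payloads, signature, host_level):
    """Return (vib_name, findings) for one VIB.

    descriptor_xml: text of the VIB's descriptor.xml
    payloads:       {payload name: bytes} for the .vgz payloads shipped with the VIB
    signature:      bytes of the signature file, or None when the VIB has none
    host_level:     the host's acceptance level (what `esxcli software acceptance get` prints)
    """
    root = ET.fromstring(descriptor_xml)
    name = root.findtext("name", default="<unnamed>")
    level = (root.findtext("acceptance-level") or "").strip().lower()
    findings = []

    if level not in ACCEPTANCE_RANK:
        findings.append(f"unknown acceptance level {level!r}")
    else:
        # A VIB below host policy can only have been installed with --force.
        if ACCEPTANCE_RANK[level] < ACCEPTANCE_RANK[host_level]:
            findings.append(f"declared level '{level}' is below host policy '{host_level}'")
        # Any level above community must be backed by a signature; a bare
        # edit of the descriptor (community -> partner) leaves none.
        if level != "community" and signature is None:
            findings.append(f"declares '{level}' but no signature file is present")

    # Verify every payload listed in the descriptor against its recorded checksum.
    for payload in root.iter("payload"):
        pname = payload.get("name")
        ck = payload.find("checksum")
        data = payloads.get(pname)
        if data is None:
            findings.append(f"payload {pname!r} listed in descriptor but missing")
            continue
        if ck is None or not (ck.text or "").strip():
            findings.append(f"payload {pname!r} has no checksum in descriptor")
            continue
        algo = ck.get("checksum-type", "sha-256").replace("-", "").lower()
        actual = hashlib.new(algo, data).hexdigest()
        if actual != ck.text.strip().lower():
            findings.append(f"payload {pname!r} checksum mismatch")
    return name, findings


# Constructed sample: a VIB whose descriptor claims 'partner' level.
SAMPLE_PAYLOAD = b"\x1f\x8b constructed fake vgz payload"
SAMPLE_DESCRIPTOR = f"""<vib version="5.0">
  <type>bootbank</type>
  <name>example-vib</name>
  <version>1.0-1</version>
  <vendor>ExampleVendor</vendor>
  <acceptance-level>partner</acceptance-level>
  <payloads>
    <payload name="example" type="vgz" size="{len(SAMPLE_PAYLOAD)}">
      <checksum checksum-type="sha-256">{hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}</checksum>
    </payload>
  </payloads>
</vib>"""


if __name__ == "__main__":
    # 'partner' declared, but no signature file shipped: exactly the edit described above.
    name, findings = audit_vib(SAMPLE_DESCRIPTOR, {"example": SAMPLE_PAYLOAD}, None, "partner")
    print(name, findings)
```

On a real host the inputs come from the VIB bundle itself (descriptor.xml, the .vgz payload and the signature file) and `host_level` from `esxcli software acceptance get`; the checks are read-only and can be run over every installed VIB.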
VIRTUALPITA and VIRTUALPIE
The attackers used this technique to install the VIRTUALPITA and VIRTUALPIE backdoors on compromised ESXi machines:
- VIRTUALPITA is a 64-bit passive backdoor that creates a listener on a hard-coded port number on a VMware ESXi server. The malware supports the execution of arbitrary commands.
- VIRTUALPIE is a Python backdoor that supports the execution of arbitrary commands, file transfer, and the creation of a reverse shell.
The researchers also found a unique piece of malware called VIRTUALGATE, which includes a dropper and a payload. The malicious code was hosted on the infected hypervisors. Mandiant researchers now expect that other threat actors will use the information from the study to develop similar capabilities.
George is Digismak’s reporter cum editor with 13 years of experience in journalism.