Threat actors have developed a new technique for installing persistent backdoors on VMware ESXi hypervisors, giving them control over vCenter servers and Windows and Linux virtual machines while evading detection.
This approach employs malicious vSphere Installation Bundles (VIBs), through which the attacker installed two backdoors known as VirtualPita and VirtualPie on the bare-metal hypervisor.
VIB packages, the format ESXi itself uses to install drivers and other components, can be used to create startup tasks, add custom firewall rules, or drop custom binaries every time an ESXi host reboots. Each VIB carries a vendor name, an acceptance level and a signature that the host is meant to verify before installing it.
Researchers stated that this new malware targets VMware ESXi hosts, Linux vCenter servers, and Windows virtual machines (VMs). The Windows component, known as VirtualGate, consists of a dropper and a payload.
According to the researchers, the attackers can maintain persistent admin access to a hypervisor even after restarts, send commands to a guest VM for execution, transfer files between the hypervisor and guest VMs, and run arbitrary commands from one guest VM to another on the same hypervisor. They can also tamper with the hypervisor's logging services.
It was also emphasised that neither the initial access nor the deployment of the malicious VIBs appears to have involved the exploitation of a known or zero-day vulnerability in VMware products. Installing a VIB requires administrative access to the ESXi host, so the attackers already held that level of privilege by the time the backdoors went in; protecting hypervisor admin credentials and the paths to the management interfaces is therefore the first line of defence.
The malware is attributed to UNC3886. The motivation is suspected to be cyber espionage, and Mandiant assesses only with low confidence that the group has a China nexus.
“Given the highly targeted and evasive nature of this intrusion, we suspect UNC3886 motivation to be cyber espionage-related. Additionally, we assess with low confidence that UNC3886 has a China-nexus,” concludes Mandiant.
“It is critical for organizations to address this threat, as we anticipate other threat actors will develop similar malware capabilities over time,” said Mandiant Consulting's CTO.
He added that although more companies are likely to find compromised infrastructure in their environments, fewer than ten organisations are known to have been hit by this malware so far. Because EDR agents cannot be installed on ESXi hosts, most organisations have no effective way to hunt for and identify threats on their hypervisors.
These attacks have been reported to VMware, and the firm has published guidance for protecting vSphere environments from similar threats.
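One check that does not need an EDR agent, and that covers both the VIB persistence mechanism described above and the hunting gap Mandiant points out, is to review what VIBs are actually installed on each host: every package delivered this way has to appear in `esxcli software vib list` under some name, vendor and acceptance level. The script below is an added example written for this article, not code from Mandiant or VMware. It parses that listing and flags packages whose vendor is not VMware's own `VMW` or whose acceptance level is `CommunitySupported`. The listing it runs against is constructed sample output; the vendor `Acme` and the package names `acme-mgmt-agent` and `sys-monitor` are made-up placeholders, not indicators from the report.

```shell
#!/bin/sh
# Added example (not from the report or from VMware): triage the output of
# `esxcli software vib list` for packages that did not come from VMware or that
# carry a weak acceptance level. Every VIB on an ESXi host shows up in this
# listing, so a backdoor delivered as a VIB has to appear here under some name.
#
# The listing below is CONSTRUCTED sample output. The vendor "Acme" and the
# names "acme-mgmt-agent" and "sys-monitor" are made-up placeholders, not
# indicators of compromise from the report.
SAMPLE_VIB_LIST=$(cat <<'EOF'
Name                     Version                            Vendor  Acceptance Level    Install Date
-----------------------  ---------------------------------  ------  ------------------  ------------
ata-libata-92            3.00.9.2-16vmw.650.0.0.4564106     VMW     VMwareCertified     2022-01-14
esx-base                 7.0.3-0.35.19482537                VMW     VMwareCertified     2022-03-02
lsu-hp-hpsa-plugin       2.0.0-16vmw.703.0.20.19193900      VMW     VMwareCertified     2022-03-02
acme-mgmt-agent          1.2.0-1                            Acme    PartnerSupported    2022-08-30
sys-monitor              1.0-1                              Acme    CommunitySupported  2022-09-01
EOF
)

# Read `esxcli software vib list` output on stdin and print one line per VIB
# that needs a closer look. The columns are
#   Name  Version  Vendor  Acceptance Level  Install Date
# and none of the values contain spaces, so the acceptance level is always the
# second-to-last field and the vendor the third-to-last. The first two lines
# (header and separator) are skipped.
flag_untrusted_vibs() {
    awk 'NR > 2 && NF >= 5 {
        name = $1; vendor = $(NF-2); level = $(NF-1); installed = $NF
        # VMware-published packages carry the vendor string "VMW". A package
        # from any other vendor should be matched against what you actually
        # deployed, and a CommunitySupported package has no business on a
        # production host.
        if (vendor != "VMW" || level == "CommunitySupported") {
            printf "%s vendor=%s level=%s installed=%s\n", name, vendor, level, installed
        }
    }'
}

# Stand-alone run against the constructed sample. On a real host replace the
# printf with:  esxcli software vib list | flag_untrusted_vibs
printf '%s\n' "$SAMPLE_VIB_LIST" | flag_untrusted_vibs
```

Treat the acceptance level shown here as what the package claims rather than as proof that anything was validated: `esxcli software vib install --force` bypasses the host's acceptance-level check at install time. On ESXi 7.0 and later, `esxcli software vib signature verify` reports whether the signature on each installed VIB actually validates, and `esxcli software acceptance get` shows the level the host enforces. Enabling UEFI Secure Boot makes the host verify VIB signatures at every boot, which turns an unsigned package from a persistence mechanism into a boot failure. Sort the flagged names by install date, as the script prints it, and compare them against change records for the host.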