Severity
High
Analysis Summary
Threat actors have discovered a new technique for installing persistent backdoors on VMware ESXi hypervisors in order to control vCenter servers and virtual machines for Windows and Linux while evading detection.
This approach employs malicious vSphere Installation Bundles (VIBs), through which the attacker installed two backdoors known as VirtualPita and VirtualPie on the bare-metal hypervisor.
VIB packages can be used to generate startup tasks, custom firewall rules, or to distribute custom binaries when an ESXi machine is rebooted.
Researchers stated that this new malware attacks VMware ESXi hypervisors, Linux vCenter servers, and Windows virtual machines (VMs). The Windows malware is known as VirtualGate and includes a dropper and a payload.
According to researchers, the attackers can retain permanent admin access to a hypervisor even after restarts, transmit commands to the guest VM for execution, move files between the hypervisor and the guest VMs, and execute arbitrary commands from one guest VM to another on the same hypervisor. Furthermore, hackers can interfere with the hypervisor’s logging services.
It was also emphasised that neither the initial access nor the distribution of the malicious VIBs appear to entail the exploitation of a known or zero-day vulnerability in VMware products.
The malware is attributed to UNC3886, and the motivation is suspected to be cyber espionage with a probable connection to China.
“Given the highly targeted and evasive nature of this intrusion, we suspect UNC3886 motivation to be cyber espionage-related. Additionally, we assess with low confidence that UNC3886 has a China-nexus,” concludes Mandiant.
“It is critical for organizations to address this threat, as we anticipate other threat actors will develop similar malware capabilities over time,” said Mandiant Consulting CTO
He also added that, although more companies are likely to find compromised infrastructure in their environments, fewer than ten firms are currently aware of this malware threat. Because EDR products do not support ESXi, most organizations lack an effective mechanism to search for and identify threats on VMware hypervisors.
These attacks have been reported to VMware, and the firm has published guidance for protecting vSphere environments from similar threats.
Impact
- Cyber Espionage
Remediation
- Follow VMware's published guidance for protecting vSphere environments from similar threats.
- Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
- Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
- Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
- 2FA – Enable two-factor authentication.
- Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Multi-layered protection is necessary to secure vulnerable assets.
- Security Best Practices – Do not open emails and attachments from unknown or suspicious sources.
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
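Because VIBs are the persistence vehicle described above and EDR does not cover the hypervisor, one practical hunt is to inventory the VIBs installed on each ESXi host and review any whose vendor or acceptance level is out of place. The following script is an added example for that triage step; it is not part of the Rewterz alert and is not VMware's or Mandiant's tooling. It assumes the fixed-width column layout of `esxcli software vib list` (Name, Version, Vendor, Acceptance Level, Install Date), a site-specific allowlist of expected vendor codes, and a host listing that is constructed here for illustration. Treat its output as a starting point for review against VMware's published guidance, not as a verdict.

```python
"""Triage installed ESXi VIBs for unexpected vendors or acceptance levels.

Added example (not the alert's or VMware's own code). Assumptions:
  - input is the text of `esxcli software vib list` with the usual columns
    Name, Version, Vendor, Acceptance Level, Install Date;
  - EXPECTED_VENDORS is a site-specific allowlist (constructed here);
  - SAMPLE_VIB_LIST is a constructed listing, not output from a real host.
"""
import re
import subprocess
from typing import Dict, FrozenSet, List

# Acceptance levels that VMware's signing chain vouches for. Anything else
# (notably CommunitySupported, which carries no partner/VMware signature)
# deserves a closer look.
TRUSTED_ACCEPTANCE = frozenset({"VMwareCertified", "VMwareAccepted", "PartnerSupported"})

# Constructed allowlist of vendor codes expected on this fleet (assumption).
EXPECTED_VENDORS: FrozenSet[str] = frozenset({"VMW", "INT"})

# Constructed sample shaped like `esxcli software vib list` output.
SAMPLE_VIB_LIST = """\
Name                 Version                          Vendor  Acceptance Level    Install Date
-------------------  -------------------------------  ------  ------------------  ------------
ata-libata-92        3.00.9.2-16vmw.650.0.0.4564106   VMW     VMwareCertified     2018-01-10
net-ixgbe            4.5.3-1OEM.650.0.0.4598673       INT     VMwareCertified     2018-01-10
esx-base             6.5.0-0.0.4564106                VMW     VMwareCertified     2018-01-10
lsu-demo-provider    1.0.0-2                          NONAME  CommunitySupported  2022-09-14
"""


def parse_vib_list(text: str) -> List[Dict[str, str]]:
    """Turn the fixed-width esxcli table into one dict per installed VIB."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        stripped = line.strip()
        # Skip blank lines, the header row and the dashed separator row.
        if not stripped or stripped.startswith("Name") or set(stripped) <= {"-", " "}:
            continue
        # Columns are separated by two or more spaces; single spaces never
        # occur inside esxcli's column values, so this split is safe.
        fields = re.split(r"\s{2,}", stripped)
        if len(fields) < 4:
            continue  # malformed line; ignore rather than guess
        rows.append({
            "name": fields[0],
            "version": fields[1],
            "vendor": fields[2],
            "acceptance": fields[3],
            # Older ESXi releases omit the Install Date column.
            "installed": fields[4] if len(fields) > 4 else "",
        })
    return rows


def find_suspicious_vibs(rows: List[Dict[str, str]],
                         expected_vendors: FrozenSet[str] = EXPECTED_VENDORS) -> List[Dict[str, object]]:
    """Return VIBs whose acceptance level or vendor is not on the allowlists."""
    findings: List[Dict[str, object]] = []
    for row in rows:
        reasons: List[str] = []
        if row["acceptance"] not in TRUSTED_ACCEPTANCE:
            reasons.append(f"acceptance level {row['acceptance']!r} is not VMware/partner signed")
        if row["vendor"] not in expected_vendors:
            reasons.append(f"vendor {row['vendor']!r} is not in the expected-vendor allowlist")
        if reasons:
            findings.append({"name": row["name"], "version": row["version"],
                             "installed": row["installed"], "reasons": reasons})
    return findings


def collect_from_host() -> str:
    """Run esxcli on the local ESXi host (only meaningful in the ESXi shell)."""
    result = subprocess.run(["esxcli", "software", "vib", "list"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Use the constructed sample so the script runs anywhere; on a real host
    # replace SAMPLE_VIB_LIST with collect_from_host().
    for finding in find_suspicious_vibs(parse_vib_list(SAMPLE_VIB_LIST)):
        print(f"REVIEW {finding['name']} {finding['version']} (installed {finding['installed']})")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On the sample, only `lsu-demo-provider` is reported, for both its CommunitySupported acceptance level and its unknown vendor. The vendor allowlist is the knob that matters in practice: build it from a known-good host image rather than from the host under review, so that a VIB added after the baseline stands out.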