Mandiant researchers recently identified a novel malware ecosystem designed specifically to target VMware ESXi hypervisors. Beyond providing persistent access to a host, the malware has features built in to facilitate further activity on the hypervisor and on its guest virtual machines. Mandiant recommends that VMware customers investigate their environments for the indicators described in the report and apply defensive hardening to keep their hypervisors secure.
Researchers identify novel malware that targets ESXi
Researchers have discovered a new malware ecosystem that targets ESXi hypervisors. It consists of two backdoors that run on the hypervisor itself and a memory-only dropper that targets Windows and Linux guest virtual machines.
The attackers installed the malicious vSphere Installation Bundles (VIBs) with the '--force' flag, which bypasses the host's acceptance-level check. Once installed, the packages let the attacker maintain access to the ESXi hypervisor, execute custom binaries, and create startup tasks that survive reboots.
The ecosystem also lets the threat actor transfer files and tamper with logging services. Although Mandiant has not attributed the malware to a known group, the techniques are likely to be picked up by other attackers.
Mandiant observed the malicious VIBs installed on ESXi hypervisors by a China-based threat actor. The bundles include two new backdoors that let the attacker retain administrative access to the ESXi hypervisor.
Malicious VIBs give attackers persistent access to the hypervisor
Mandiant researchers recently identified a new malware ecosystem targeting VMware ESXi hypervisors. According to the report, this specialized malware uses techniques tailored to the virtualization platform rather than commodity tooling adapted from Windows or Linux.
No CVE is associated with the malware: it exploits no vulnerability in ESXi, but relies on the attacker already holding administrative access to the host. From the hypervisor it targets Linux and Windows guest machines and supports arbitrary command execution as well as file download and upload.
One component is written in Python and disguises itself as a legitimate service; the ecosystem also includes a 64-bit passive backdoor with reverse shell capability. Both support file download and transfer and are designed to evade detection, which is easier at this layer because ESXi does not support third-party EDR agents.
The malware's obfuscation methods are rarely seen and its anti-analysis capabilities are unusual, according to the report. It was used in a sophisticated campaign that allowed the threat actor to persist at the hypervisor layer, beneath the guest operating systems and their security tooling.
ESXi refuses to install a VIB below the host's minimum acceptance level unless forced
Administrators who manage VMware virtual systems with ESXi should take a close look at the host's acceptance level. An ESXi host will normally refuse to install a VIB whose acceptance level is below the minimum the host is configured to accept, because the host enforces a policy that rejects code not signed at the required level. The levels, in decreasing order of trust, are VMwareCertified, VMwareAccepted, PartnerSupported and CommunitySupported; CommunitySupported VIBs carry no trusted signature at all. The check can be bypassed only by an administrator who deliberately lowers the host level or passes '--force' at install time, which is exactly what the attackers did.
To determine the host's acceptance level, run 'esxcli software acceptance get' on the host. 'esxcli software vib list' shows the acceptance level of every installed VIB, and on ESXi 7.0 and later 'esxcli software vib signature verify' checks each installed VIB's signature.
These commands tell you what the host currently enforces, not what it should enforce; that is a policy decision for your environment, and PartnerSupported or stricter is the usual baseline. A host set to CommunitySupported, or any VIB whose level is below the host level, indicates that the policy was weakened or forced past and deserves investigation.
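The acceptance-level audit described above, as an added example that is not part of Mandiant's report or VMware's tooling. It parses a constructed sample of 'esxcli software vib list' output; on a real host you would substitute the live output of the commands named in the comments. The VIB names, versions and dates in the sample are illustrative only.

```shell
#!/bin/sh
# Added example (not Mandiant's or VMware's tooling): rank ESXi acceptance levels and
# flag installed VIBs that sit below the host's configured minimum, which can only
# happen if the host level was lowered or the VIB was installed with --force.
# On a live host replace the constructed sample with real output:
#   HOST_LEVEL=$(esxcli software acceptance get)
#   VIB_LIST=$(esxcli software vib list)
# and, on ESXi 7.0 and later, also run: esxcli software vib signature verify

# Constructed sample of `esxcli software vib list` output; names and versions
# are illustrative only.
SAMPLE_VIB_LIST='Name          Version                       Vendor  Acceptance Level    Install Date
------------  ----------------------------  ------  ------------------  ------------
esx-base      7.0.3-0.35.19193900           VMware  VMwareCertified     2022-01-10
lsu-smartpqi  1.0.0-3vmw.703.0.20.19193900  VMW     PartnerSupported    2022-01-10
vendor-tool   1.2.0-1                       ACME    PartnerSupported    2022-03-14
unsigned-vib  1.0.0-0                       ACME    CommunitySupported  2022-09-01'

# Map an acceptance level to a trust rank. Anything unrecognised (for example a
# tampered descriptor value) ranks lowest so that it is always flagged.
level_rank() {
  case "$1" in
    VMwareCertified)    echo 4 ;;
    VMwareAccepted)     echo 3 ;;
    PartnerSupported)   echo 2 ;;
    CommunitySupported) echo 1 ;;
    *)                  echo 0 ;;
  esac
}

# Print the name of every VIB whose level is below the host level.
# $1 = host acceptance level, $2 = text of `esxcli software vib list`
vibs_below_host_level() {
  host_rank=$(level_rank "$1")
  # awk skips the header and separator rows; column 4 is the acceptance level.
  printf '%s\n' "$2" |
    awk 'NR > 2 && NF >= 4 { print $1, $4 }' |
    while read -r name level; do
      if [ "$(level_rank "$level")" -lt "$host_rank" ]; then
        echo "$name"
      fi
    done
}

# Succeed only if the host level itself is PartnerSupported or stricter.
host_level_ok() {
  [ "$(level_rank "$1")" -ge 2 ]
}

# Demonstration on the constructed sample.
HOST_LEVEL=PartnerSupported
host_level_ok "$HOST_LEVEL" || echo "WARNING: host acceptance level $HOST_LEVEL is too permissive"
vibs_below_host_level "$HOST_LEVEL" "$SAMPLE_VIB_LIST" |
  while read -r vib; do echo "SUSPECT: $vib is below host level $HOST_LEVEL"; done
```

A VIB reported by this script is not proof of compromise (a vendor tool may have been force-installed legitimately), but each one should be matched against change records and, where the host supports it, checked with 'esxcli software vib signature verify'.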
ESXi backdoors have features built in to conduct additional activity
Earlier this year, Mandiant researchers uncovered two new malware families targeting VMware ESXi hypervisors. Delivered as malicious vSphere Installation Bundles (VIBs), they install backdoors on ESXi hypervisors and facilitate the installation of custom binaries, startup tasks and firewall rules. Because VIBs persist across reboots, these packages give attackers long-term access to ESXi hosts.
The backdoors support file transfer, file upload and arbitrary command execution. Some variants listen for commands on the Virtual Machine Communication Interface (VMCI), a socket family for hypervisor-to-guest traffic that never touches the network, while others listen on a hardcoded port number.
The Mandiant report also describes a previously unseen technique used to avoid detection. By editing the bundle's descriptor and signature metadata, the attacker made the VIB appear to have been created by a trusted entity, even though the signature does not actually validate at that level. Installation then triggered a bash shell, which in turn called a Python script that targeted a particular guest machine.
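One way to hunt for a backdoor that waits on a hardcoded port, as an added example rather than anything from Mandiant's report: list the host's TCP sockets and report every LISTEN socket owned by a world (ESXi's term for a process) that is not on an allowlist of expected services. The sample output, the allowlist and the port on the final row are constructed for illustration; VMCI listeners do not appear in this output at all, because VMCI is not an IP socket family.

```shell
#!/bin/sh
# Added example (not Mandiant's or VMware's tooling): flag TCP LISTEN sockets on an
# ESXi host owned by a world that is not on an allowlist of expected services.
# On a live host use the real output:  CONN_LIST=$(esxcli network ip connection list)

# Starting allowlist of world names that legitimately listen on an ESXi host.
# Tune it to your build; anything not listed is reported for review.
EXPECTED_LISTENERS="busybox hostd-worker rhttpproxy-work vpxa-worker"

# Constructed sample of `esxcli network ip connection list` output. The port and
# world name on the last row are illustrative, not real indicators of compromise.
SAMPLE_CONN_LIST='Proto  Recv Q  Send Q  Local Address   Foreign Address  State        World ID  CC Algo  World Name
-----  ------  ------  --------------  ---------------  -----------  --------  -------  ---------------
tcp    0       0       0.0.0.0:22      0.0.0.0:0        LISTEN       2097852   newreno  busybox
tcp    0       0       127.0.0.1:8307  0.0.0.0:0        LISTEN       2097696   newreno  hostd-worker
tcp    0       0       0.0.0.0:443     0.0.0.0:0        LISTEN       2098240   newreno  rhttpproxy-work
tcp    0       0       10.0.0.5:443    10.0.0.9:51234   ESTABLISHED  2098240   newreno  rhttpproxy-work
tcp    0       0       :::31337        :::0             LISTEN       2105511   newreno  python'

# Succeed if the world name is on the allowlist.
is_expected_listener() {
  for w in $EXPECTED_LISTENERS; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# Print "world local_address" for every LISTEN socket owned by an unexpected world.
# $1 = text of `esxcli network ip connection list`
# Column 6 is the socket state, column 4 the local address, column 9 the world name.
unexpected_listeners() {
  printf '%s\n' "$1" |
    awk 'NR > 2 && $6 == "LISTEN" { print $9, $4 }' |
    while read -r world addr; do
      is_expected_listener "$world" || echo "$world $addr"
    done
}

# Demonstration on the constructed sample.
unexpected_listeners "$SAMPLE_CONN_LIST" |
  while read -r world addr; do echo "SUSPECT: world $world is listening on $addr"; done
```

A hit such as a Python world listening on an unusual port should be followed up by locating the script on disk and checking which VIB, if any, installed it; an empty result says nothing about VMCI-based variants, which need the guest-side checks described in the report.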
VMware advises customers to audit their environments and apply defensive security techniques
Among the new malware families the report names are VIRTUALPIE and VIRTUALGATE. Together they allow attackers to run arbitrary commands on guest machines from the hypervisor.
Both families require that the attacker already hold full administrative privileges on the ESXi hypervisor, which can be obtained in any number of ways. Mandiant suggests the intrusions were most likely enabled by operational-security weaknesses at the victim organizations (for example, poorly protected administrative credentials).
The first family, dubbed VIRTUALPIE, allows threat actors to execute arbitrary commands on a target guest machine. It is driven by a Python script launched from a bash shell, and the script specifies which VM to target.
The second family, dubbed VIRTUALGATE, is used for transferring files between the ESXi hypervisor and guest machines. The attacker can also tamper with the host's logging services to cover their tracks.