Investigating Novel Malware Persistence Within ESXi Hypervisors

February 10, 2023

Researchers recently identified a new form of novel malware that has designed specifically to target ESXi hypervisors. In addition to providing persistent access to a host, the malware has features built in to facilitate additional activity. The Mandiant researchers suggest that VMware customers should investigate their environments and apply defensive security techniques to keep their hypervisors secure.

Researchers identify new novel malware that targets ESXi

Researchers have discovered a new malware ecosystem that targets ESXi hypervisors. This ecosystem includes two backdoors and a memory-only dropper that target Windows and Linux virtual machines.

The attackers used a ‘–force’ flag to install the malicious VIBs. These packages allow administrators to maintain access to ESXi hypervisors, execute custom binaries, and create startup tasks.

The ecosystem also allows the threat actor to transfer files and modify logging services. While the malware may not have developed by a recognized hacking group, the techniques used by the attackers are likely to picked up by other hackers.

The malicious vSphere Installation Bundles have installed on ESXi hypervisors by a China-based threat actor. These bundles include two new backdoors that allow the attacker to maintain administrative access to the ESXi hypervisor.

ESXi hosts allow attackers to maintain persistent access to the hypervisor

Mandiant cybersecurity researchers recently identified a new malware ecosystem targeting VMware ESXi hypervisors. According to the report, this new family of specialized malware uses specialized techniques to infiltrate virtualization solutions.

The malware family, which has not assigned a CVE number, targets Linux and Windows guest machines. It is also capable of arbitrary command execution and file download and upload.

The malware written in Python and disguises itself as a legitimate service. It consists of a 64-bit passive backdoor with a reverse shell capability. It supports file download and transfer and designed to evade vSphere EDR detection.

The malware’s obfuscation methods rarely seen, and its anti-analysis capabilities are rare, according to the report. It used in conjunction with a sophisticated campaign, allowing the threat actor to survive under the hypervisor.

ESXi system does not allow for falsified VIB file to installed below the minimum set acceptance level

When using ESXi to manage VMware virtual systems, users may want to take a close look at the system’s acceptance level. Generally, an ESXi system will not allow for the installation of a falsified VIB file below the minimum set acceptance level. This is because an ESXi system designed to enforce a security policy that prohibits running code that not signed by VMware.

One way to determine the acceptance level is to run a mandiant test. This test will show you the highest level of acceptance for a given ESXi host.

While the mandiant test will show you the best level for a given ESXi host, it will not tell you whether it’s the right level for you. To determine your acceptance level, you can run several ESXCLI commands.

ESXi backdoors have features built in to them to conduct additional activity

Earlier this year, Mandiant researchers uncovered two new malware families targeting VMware ESXi hypervisors. These malicious vSphere Installation Bundles (VIBs) install backdoors on ESXi hypervisors, and facilitate the installation of custom binaries, startup tasks, and firewall rules. These specialized malware packages allow attackers to maintain persistent access to VMware ESXi hosts.

These backdoors allow for file transfer, file upload, and arbitrary command execution. Some variants also listen for commands on the Virtual Machine Communication Interface or on a hardcoded port number.

The Mandiant report also mentions the presence of a never-before-seen technique that used to avoid detection by EDR. By editing a signature file, the attacker made the VBI appear to created by a trusted entity. Then, the bash shell triggered. The resulting python script called to target a particular guest machine.

VMware advises customers to audit their environments and apply defensive security techniques

There are two new malware families that are targeting VMware ESXi hypervisors. One family called VIRTUALPIE and the other called VIRTUALGATE. They allow attackers to perform arbitrary commands on guest machines.

Both novel malware families require that an attacker have full administrative privileges on the ESXi hypervisor. This can do through any number of ways. These attacks likely caused by operational security weaknesses on the victim organizations.

The first malware family, dubbed VIRTUALPIE, allows threat actors to execute arbitrary commands on the target guest machine. This accomplished through a python script that runs a bash shell. The script then specifies a specific target VM.

The second malware family, dubbed VIRTUALGATE, used for transferring files between ESXi hypervisors and guest machines. It is also possible for the attacker to tamper with the logging services.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.


A Guide to Cybersecurity in a Virtual Office

A Guide to Cybersecurity in a Virtual Office

Explore the comprehensive guide to cybersecurity in a virtual office, covering essential strategies, best practices, and tools to safeguard your digital assets. Learn how to protect sensitive data, mitigate risks, and ensure the utmost security in today's remote work...

GnuTLS Follows OpenSS

GnuTLS Follows OpenSS

GnuTLS library adheres to the OpenSS (Open Source Security Suite) standard, a significant departure from the former GNU policy. Emacs becomes more secure by adhering to a more robust standard for cryptographic libraries. It also helps avoid confusion when working with...

Zero-day vulnerability in Fortinet FortiOS

Zero-day vulnerability in Fortinet FortiOS

Recently, cybercriminals and nation-states have been exploiting a zero-day vulnerability in Fortinet FortiOS' operating system to launch targeted cyberattacks against government entities. The flaw, CVE-2022-40684, allows attackers to bypass authentication by sending...

Recent Case Studies

Press Releases

News & Events

Solutions

Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing

Resources

Blog

About Us