Experts uncovered novel Malware persistence within VMware ESXi Hypervisors

September 30, 2022  By Pierluigi Paganini


Researchers from Mandiant have discovered a novel malware persistence technique within VMware ESXi Hypervisors.

Mandiant detailed a novel technique used by malware authors to achieve administrative access within VMware ESXi Hypervisors and take over vCenter servers and virtual machines for Windows and Linux to perform the following actions:

  1. Send commands to the hypervisor that will be routed to the guest VM for execution
  2. Transfer files between the ESXi hypervisor and guest machines running beneath it
  3. Tamper with logging services on the hypervisor
  4. Execute arbitrary commands from one guest VM to another guest VM running on the same hypervisor.

The highly targeted and evasive nature of this attack, lead the experts into believe that the attack was carried out by for cyberespionage purposed by a China linked actor tracked as UNC3886. 

In the attack investigated by Mandiant, threat actors relied on malicious vSphere Installation Bundles (“VIBs”) to install two backdoors on the ESXi hypervisors, tracked as VIRTUALPITA and VIRTUALPIE. VIBs are collections of files that are designed to manage virtual systems, they can be used to create startup tasks, custom firewall rules, or deploy custom binaries upon the restart of an ESXi machine.

“This malware ecosystem was initially detected during an intrusion investigation when Mandiant identified attacker commands sourced from the legitimate VMware Tools process, vmtoolsd.exe, on a Windows virtual machine hosted on a VMware ESXi hypervisor.” reads the report published by Mandiant. “Mandiant analyzed the boot profile for the ESXi hypervisors and identified a never-before-seen technique in which a threat actor leveraged malicious vSphere Installation Bundles (“VIBs”) to install multiple backdoors on the ESXi hypervisors. We call these backdoors VIRTUALPITA and VIRTUALPIE.”

VMware ESXi Hypervisors

The experts pointed out that the attacker needs admin-level privileges to the ESXi hypervisor before they can deploy malware. The experts are not aware of zero-day exploits being used to gain initial access or deploy the malicious VIBs.

VIBs are composed of:

  • An XML descriptor file
  • A “VIB payload” (.vgz archive)
  • A signature file – A digital signature used to verify the host acceptance level of a VIB

The XML Descriptor File is a config which contains references to the following:

  • The payload to be installed
  • VIB metadata, such as the name and install date
  • The signature file that belongs to the VIB

Mandiant researchers discovered that attackers were able to modify the acceptance level in the XML descriptor of the VBI from ‘community’ to ‘partner’ to make it appear to have been created by a trusted entity.

“While the acceptance-level field was modified in the Descriptor XML by the attacker, the ESXi system still did not allow for a falsified VIB file to be installed below the minimal set acceptance level. To circumvent this, the attacker abused the –force flag to install malicious CommunitySupported VIBs.” continues the report.

Attackers used this technique to install the VirtualPita and VirtualPie backdoor on the compromised ESXi machine

VIRTUALPITA is a 64-bit passive backdoor that creates a listener on a hardcoded port number on a VMware ESXi server, the malware supports arbitrary command execution. VIRTUALPIE is a lightweight Python backdoor that supports arbitrary command line execution, file transfer capabilities, and reverse shell capabilities. 

Researchers also discovered a unique malware sample, tracked as VirtualGate, which includes a dropper and a payload. The malicious code was hosted by the infected hypervisors.

“While we noted the technique used by UNC3886 requires a deeper level of understanding of the ESXi operating system and VMWare’s virtualization platform, we anticipate a variety of other threat actors will use the information outlined in this research to begin building out similar capabilities.” concludes the report. “Mandiant recommends organizations using ESXi and the VMware infrastructure suite follow the hardening steps outlined in this blog post to minimize the attack surface of ESXi hosts.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VMware ESXi)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Hacker groups support protestors in Iran using Telegram, Signal and Darkweb

 Several hacker groups are assisting protestors in Iran using Telegram, Signal and other tools to bypass government censorship. Check...