Experts detailed a previously undetected VMware ESXi backdoor

A new Python backdoor is targeting VMware ESXi servers, allowing attackers to take over compromised systems.

Juniper Networks researchers spotted a previously undocumented Python backdoor targeting VMware ESXi servers. The researchers discovered the backdoor in October 2022, experts pointed out the implant is notable for its simplicity, persistence and capabilities.

The experts were not able to determine the initial compromise due to limited log retention on the compromised server, they speculate attackers may have exploited known issues (i.e. CVE-2019-5544 and CVE-2020-3992) in ESXi’s OpenSLP service.

The backdoor maintain persistence by modifying some systems files such as /etc/rc.local.d/local.sh , which is executed at startup.

The following line of code launches a Python script that starts a web server. The webserver accepts password-protected POST requests from the attackers, each request can include a base-64 encoded command payload or launch a reverse shell on the host.

“While the Python script used in this attack is cross-platform and can be used with little or no modification on Linux or other UNIX-like systems, there are several indications that this attack was designed specifically to target ESXi.” reads the analysis published by Juniper. “The name of the file and its location, /store/packages/vmtools.py, was chosen to raise little suspicion on a virtualization host.”

Below is the list of files installed or modified in this attack:

• /etc/rc.local.d/local.sh: stored in RAM, but changes are backed up and restored on reboot
• /bin/hostd-probe.sh: changes are stored in RAM and reapplied after a reboot
• /store/packages/vmtools.py: saved to the persistent disk stores used for VM disk images, logs, etc.
• /etc/vmware/rhttpproxy/endpoints.conf: changes are stored in RAM and reapplied after a reboot

In order to allow access by remote attackers, they changed the configuration of the ESXi reverse HTTP proxy. The mappings from pathnames to network ports are stored in the configuration file, /etc/vmware/rhttpproxy/endpoints.conf.

The changes to the above file are persistent because it is one of the system files that are backed up and restored automatically at the reboot.

In order to determine if your installation was compromised the researchers recommend review the vmtools.py and local.sh files.

“The hashed password in vmtools.py has been redacted because it might uniquely identify the compromised server, so that file’s hash should not be used as an IOC. The modifications to hostd-probe.sh and endpoints.conf are shown in their entirety above.” concludes the report.

Experts also recommend applying all vendor patches as soon as possible, restricting incoming network connections to trusted hosts.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, vmware)

[adrotate banner=”5″]

[adrotate banner=”13″]