Experts uncovered novel Malware persistence within VMware ESXi Hypervisors

Pierluigi Paganini September 30, 2022

Researchers from Mandiant have discovered a novel malware persistence technique within VMware ESXi Hypervisors.

Mandiant detailed a novel technique used by malware authors to achieve administrative access within VMware ESXi Hypervisors and take over vCenter servers and virtual machines for Windows and Linux to perform the following actions:

  1. Send commands to the hypervisor that will be routed to the guest VM for execution
  2. Transfer files between the ESXi hypervisor and guest machines running beneath it
  3. Tamper with logging services on the hypervisor
  4. Execute arbitrary commands from one guest VM to another guest VM running on the same hypervisor.

The highly targeted and evasive nature of this attack leads the experts into believing that the attack was carried out for cyberespionage purposes by a China-linked actor tracked as UNC3886. 

In the attack investigated by Mandiant, threat actors relied on malicious vSphere Installation Bundles (“VIBs”) to install two backdoors on the ESXi hypervisors, tracked as VIRTUALPITA and VIRTUALPIE. VIBs are collections of files that are designed to manage virtual systems, they can be used to create startup tasks, custom firewall rules, or deploy custom binaries upon the restart of an ESXi machine.

“This malware ecosystem was initially detected during an intrusion investigation when Mandiant identified attacker commands sourced from the legitimate VMware Tools process, vmtoolsd.exe, on a Windows virtual machine hosted on a VMware ESXi hypervisor.” reads the report published by Mandiant. “Mandiant analyzed the boot profile for the ESXi hypervisors and identified a never-before-seen technique in which a threat actor leveraged malicious vSphere Installation Bundles (“VIBs”) to install multiple backdoors on the ESXi hypervisors. We call these backdoors VIRTUALPITA and VIRTUALPIE.”

VMware ESXi Hypervisors

The experts pointed out that the attacker needs admin-level privileges to the ESXi hypervisor before they can deploy malware. The experts are not aware of zero-day exploits being used to gain initial access or deploy the malicious VIBs.

VIBs are composed of:

  • An XML descriptor file
  • A “VIB payload” (.vgz archive)
  • A signature file – A digital signature used to verify the host acceptance level of a VIB

The XML Descriptor File is a config which contains references to the following:

  • The payload to be installed
  • VIB metadata, such as the name and install date
  • The signature file that belongs to the VIB

Mandiant researchers discovered that attackers were able to modify the acceptance level in the XML descriptor of the VBI from ‘community’ to ‘partner’ to make it appear to have been created by a trusted entity.

“While the acceptance-level field was modified in the Descriptor XML by the attacker, the ESXi system still did not allow for a falsified VIB file to be installed below the minimal set acceptance level. To circumvent this, the attacker abused the –force flag to install malicious CommunitySupported VIBs.” continues the report.

Attackers used this technique to install the VirtualPita and VirtualPie backdoor on the compromised ESXi machine

VIRTUALPITA is a 64-bit passive backdoor that creates a listener on a hardcoded port number on a VMware ESXi server, the malware supports arbitrary command execution. VIRTUALPIE is a lightweight Python backdoor that supports arbitrary command line execution, file transfer capabilities, and reverse shell capabilities. 

Researchers also discovered a unique malware sample, tracked as VirtualGate, which includes a dropper and a payload. The malicious code was hosted by the infected hypervisors.

“While we noted the technique used by UNC3886 requires a deeper level of understanding of the ESXi operating system and VMWare’s virtualization platform, we anticipate a variety of other threat actors will use the information outlined in this research to begin building out similar capabilities.” concludes the report. “Mandiant recommends organizations using ESXi and the VMware infrastructure suite follow the hardening steps outlined in this blog post to minimize the attack surface of ESXi hosts.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VMware ESXi Hypervisors)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment