New Malware Families Found Targeting VMware ESXi Hypervisors

Cyber Security

Products You May Like

Threat actors have been found deploying never-before-seen post-compromise implants in VMware’s virtualization software to seize control of infected systems and evade detection.

Google’s Mandiant threat intelligence division referred to it as a “novel malware ecosystem” that impacts VMware ESXi, Linux vCenter servers, and Windows virtual machines, allowing attackers to maintain persistent access to the hypervisor as well as execute arbitrary commands.

The hyperjacking attacks, per the cybersecurity vendor, involved the use of malicious vSphere Installation Bundles (VIBs) to sneak in two implants, dubbed VIRTUALPITA and VIRTUALPIE, on the ESXi hypervisors.

CyberSecurity

“It is important to highlight that this is not an external remote code execution vulnerability; the attacker needs admin-level privileges to the ESXi hypervisor before they can deploy malware,” Mandiant researchers Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore said in an exhaustive two-part report.

There is no evidence that a zero-day vulnerability was exploited to gain access to ESXi servers. That said, the use of trojanized VIBs, a software package format used to facilitate software distribution and virtual machine management, points to a new level of sophistication.

VMware ESXi Hypervisors

“This malware differs in that it supports remaining both persistent and covert, which is consistent with the goals of larger threat actors and APT groups who target strategic institutions with the intention of dwelling undetected for some time,” VMware disclosed.

While VIRTUALPITA comes with capabilities to execute commands as well as carry out file upload and download, VIRTUALPIE is a Python backdoor with support for command line execution, file transfer, and reverse shell features.

CyberSecurity

Also uncovered is a malware sample called VIRTUALGATE in Windows guest virtual machines, which is a C-based utility program that executes an embedded payload capable of using VMware’s virtual machine communication interface (VMCI) sockets to run commands on a guest virtual machine from a hypervisor host.

Mandiant also warned that the campaign’s techniques to get around traditional security controls by exploiting virtualization software represent a new attack surface that’s likely to be picked up by other hacker groups.

The attacks have been attributed to an uncategorized, emerging threat cluster codenamed UNC3886, whose motivation is likely to be espionage-driven considering the highly targeted nature of the intrusions. It further assessed with low confidence that UNC3886 has a China-nexus.

Products You May Like

Articles You May Like

Intel working with bankers to present board with strategic options
Meta Considers New Mixed Reality Glasses as Headsets Alternative: Report
Instagram Developing New Feature Which Enables Real-Time Sharing of Currently Playing Spotify Tracks
Black Myth: Wukong Said to Be Delayed on Xbox Due to Exclusivity Deal Between Sony, Game Science
OnePlus 13 Launch Timeline Leaked; Might Arrive in China as Early as October

Leave a Reply

Your email address will not be published. Required fields are marked *