Hackers, possibly operating from China, have been using a new technique to install persistent backdoors on VMware ESXi hypervisors. The technique gives them significant capabilities on the hypervisor while making detection more difficult.
The technique, spotted by Mandiant in April, involves malicious vSphere Installation Bundles (VIBs). A VIB is a collection of files packaged into a single archive to facilitate distribution, similar to a tarball or ZIP archive.
VIB packages can create startup tasks, add custom firewall rules, or deploy custom binaries when an ESXi host is rebooted. Administrators typically use them to maintain systems and deploy updates, but malicious actors have found a way to abuse them.
The attackers observed by Mandiant have used malicious VIBs to install two backdoors on ESXi hypervisors. These pieces of malware, named VirtualPita and VirtualPie by Mandiant, allow arbitrary command execution, file transfers, and the ability to initiate reverse shells.
According to Mandiant, this new ‘malware ecosystem’ affects VMware ESXi, Linux vCenter servers, and Windows virtual machines (VMs). The Windows malware is tracked as VirtualGate.
The attackers can maintain persistent admin access to a hypervisor across restarts, send commands to the hypervisor that are routed to a guest VM for execution, transfer files between the hypervisor and guest machines, and execute arbitrary commands from one guest VM against another guest VM on the same hypervisor. They can also tamper with logging services on the hypervisor.
Mandiant pointed out that the attack does not appear to involve exploitation of a known or zero-day vulnerability in VMware products, either for initial access or to deploy the malicious VIBs. The attacker first needs admin-level privileges on the ESXi hypervisor before the malware can be deployed.
The cybersecurity firm tracks this activity as UNC3886 and believes a cyberespionage group may be behind it, noting that fewer than 10 victims have been identified so far.
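Because deployment needs admin privileges on the host rather than an exploit, the practical defender's check is an inventory of which VIBs a host actually carries. The following is an added example, not code from Mandiant, VMware or SecurityWeek: a Python triage script that parses the human-readable output of `esxcli software vib list` (the sample table embedded below is constructed, not a real capture) and flags bundles whose acceptance level, vendor or install date is out of the ordinary for the host. The vendor allowlist, the baseline date and the "ACME" vendor in the sample are assumptions to be adjusted per site.

```python
"""Triage the VIB inventory of an ESXi host for bundles that deserve a closer look.

Added example, not code from Mandiant, VMware or SecurityWeek. It parses the
default table output of `esxcli software vib list` (a constructed sample is
embedded below) and flags VIBs whose acceptance level, vendor or install date
does not match what the host is expected to carry.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Acceptance levels ESXi grants to VIBs that carry a VMware or partner signature.
# CommunitySupported bundles typically carry no such signature, which is why a
# host must be lowered to that level (or the install forced) before one loads.
SIGNED_LEVELS = {"VMwareCertified", "VMwareAccepted", "PartnerSupported"}

# Assumption: a per-site allowlist of VIB vendors observed on a clean host.
# "VMW" and "VMware" are the stock ESXi vendors; extend with your OEM's tag.
ALLOWED_VENDORS = {"VMW", "VMware"}

# Constructed sample of `esxcli software vib list` output (not captured from a
# real incident). The fourth VIB, from the made-up vendor "ACME", is the odd one.
SAMPLE_VIB_LIST = """\
Name                Version                           Vendor  Acceptance Level    Install Date
------------------  --------------------------------  ------  ------------------  ------------
ata-libata-92       3.00.9.2-16vmw.700.1.0.15843807   VMW     VMwareCertified     2022-01-14
esx-base            7.0.3-0.20.19193900               VMware  VMwareCertified     2022-01-14
lsu-hp-hpsa-plugin  2.0.0-7vmw.700.1.0.15843807       VMW     VMwareCertified     2022-01-14
net-community       1.0.0-1                           ACME    CommunitySupported  2022-04-02
"""


def parse_vib_table(text: str) -> List[Dict[str, str]]:
    """Turn esxcli's human-readable table into a list of {column: value} dicts.

    esxcli pads columns with at least two spaces, so splitting on runs of two
    or more spaces recovers the fields without depending on exact widths.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not re.fullmatch(r"[-\s]+", lines[1]):
        raise ValueError("expected a header line followed by a dashed ruler")
    columns = re.split(r"\s{2,}", lines[0].strip())
    records: List[Dict[str, str]] = []
    for row in lines[2:]:
        fields = re.split(r"\s{2,}", row.strip())
        if len(fields) != len(columns):
            raise ValueError(f"column count mismatch in row: {row!r}")
        records.append(dict(zip(columns, fields)))
    return records


def suspicious_vibs(
    records: Iterable[Dict[str, str]],
    allowed_vendors: Iterable[str] = ALLOWED_VENDORS,
    baseline_date: Optional[str] = None,
) -> List[Tuple[str, List[str]]]:
    """Return (name, [reasons]) for every VIB that fails a triage rule.

    baseline_date is an ISO date (YYYY-MM-DD) after which no authorized VIB
    changes are expected; string comparison is safe because the format is fixed.
    The acceptance level shown is what the bundle's descriptor declares, so it is
    a weak signal on its own and is combined with the vendor and date checks.
    """
    allowed = set(allowed_vendors)
    findings: List[Tuple[str, List[str]]] = []
    for rec in records:
        reasons = []
        if rec["Acceptance Level"] not in SIGNED_LEVELS:
            reasons.append(f"unsigned acceptance level {rec['Acceptance Level']}")
        if rec["Vendor"] not in allowed:
            reasons.append(f"vendor {rec['Vendor']} not on allowlist")
        if baseline_date is not None and rec["Install Date"] > baseline_date:
            reasons.append(f"installed {rec['Install Date']}, after baseline {baseline_date}")
        if reasons:
            findings.append((rec["Name"], reasons))
    return findings


if __name__ == "__main__":
    hits = suspicious_vibs(parse_vib_table(SAMPLE_VIB_LIST), baseline_date="2022-02-01")
    for name, reasons in hits:
        print(f"{name}: {'; '.join(reasons)}")
```

Run `esxcli software vib list` on each host, feed the output to `parse_vib_table`, and diff the result against a baseline taken from a known-clean host built from the same image. Pair this with the signature check (`esxcli software vib signature verify` on ESXi releases that provide it; confirm against your version's documentation) rather than trusting the acceptance-level column alone.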
“Given the highly targeted and evasive nature of this intrusion, we suspect UNC3886 motivation to be cyber espionage related. Additionally, we assess with low confidence that UNC3886 has a China-nexus,” Mandiant said.
VMware has been informed about these attacks and the company has released guidance for securing vSphere environments against such threats.
“While there is no VMware vulnerability involved, we are highlighting the need for strong Operational Security practices that include secure credential management and network security, in addition to following VMware’s hardening guidelines for virtual infrastructure,” said Manish Gaur, head of product security at VMware.
Mandiant believes other threat actors will develop similar capabilities in the future. The company also anticipates that more victims will come to light once organizations start checking their systems against the indicators of compromise (IoCs) it has made available.
“As endpoint detection and response (EDR) solutions improve malware detection efficacy on Windows systems, certain advanced state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR such as network appliances, SAN arrays, and VMware ESXi servers. This increases the difficulty for organizations to detect malicious attacker activity,” said Mandiant Consulting CTO Charles Carmakal.
Related: Researchers Find Python-Based Ransomware Targeting Jupyter Notebook Web Apps
Related: New Cross-Platform ‘Luna’ Ransomware Only Offered to Russian Affiliates

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
