Researchers at the now Google-owned Mandiant have discovered novel malware sampled called VirtualGate, VirtualPita and VirtualPie complete with a dropper and payload. The malware uses malicious vSphere Installation Bundles to install backdoors on the bare-metal hypervisor.
This new method can establish persistence on VMware ESXi hypervisor and in turn control Center servers and virtual machines for Windows and Linux while avoiding detection at the same time.
The malware was first discovered during an intrusion investigation earlier this year when researchers discovered a threat actor using these malicious vSphere Installation Bundles to deliver the VirtualPie and VirtualPita malware. The threat actor, tracked as UNC3886 is also suspected to have ties with China.
Overall, the malware ecosystem allows a threat actor to do the following:
- Maintain persistent admin access to the affected hypervisor.
- Send commands to the hypervisor that are in turn routed to the guest virtual machine for execution.
- Transfer files between the host ESXi hypervisor and the guest machines.
- Tamper with logging services on the hypervisor.
- Execute arbitrary commands from one guest virtual machine to another running on the same hypervisor.
Infiltrating virtual machines by deceiving trust
The way the ecosystem works is by abusing a VIB package as mentioned above. Generally, a VIB package includes the following files:
- An archive referred to as a ‘payload’ of files needs to be installed on the target machine.
- An XML descriptor file including VIB metadata, the payload to be installed and other important information.
- A signature file used to verify the host acceptance level of a VIB.
These VIBs can be created by VMware, approved partners or the community. The threat actor modified this acceptance level in the XML descriptor file from ‘community’ to ‘partner’ to trick unsuspecting users into believing the file is approved by a verified VMware partner.
However, the ESXi system doesn’t accept a modified level of trust alone and that’s why the attacker also used the –force flag to install the malicious VIBs.
The backdoors themselves also impersonate legitimate VMware service names and ports allowing execution or arbitrary commands, file uploads and downloads and control over the logging mechanism.
The two backdoors have their own individual characteristics as well. A Linux variant for VirtualPita was found persisting itself as an init.d startup service on Linux-based vCenter systems.
VirtualPie on the other hand is a Python-based backdoor that spawns a daemonised IPv6 listener on a hardcoded port on the ESXi server and supports command line execution, file transfer and the ability to set up a reverse shell.
Last but not least, Windows guest machines were infected by VirtualGate which includes a memory-only dropper that in turn hides the second-stage DLL payload to be deployed on the virtual machine.
The attack does require the hacker to have admin-level privileges on the target hypervisor, which might mitigate the risk a little bit. Mandiant has provided technical details about the malware family and has laid out mitigations on how to reduce the risk of attack on ESXi hosts.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.