A novel Python malware is backdooring VMware ESXi servers using vulnerabilities in ESXi’s OpenSLP service. The backdoor exploits the CVE-2019-5544 and CVE-2020-3992 vulnerabilities and was discovered by Juniper Networks researchers and is capable of exploiting Linux and UNIX systems as well.
The researchers couldn’t identify the attack vector of the backdoor due to limited log retention on the infected ESXi server, but they did find evidence indicating that the malware was built especially for attacks against ESXi.
The backdoor works by adding seven lines to the /etc/rc.local.d/local.sh file that stays persistent across reboots and is run whenever a virtual machine boots.
One of these added lines launches a Python script in a directory that stores disk images and logs among other things. The script used in the attack can be used with little to no modification on Linux or similar UNIX systems but contains several indications that made the researchers believe that it was designed specifically to target ESXi servers.
It launches a web server that takes encrypted POST requests from the threat actors remotely. These requests in turn carry a base-64 encoded command payload which in turn launches a reverse shell on the targeted device providing remote access to the attackers.
It further modifies another file called endpoints.conf to change the ESXi reverse HTTP proxy configuration that allows remote access with the malicious web server. Since the endpoints.conf file is also persistent, it ensures that attackers don’t lose access to the web server across reboots.
Current mitigations include checking the aforementioned files for any newly added lines and restoring them to their default states. Additionally, network admins are recommended to restrict incoming network traffic to trusted hosts only.