Threat actors that had previously gained administrative privileges on the compromised VMware ESXi servers of several organizations were observed leveraging a unique technique to install two novel, persistent backdoors.
After discovering attacker commands being sourced from a legitimate VMware Tools process on a Windows virtual machine (hosted on a VMware ESXi hypervisor), researchers analyzed the hypervisor’s boot profile. In April, they found attackers leveraging a new tactic: malicious vSphere Installation Bundles (VIBs) used to install two new backdoors on the ESXi hypervisors. VIBs are packaged collections of files that administrators use to deploy updates or maintain ESXi systems. But researchers observed attackers using malicious VIB packages as a persistence technique to maintain access across ESXi hypervisors.
“It is important to highlight that this is not an external remote code execution vulnerability; the attacker needs admin-level privileges to the ESXi hypervisor before they can deploy malware,” said Mandiant researchers in a Thursday analysis. “Mandiant has no evidence of a 0-day vulnerability being used to gain initial access or deploy the malicious VIBs at the time of writing this post.”
VIBs are made up of XML descriptor files, a payload (a .vgz archive) and a signature file used to verify the host acceptance level of a VIB. Acceptance levels come in four tiers that are set for hosts, image profiles and individual VIBs, and they can be changed manually by ESXi administrative accounts using the --force flag option. The malicious VIBs uncovered by researchers were labeled under the default acceptance level, “PartnerSupported,” which indicates that the VIBs are published by a trusted VMware partner. Upon further investigation, however, researchers found that the signature files of the malicious VIBs were empty. Instead, an attacker had modified the XML descriptor file to change the VIB to the “PartnerSupported” level, even though the files only met the requirements of the basic “CommunitySupported” level, which is for VIBs created by third parties that are not reviewed or signed by VMware or its trusted partners.
“While the acceptance-level field was modified in the Descriptor XML by the attacker, the ESXi system still did not allow for a falsified VIB file to be installed below the minimal set acceptance level. To circumvent this, the attacker abused the --force flag to install malicious CommunitySupported VIBs,” said researchers.
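The two checks a defender would want from the preceding paragraphs, a descriptor that claims an acceptance level its signature file cannot support, and an effective level below the host minimum that only a `--force` install could override, are shown below as an added example written for this article; it is not Mandiant's or VMware's code. It assumes that descriptor.xml stores the level in an `<acceptance-level>` element with the values `certified`, `accepted`, `partner` or `community`, and that the signature file is empty for CommunitySupported VIBs; the sample descriptors, VIB names and signature bytes are constructed for illustration.

```python
"""Audit a VIB's metadata for a forged acceptance level.

Added example; not Mandiant's or VMware's code. Assumptions (labelled):
descriptor.xml stores the acceptance level in an <acceptance-level>
element using certified/accepted/partner/community, and the signature
file is empty for CommunitySupported VIBs. Sample data is constructed.
"""
import xml.etree.ElementTree as ET

# Acceptance tiers from most to least trusted; a lower rank is more trusted.
ACCEPTANCE_RANK = {"certified": 0, "accepted": 1, "partner": 2, "community": 3}
DISPLAY_NAME = {
    "certified": "VMwareCertified",
    "accepted": "VMwareAccepted",
    "partner": "PartnerSupported",
    "community": "CommunitySupported",
}


def parse_descriptor(xml_text):
    """Return the VIB name and the acceptance level claimed in its descriptor."""
    root = ET.fromstring(xml_text)
    name = (root.findtext("name") or "<unnamed>").strip()
    level = (root.findtext("acceptance-level") or "").strip().lower()
    if level not in ACCEPTANCE_RANK:
        raise ValueError(f"unknown acceptance level {level!r} in VIB {name}")
    return name, level


def audit_vib(xml_text, signature, host_min_level):
    """Flag a claimed level not backed by a signature, and an effective level
    below the host minimum (installable only with --force)."""
    name, claimed = parse_descriptor(xml_text)
    signed = bool(signature.strip())
    findings = []
    # An empty signature file can only back the CommunitySupported tier, so a
    # higher claim in the descriptor is a forged acceptance level.
    if not signed and claimed != "community":
        findings.append(
            f"{name}: descriptor claims {DISPLAY_NAME[claimed]} but signature file is empty"
        )
    # The level the host should actually honour: unsigned means community.
    effective = claimed if signed else "community"
    if ACCEPTANCE_RANK[effective] > ACCEPTANCE_RANK[host_min_level]:
        findings.append(
            f"{name}: effective level {DISPLAY_NAME[effective]} is below host minimum "
            f"{DISPLAY_NAME[host_min_level]}; install would need --force"
        )
    return findings


def _descriptor(name, level):
    """Build a minimal constructed descriptor.xml for the samples below."""
    return (
        '<vib version="5.0">'
        f"<name>{name}</name><version>1.0-1</version><vendor>example</vendor>"
        f"<acceptance-level>{level}</acceptance-level>"
        "</vib>"
    )


# Constructed samples: a partner VIB with a placeholder signature, a VIB whose
# descriptor was edited to claim partner while its signature is empty, and an
# honest community VIB. Names are invented for the example.
LEGIT_PARTNER = _descriptor("vendor-tools", "partner")
LEGIT_SIG = b"-----BEGIN PKCS7-----\nPLACEHOLDER-SIGNATURE\n-----END PKCS7-----\n"
TAMPERED = _descriptor("esx-update-helper", "partner")
COMMUNITY = _descriptor("homelab-driver", "community")
EMPTY_SIG = b""

if __name__ == "__main__":
    for label, xml_text, sig in (
        ("legit", LEGIT_PARTNER, LEGIT_SIG),
        ("tampered", TAMPERED, EMPTY_SIG),
        ("community", COMMUNITY, EMPTY_SIG),
    ):
        print(label, audit_vib(xml_text, sig, "partner") or ["ok"])
```

Run against descriptors and signature files pulled from the VIBs listed on a host, the tampered sample produces both findings while the legitimate partner VIB produces none; the honest community VIB is flagged only for sitting below a PartnerSupported host minimum, which is exactly the case where a `--force` install in the shell history deserves a closer look.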
Attackers also leveraged two backdoors in the attack. One is a malware family researchers call VIRTUALPITA, which supports arbitrary command execution, file upload and download, the ability to start and stop vmsyslogd, and the ability to listen on and log the activity of a Virtual Machine Communication Interface. The malware uses several tactics to cover its tracks, including VMware service names to disguise its activity as a legitimate service. The other malware discovered by researchers is called VIRTUALPIE, a backdoor written in Python that supports arbitrary code execution, as well as file transfer and reverse shell capabilities. Researchers found VIRTUALPIE samples targeting both VMware ESXi and Linux.
Researchers found that attackers had executed several commands on guest machines via these backdoors, primarily focused on the enumeration and compression of files across the system, as well as the targeting of virtualized systems for credential harvesting (using MiniDump to dump process memory and search for cleartext credentials). Researchers suspect the activity, which they track as UNC3886, is related to cyber espionage.
Charles Carmakal, CTO with Mandiant Consulting, said that the malware was deployed on fewer than ten organizations; however, researchers anticipate that more organizations will discover compromised VMware infrastructure. VMware and Mandiant both outlined guidance for VMware customers to secure their vSphere environments and apply additional mitigations.
“While we noted the technique used by UNC3886 requires a deeper level of understanding of the ESXi operating system and VMware’s virtualization platform, we anticipate a variety of other threat actors will use the information outlined in this research to begin building out similar capabilities,” they said.