Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection.
A modified level of trust is not enough for the ESXi system to accept it by default but the attacker also used the ‘-force’ flag to install the malicious VIBs.
Using these tricks, the threat actor was able to install the VirtualPita and VirtualPie malware on the compromised ESXi machine.
“VIRTUALPITA is a 64-bit passive backdoor that creates a listener on a hardcoded port number on a VMware ESXi server,” Mandiant says in a report today.
VirtualPie is Python-based and spawns a daemonized IPv6 listener on a hardcoded port on a VMware ESXi server.
On Windows guest virtual machines under the infected hypervisor, the researchers found another malware, VirtualGate, which includes a memory-only dropper that deobfusccates a second-stage DLL payload on the VM. This attack requires the threat actor to have admin-level privileges to the hypervisor.