Cybersecurity researchers have found new malware families targeting VMware ESXi hypervisors that can let attackers seize control of infected systems.
The hypervisors themselves are the target of this novel malware ecosystem. With it, attackers can maintain persistent access to the hypervisor and execute arbitrary commands on the guest virtual machines it runs.
According to the cybersecurity vendor that reported it, this recent hyperjacking attack is accomplished by slipping two implants, VIRTUALPITA and VIRTUALPIE, onto hypervisors through malicious vSphere Installation Bundles (VIBs).
Because ESXi is the hypervisor that runs the server, an attacker needs admin-level privileges on it before the malware can be deployed, as noted in the two-part report by Mandiant researchers Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore.
There is no evidence that a zero-day vulnerability was exploited; however, the use of trojanized VIBs signifies a new level of sophistication.
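Because the persistence mechanism is a VIB that has to be installed with administrative rights, one of the first things a defender can do is inventory the VIBs on each host and look for ones that do not belong. The script below is an added example, not tooling from Mandiant or VMware: it parses the tabular output of `esxcli software vib list` (the sample text is constructed to resemble that output, and the `example-tool`/`ACME` row is hypothetical) and flags any VIB whose acceptance level is lower than the level the host is configured to allow, since such a VIB can only be present if someone forced the install or lowered the host level, plus any VIB from a non-VMware vendor, which is where a trojanized bundle would hide.

```python
"""Audit `esxcli software vib list` output for VIBs that warrant investigation.

Added example, not Mandiant's or VMware's code. SAMPLE_VIB_LIST is constructed
to look like esxcli output; the 'example-tool' / 'ACME' row is hypothetical.
"""
from typing import Dict, List, NamedTuple

# Constructed sample of `esxcli software vib list` output (not captured from a real host).
SAMPLE_VIB_LIST = """\
Name                           Version                          Vendor  Acceptance Level    Install Date
-----------------------------  -------------------------------  ------  ------------------  ------------
esx-base                       7.0.3-0.35.19482537              VMware  VMwareCertified     2022-08-01
vmware-esx-esxcli-nvme-plugin  1.2.0.44-1vmw.703.0.35.19482537  VMware  VMwareCertified     2022-08-01
net-mst                        4.20.0.0-1OEM.700.1.0.15525992   MEL     PartnerSupported    2022-08-01
example-tool                   1.0-1                            ACME    CommunitySupported  2022-09-14
"""

# VMware's VIB acceptance levels from most to least trusted. A host configured at
# PartnerSupported refuses CommunitySupported VIBs unless the install is forced.
ACCEPTANCE_ORDER = ["VMwareCertified", "VMwareAccepted", "PartnerSupported", "CommunitySupported"]
RANK: Dict[str, int] = {level: i for i, level in enumerate(ACCEPTANCE_ORDER)}


class Vib(NamedTuple):
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: str


def parse_vib_list(text: str) -> List[Vib]:
    """Parse the five-column table printed by `esxcli software vib list`."""
    vibs: List[Vib] = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header (7 tokens), the dashed separator, blanks and malformed lines.
        if len(fields) != 5 or fields[0].startswith("-"):
            continue
        vib = Vib(*fields)
        if vib.acceptance not in RANK:
            raise ValueError(f"unknown acceptance level {vib.acceptance!r} on {vib.name}")
        vibs.append(vib)
    return vibs


def audit_vibs(text: str, host_level: str = "PartnerSupported") -> List[str]:
    """Return one finding per VIB that should be investigated on this host.

    A VIB below the host's acceptance level could only have been installed by
    forcing it or by lowering the host level. A VIB from a third-party vendor is
    not malicious by itself, but its signature should be verified on the host.
    """
    findings: List[str] = []
    for vib in parse_vib_list(text):
        if RANK[vib.acceptance] > RANK[host_level]:
            findings.append(
                f"{vib.name} {vib.version}: acceptance {vib.acceptance} is below "
                f"host level {host_level} (forced install or lowered host level?)"
            )
        elif vib.vendor != "VMware":
            findings.append(
                f"{vib.name} {vib.version}: third-party vendor {vib.vendor}, verify signature"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_vibs(SAMPLE_VIB_LIST):
        print(finding)
```

Run it against real output captured with `esxcli software vib list` from each host, and treat the listed acceptance level as a hint rather than proof: the level comes from the bundle's own descriptor, so a forged descriptor can claim a higher level than its payload earned. Anything flagged should have its signature verified on the host (recent ESXi releases expose this through `esxcli software vib signature verify`) and be compared against the VIBs shipped in a known-good image.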
With access to the environment and some sophisticated work, the attacker was able to deploy malware on ESXi servers, using VMware credentials stolen from a third-party source. This malware is aimed at strategic institutions, not small organizations: large threat actors and APT groups use it to remain persistent and covert, according to VMware.
VIRTUALPITA is a backdoor that supports arbitrary command execution and file upload and download, giving the attacker a way into the hypervisor, control over it, and a channel for moving files. VIRTUALPIE is a Python backdoor with command-line execution, file transfer, and reverse-shell features.
The researchers also discovered VIRTUALGATE, a C-based utility program found on guest virtual machines that carries an encoded second-stage payload; that payload uses VMware's Virtual Machine Communication Interface (VMCI) to relay commands between the guest and the hypervisor.
As of now, the malware is known to have been deployed in fewer than ten organizations, but more victims are likely to surface as other companies start inspecting their VMware infrastructure.
The attack abused virtualization software rather than exploiting a flaw in it, and this attack surface is likely to be fiercely targeted in the future.
The activity is attributed to a previously unknown threat cluster, tracked as UNC3886, whose motivation is likely espionage. The intrusions have been highly targeted, and while there is uncertainty about who is behind them, it is assessed with low confidence that UNC3886 has a China nexus.