Covert malware targets VMware shops for hypervisor-level espionage (Security News, September 2022)
Emerging covert malware families that target VMware environments could allow criminals to gain persistent administrative access to the hypervisor, transfer files, and execute arbitrary commands between virtual machines, according to VMware and Mandiant, which discovered the software nasty earlier this year.
Prior to this discovery, both VMware and Mandiant say they hadn't seen persistent malware with these capabilities deployed on VMware hypervisors or guest systems in the wild.
Mandiant first came across the malware during an intrusion investigation for a joint customer with VMware.
The security shop named the three new malware families VirtualPITA, VirtualPIE, and VirtualGATE. The first two, VirtualPITA and VirtualPIE, are backdoors for the VMware ESXi server itself, and each has its own distinct characteristics.
Finally, compromised Windows guest VMs that were hosted by the infected hypervisor had their own unique malware that Mandiant named VirtualGATE. It's written in C, and includes a dropper and a payload. As Mandiant explained: "The memory only dropper deobfuscates a second stage DLL payload that uses VMware's virtual machine communication interface sockets to run commands on a guest virtual machine from a hypervisor host, or between guest virtual machines on the same host."
"VMware worked closely with Mandiant to understand this specialized malware so we could quickly arm our customers with the guidance they need to secure their vSphere environments and mitigate," said Manish Gaur, head of product security at VMware, in a statement provided to The Register.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/09/29/vmware_malware_mandiant/