Security News > 2022 > September > New malware backdoors VMware ESXi servers to hijack virtual machines
Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection.
A modified level of trust is not enough for the ESXi system to accept it by default but the attacker also used the '-force' flag to install the malicious VIBs.
Using these tricks, the threat actor was able to install the VirtualPita and VirtualPie malware on the compromised ESXi machine.
"VIRTUALPITA is a 64-bit passive backdoor that creates a listener on a hardcoded port number on a VMware ESXi server," Mandiant says in a report today.
VirtualPie is Python-based and spawns a daemonized IPv6 listener on a hardcoded port on a VMware ESXi server.
On Windows guest virtual machines under the infected hypervisor, the researchers found another malware, VirtualGate, which includes a memory-only dropper that deobfusccates a second-stage DLL payload on the VM. This attack requires the threat actor to have admin-level privileges to the hypervisor.
News URL
Related news
- Over 37,000 VMware ESXi servers vulnerable to ongoing attacks (source)
- Outlaw Group Uses SSH Brute-Force to Deploy Cryptojacking Malware on Linux Servers (source)
- OPSEC Failure Exposes Coquettte’s Malware Campaigns on Bulletproof Hosting Servers (source)
- Police detains Smokeloader malware customers, seizes servers (source)