Security News > 2022 > September > New malware backdoors VMware ESXi servers to hijack virtual machines
Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection.
A modified level of trust is not enough for the ESXi system to accept it by default but the attacker also used the '-force' flag to install the malicious VIBs.
Using these tricks, the threat actor was able to install the VirtualPita and VirtualPie malware on the compromised ESXi machine.
"VIRTUALPITA is a 64-bit passive backdoor that creates a listener on a hardcoded port number on a VMware ESXi server," Mandiant says in a report today.
VirtualPie is Python-based and spawns a daemonized IPv6 listener on a hardcoded port on a VMware ESXi server.
On Windows guest virtual machines under the infected hypervisor, the researchers found another malware, VirtualGate, which includes a memory-only dropper that deobfusccates a second-stage DLL payload on the VM. This attack requires the threat actor to have admin-level privileges to the hypervisor.
News URL
Related news
- Chilean hosting firm's VMware ESXi servers hit by new SEXi ransomware (source)
- Hosting firm's VMware ESXi servers hit by new SEXi ransomware (source)
- Week in review: Backdoor found in XZ utilities, weaponized iMessages, Exchange servers at risk (source)
- DinodasRAT malware targets Linux servers in espionage campaign (source)
- Researchers sinkhole PlugX malware server with 2.5 million unique IPs (source)
- Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers (source)
- Iranian hackers pose as journalists to push backdoor malware (source)