New Malware Families Targeting VMware ESXi Hypervisors

According to reports, attackers who have already compromised a system are using previously unseen implants for VMware virtualization software to keep control of the infected hosts and evade detection.

Google’s Mandiant threat intelligence team describes it as a “new malware ecosystem” affecting VMware ESXi, Linux vCenter servers, and Windows virtual machines, which gives attackers persistent access to the hypervisor and the ability to execute arbitrary commands.

According to the cybersecurity vendor, the hyperjacking attacks used malicious vSphere Installation Bundles (VIBs) to covertly install two implants, named VIRTUALPITA and VIRTUALPIE, on the ESXi hypervisor.

“It should be noted that this is not an external remote code execution vulnerability,” Mandiant researchers Alexander Marvi, Jeremy Koppen, Tufail Ahmed and Jonathan Lepore said in a comprehensive two-part report. An attacker needs administrator-level privileges on the ESXi hypervisor before they can deploy the malware.

There is no evidence that a zero-day vulnerability was exploited to gain access to the ESXi servers. However, the use of trojanized VIBs, the package format ESXi uses to distribute and install host software such as drivers and management agents, adds a new level of sophistication.
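
Because the implants arrive as installed bundles rather than through an exploit, the first triage question for a suspect host is whether its VIB inventory still matches a known-good build. The script below is an added example, not code from the page or from Mandiant or VMware: it diffs the text of `esxcli software vib list` against a baseline of name/version pairs exported from a golden host, and additionally flags any bundle at CommunitySupported level, which cannot be installed on an ESXi host at its default PartnerSupported acceptance level without lowering that level or using `--force`. The VIB names, versions, vendors and dates are constructed for the example; the page does not give the bundle names the attackers used.

```shell
#!/bin/sh
# Added example (not Mandiant's or VMware's tooling): offline triage of an ESXi
# host's installed-VIB inventory against a golden baseline. All inventory data
# below is constructed for this example.

# Constructed baseline: "name version" per line, exported from a known-good host
# of the same ESXi build.
KNOWN_GOOD='esx-base 7.0.3-0.35.19193900
esx-ui 1.34.8-18540317
vmw-ahci 2.0.9-1vmw.703.0.35.19193900
lsu-hp-hpsa-plugin 2.0.0-16vmw.703.0.35.19193900'

# Constructed sample of `esxcli software vib list` output from a suspect host.
# Column layout follows esxcli: Name, Version, Vendor, Acceptance Level, Install Date.
SUSPECT_VIB_LIST='Name                Version                         Vendor   Acceptance Level    Install Date
------------------  ------------------------------  -------  ------------------  ------------
esx-base            7.0.3-0.35.19193900             VMware   VMwareCertified     2022-01-10
esx-ui              1.34.8-18540317                 VMware   VMwareCertified     2022-01-10
vmw-ahci            2.0.9-1vmw.703.0.35.19193900    VMW      VMwareCertified     2022-01-10
lsu-hp-hpsa-plugin  2.0.0-16vmw.703.0.35.19193900   VMW      VMwareCertified     2022-01-10
sysmgr-agent        1.0-1                           Partner  PartnerSupported    2022-06-23
net-diag-tool       0.9-2                           Acme     CommunitySupported  2022-06-23
'

# Constructed inventory of a host with nothing unexpected installed.
CLEAN_VIB_LIST='Name                Version                         Vendor   Acceptance Level    Install Date
------------------  ------------------------------  -------  ------------------  ------------
esx-base            7.0.3-0.35.19193900             VMware   VMwareCertified     2022-01-10
esx-ui              1.34.8-18540317                 VMware   VMwareCertified     2022-01-10
vmw-ahci            2.0.9-1vmw.703.0.35.19193900    VMW      VMwareCertified     2022-01-10
lsu-hp-hpsa-plugin  2.0.0-16vmw.703.0.35.19193900   VMW      VMwareCertified     2022-01-10
'

# flag_vibs BASELINE VIBLIST
# Prints one line per suspicious VIB: any bundle absent from the baseline, and
# any bundle at CommunitySupported level, which the default PartnerSupported
# host setting only admits after lowering the acceptance level or using --force.
flag_vibs() {
    {
        printf '%s\n' "$1"
        printf '%s\n' "==VIBLIST=="
        printf '%s\n' "$2"
    } | awk '
        $0 == "==VIBLIST==" { in_list = 1; row = 0; next }
        !in_list { if (NF >= 2) known[$1 " " $2] = 1; next }   # load baseline pairs
        { row++ }
        row <= 2 { next }                                       # esxcli header and separator rows
        NF < 5   { next }                                       # blank or truncated lines
        {
            reason = ""
            if (!(($1 " " $2) in known)) reason = "not-in-baseline"
            if ($4 == "CommunitySupported")
                reason = reason (reason == "" ? "" : ",") "community-level"
            if (reason != "")
                printf "%s %s vendor=%s level=%s installed=%s reason=%s\n",
                       $1, $2, $3, $4, $5, reason
        }'
}

# Stand-alone run: report findings for the suspect host.
flag_vibs "$KNOWN_GOOD" "$SUSPECT_VIB_LIST"
```

On a live host the inventory is captured with `esxcli software vib list` and the baseline is built the same way from a freshly installed host of the same build. A name/version match is not proof of integrity, since a trojanized bundle can reuse a legitimate name and a descriptor can claim any acceptance level, so treat a clean diff as triage only and verify the signatures of any bundle that looks unusual rather than trusting the level the inventory reports.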

“This malware is different in that it supports persistence and stealth, which is consistent with the goals of larger threat actors and APT groups that target strategic entities in order to remain undetected for some time,” VMware said.

VIRTUALPITA can run commands and upload and download files, while VIRTUALPIE is a Python backdoor that supports command-line execution, file transfers, and reverse shell functionality.

Also discovered on Windows guest virtual machines was a malware sample called VIRTUALGATE, a C-based program that runs an embedded payload capable of using VMware Virtual Machine Communication Interface (VMCI) sockets to execute commands on a guest virtual machine from the hypervisor.

Mandiant also warned that the campaign’s technique of sidestepping traditional security controls by abusing virtualization software represents a new attack surface that is likely to be adopted by other threat groups.

The attacks have been attributed to a previously unknown, emerging threat cluster tracked as UNC3886, which is likely motivated by espionage given the highly targeted nature of the intrusions. Mandiant also assessed with low confidence that UNC3886 has a Chinese nexus.
