Covert malware targets VMware shops for hypervisor-level espionage

Emerging covert malware can target VMware environments to allow criminals to gain persistent administrative access to hypervisors, transfer files, and execute arbitrary commands on virtual machines, according to VMware and Mandiant, which discovered such a software nasty in the wild earlier this year.

Mandiant, the now-Google-owned threat intel team, attributed the infections to an uncategorized group it calls UNC3886 and says it suspects the snoops' motivation to be espionage. Mandiant also asserts "with low confidence" that the gang has ties to China.

In research published today, Mandiant noted that, to develop and deploy this spyware, its mastermind would need a fairly deep level of understanding of VMware's ESXi operating system as well as admin-level privileges to a victim's ESXi hypervisor installation.

This means we're not talking about a new remote code execution vulnerability, and it's not an especially easy intrusion to pull off, but would be doable by nation-state actors.

The good news is that (so far) the security researchers are aware of fewer "than ten organizations" that have been compromised by the malware, and there's no evidence of a zero-day vulnerability being used to gain access or deploy the malware.

However, "we anticipate a variety of other threat actors will use the information outlined in this research to begin building out similar capabilities," Mandiant admitted, and recommended organizations using ESXi and VMware infrastructure follow its suggested hardening steps as well as VMware's guidance.

"This malware differs in that it supports remaining both persistent and covert, which is consistent with the goals of larger threat actors and APT groups who target strategic institutions with the intention of dwelling undetected for some time," the virtualization giant noted in its advisory.

'Persistent and covert'

Prior to this discovery, both VMware and Mandiant say they hadn't seen persistent malware with these capabilities deployed on VMware hypervisor hosts or guest systems in the wild.

Mandiant first came across the malware during an intrusion investigation for a joint customer with VMware. The threat hunters identified attacker commands coming from the legitimate VMware Tools process on a Windows VM hosted on a VMware ESXi hypervisor, we're told.

VMware ESXi servers don't generally support endpoint detection and response products. That makes it easier for spies and other miscreants to hang out on these systems without being detected, enabling them to snoop through files covertly and steal data.  

According to Mandiant, while analyzing the boot profile for the ESXi hypervisors, its researchers discovered a "never-before-seen technique" that used malicious vSphere Installation Bundles ("VIBs") to install multiple backdoors.

VMware VIBs are used by administrators to update and maintain systems. In this case, however, the attacker used VIB packages with falsified acceptance levels to maintain access across ESXi hypervisors and deploy malware. 

The security shop named the new malware VirtualPITA (ESXi and Linux), VirtualPIE (ESXi), and VirtualGATE (Windows). 

VirtualPITA and VirtualPIE

The VMware ESXi server backdoors, VirtualPITA and VirtualPIE, both have unique charactuerists. VirtualPITA is a 64-bit backdoor that uses VMware service names and ports to disguise itself as a legitimate service. It allows the attacker to execute arbitrary commands, upload and download files, and start and stop the host's syslog service, vmsyslogd.

"Variants of this malware were found to listen on a Virtual Machine Communication Interface (VMCI) and log this activity to the file sysclog," Mandiant wrote.

Meanwhile, VirtualPIE is written in Python and spawns a daemonized IPv6 listener on a hardcoded port on a VMware ESXi server. Its capabilities include arbitrary command line execution, file transfer, and reverse shell scripting. It also uses RC4 to encrypt communications.

Listening in on Linux, Windows VMs

Mandiant also discovered two other VirtualPita samples listening on TCP port 7475 on Linux-based vCenter systems disguised as legitimate binaries. And finally, compromised Windows guest VMs that were hosted by the infected hypervisor had their own unique malware that Mandiant named VirtualGATE. It's written in C, and includes a dropper and a payload. 

As Mandiant explained: "The memory only dropper deobfuscates a second stage DLL payload that uses VMware's virtual machine communication interface (VMCI) sockets to run commands on a guest virtual machine from a hypervisor host, or between guest virtual machines on the same host."

• China's infosec researchers obeyed Beijing and stopped reporting vulns ... or did they?
• VMware confirms Carbon Black causes BSODs, boot loops on Windows
• China-linked spies used six backdoors to steal info from defense, industrial enterprise orgs
• Who is exploiting VMware right now? Probably Iran's Rocket Kitten, to name one

In addition to using the malware to execute commands to the guest machines – primarily enumeration and compression of files – the attacker also harvested credentials, using MiniDump to dump process memory and hunt for cleartext credentials, we're told. 

"VMware worked closely with Mandiant to understand this specialized malware so we could quickly arm our customers with the guidance they need to secure their vSphere environments and mitigate," said Manish Gaur, head of product security at VMware, in a statement provided to The Register.

"While there is no VMware vulnerability involved, we are highlighting the need for strong operational security practices that include secure credential management and network security, in addition to following VMware's hardening guidelines for virtual infrastructure." 

In other words: harden now, before less sophisticated miscreants read this research and set about executing similar attacks now that someone else has done all the legwork. ®