State-linked actor targets VMware hypervisors with novel malware

Dive Brief:

• A suspected state-linked threat actor has developed a novel form of malware that uses malicious vSphere Installation Bundles to load backdoors on VMware ESXi hypervisors, according to research from Mandiant released Thursday. The hypervisors are used by a range of organizations, including defense, finance, technology firms and government agencies.
• To deploy the malware, a threat actor needs admin-level privileges. From there, the backdoors allow the attacker to transfer files, execute commands and tamper with logging services on both the hypervisors and virtual machines, according to Mandiant. It is not a remote-code execution vulnerability.
• “As endpoint detection and response (EDR) solutions improve malware detection efficiency on Windows systems, certain advanced state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR such as network appliances, SAN arrays and VMware ESXi servers,” Charles Carmakal, CTO at Mandiant Consulting, said in a statement. “This increases the difficulty for organizations to detect malicious attacker activity.”

Dive Insight:

The malware was found at less than 10 organizations, but researchers expect to find more targeted companies. Mandiant is tracking the actor linked to the attacks as UNC3886.

Researchers originally discovered the threat activity during an investigation in April.The firm discovered attackers issuing commands from a legitimate VMware Tools process on a Windows virtual machine that was hosted on a VMware ESXi hypervisor. 

Mandiant named the backdoors discovered in the systems as VIRTUALPITA and VIRTUALPIE. 

Researchers could not pinpoint what the specific goal of the threat actor was, but Alex Marvi, a consultant at Mandiant Consulting, said the attackers appeared to be trying to gather and retain information from targeted organizations over a long period of time. 

“Given the targeted and evasive nature of this intrusion, we suspect the attacker’s motivation to be cyber espionage related,” Marvi said via email.

The backdoors have features built in to them to conduct additional activity, Marvi said.

VMware worked closely with Mandiant researchers to understand how this attack was put together, Manish Gaur, head of product security at VMware, said in a statement. 

There was no VMware vulnerability linked to this attack, Gaur said, but customers need to follow guidance related to secure credentials management and network security. The company also has hardening guidance for virtual infrastructure.

Comments are closed.