
Mandiant spots new malware targeting VMware ESXi hypervisors

Mandiant researchers said the backdoors were installed with a novel technique that used malicious vSphere Installation Bundles, though it's unclear how initial access was achieved.

On Thursday, Mandiant detailed two new malware families targeting VMware ESXi hypervisors in an apparent cyberespionage campaign.

In the first installment of a two-part report, Mandiant researchers described how an intrusion investigation earlier this year revealed a series of novel malware samples designed to establish and maintain persistent administrative access to hypervisors. According to the blog post, titled "Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors," the malware targets hypervisors running on VMware ESXi servers, which Mandiant noted "do not generally support" endpoint detection and response (EDR) products.

"Mandiant analyzed the boot profile for the ESXi hypervisors and identified a never-before-seen technique in which a threat actor leveraged malicious vSphere Installation Bundles ('VIBs') to install multiple backdoors on the ESXi hypervisors," Mandiant researchers wrote in the report.
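Since the persistence described in the report hinges on VIBs that should not be on the host, the most direct defender check is an inventory of installed VIBs compared against a policy and a known-good baseline. The Python below is an added illustration, not code from the article, from Mandiant's report, or from VMware: it parses the table printed by the real `esxcli software vib list` command (the sample output, the vendor and acceptance-level allowlists, and the baseline VIB names are constructed assumptions) and reports any VIB whose vendor or acceptance level falls outside the allowlist or whose name is absent from the baseline.

```python
"""Baseline check for installed ESXi VIBs.

Added example (not from the TechTarget article or Mandiant's report). It parses
the table printed by `esxcli software vib list` and flags any VIB whose vendor
or acceptance level falls outside an allowlist, or whose name is absent from a
baseline captured on a known-good host. The sample output, allowlists and
baseline below are constructed assumptions; adapt them to the environment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `esxcli software vib list` output (not real host data).
# The final row is a made-up entry that the check should surface.
SAMPLE_VIB_LIST = """\
Name                Version                          Vendor   Acceptance Level    Install Date
------------------  -------------------------------  -------  ------------------  ------------
esx-base            7.0.3-0.20.19193900              VMware   VMwareCertified     2022-01-15
net-ixgben          1.7.1.26-1vmw.703.0.20.19193900  VMW      VMwareCertified     2022-01-15
vmware-esx-storcli  1.23.02-01                       LSI      PartnerSupported    2022-02-03
lsu-hp-hpsa-plugin  2.0.0-16vmw.703.0.20.19193900    VMware   VMwareCertified     2022-01-15
esxupdt-agent       1.0.0-1                          EXAMPLE  CommunitySupported  2022-07-19
"""

# Assumed policy: nothing below PartnerSupported belongs on a production host,
# and only these vendor strings are expected. Tune per environment.
ALLOWED_ACCEPTANCE = frozenset({"VMwareCertified", "VMwareAccepted", "PartnerSupported"})
ALLOWED_VENDORS = frozenset({"VMware", "VMW", "LSI"})

# Assumed baseline: VIB names recorded from a known-good host of the same build.
BASELINE_VIBS = frozenset({"esx-base", "net-ixgben", "vmware-esx-storcli", "lsu-hp-hpsa-plugin"})


@dataclass(frozen=True)
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: str


def parse_vib_list(text: str) -> list[Vib]:
    """Parse esxcli's table format: columns are separated by two or more spaces."""
    vibs: list[Vib] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the header row and the dashed separator row.
        if not line or line.startswith("Name ") or set(line) <= {"-", " "}:
            continue
        fields = re.split(r"\s{2,}", line)
        if len(fields) != 5:
            raise ValueError(f"unexpected esxcli row layout: {line!r}")
        vibs.append(Vib(*fields))
    return vibs


def find_suspicious_vibs(
    vibs: list[Vib],
    allowed_acceptance: frozenset[str] = ALLOWED_ACCEPTANCE,
    allowed_vendors: frozenset[str] = ALLOWED_VENDORS,
    baseline: frozenset[str] = BASELINE_VIBS,
) -> dict[str, list[str]]:
    """Return {vib_name: [reasons]} for every VIB that violates the policy."""
    findings: dict[str, list[str]] = {}
    for vib in vibs:
        reasons = []
        if vib.acceptance not in allowed_acceptance:
            reasons.append(f"acceptance level {vib.acceptance!r} not permitted")
        if vib.vendor not in allowed_vendors:
            reasons.append(f"vendor {vib.vendor!r} not on allowlist")
        if vib.name not in baseline:
            reasons.append("not present in known-good baseline")
        if reasons:
            findings[vib.name] = reasons
    return findings


if __name__ == "__main__":
    # On a real host, feed the live command output instead of the sample:
    #   import subprocess
    #   text = subprocess.check_output(["esxcli", "software", "vib", "list"], text=True)
    for name, reasons in find_suspicious_vibs(parse_vib_list(SAMPLE_VIB_LIST)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The baseline comparison is the part that does the real work: a malicious VIB can carry any vendor string or acceptance level it likes, so a name-level diff against a trusted host of the same build catches additions that a policy check on the VIB's own metadata would miss.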

The backdoors, which Mandiant dubbed VirtualPITA and VirtualPIE, establish listeners on ESXi servers. Threat actors could use the access to move files between an ESXi hypervisor and its guest VMs and use a compromised hypervisor to execute arbitrary commands from one VM to another, according to the report.

Mandiant's report noted that attackers need administrator-level access to the ESXi hypervisor before they can deploy the malware. It's unclear how the threat actors in the intrusion gained such access, but the security vendor said it found no evidence that a zero-day vulnerability was used for initial access.

Beyond the initial intrusion that Mandiant investigated, there are other victims of VirtualPIE and VirtualPITA. In a statement sent to TechTarget Editorial, Mandiant senior vice president and CTO Charles Carmakal warned the threat could put other VMware customers in danger.

"While we are aware of less than 10 organizations where this malware was deployed, we anticipate more organizations will discover compromised VMware infrastructure in their environments as a result of this published threat intelligence," Carmakal said in the statement.

"Most organizations do not have an efficient way to hunt for and identify threats on VMware hypervisors, given the lack of EDR support. This is why Mandiant and VMware have collaborated and provided hardening guidance to organizations," he said. "It is critical for organizations to address this threat, as we anticipate other threat actors will develop similar malware capabilities over time."

It's unclear if the organizations infected by the backdoors had EDR protection for the ESXi servers. "There are very few malware detection solutions designed for VMware ESXi, so most organizations do not run malware detection or EDR solutions on their ESXi hypervisors," Mandiant consultant Alex Marvi said in a statement to TechTarget Editorial.

Marvi added that Mandiant products do not have coverage for ESXi servers at this time.

VMware published an advisory on the new backdoor malware that thanked Mandiant for discovering the threat on a mutual customer and provided customers with mitigation and detection guidance.

In addition to the ESXi hypervisor malware, Mandiant also discovered samples of VirtualPITA designed for Linux vCenter systems. It uncovered another malware family it dubbed VirtualGATE, which was designed for Windows VMs.

Mandiant said it's continuing to investigate the threat activity, which it tracks as UNC3886.

"Given the highly targeted and evasive nature of this intrusion, we suspect UNC3886 motivation to be cyber-espionage related," the report said. "Additionally, we assess with low confidence that UNC3886 has a China-nexus."
