According to Mandiant, malware targets VMware users to spy on them. • The Register

New stealthy malware targeting VMware environments lets intruders gain persistent administrative access to ESXi hypervisors, transfer files, and run arbitrary commands on guest virtual machines, according to VMware and Mandiant, which found the malicious software in the wild earlier this year.

Mandiant, the threat-intelligence outfit now owned by Google, attributed the infections to an uncategorized group it tracks as UNC3886, and says it suspects the intruders' motivation is espionage. Mandiant also assesses "with low confidence" that the group has ties to China.

In its research, released today, Mandiant said that developing and deploying this spyware would require a fairly deep understanding of VMware's ESXi operating system, as well as admin-level rights on the victim's ESXi hypervisors.

That means this is not a new remote code execution vulnerability, and it is not an especially easy intrusion, but it is well within reach of nation-state actors.

The good news is that the researchers know of fewer than ten organizations compromised by the malware so far, and there is no evidence that a zero-day vulnerability was used to gain initial access or to deploy the malware.

"However, we anticipate that a variety of other threat actors will use the information outlined in this study to begin building similar capabilities," Mandiant warned. It recommends that organizations running ESXi and other VMware infrastructure follow the hardening steps in its advisory as well as VMware's own guidance.

"This malware is different in that it supports being both persistent and covert, which aligns with the goals of larger threat actors and APT groups that target strategic institutions to remain undetected for some time," the virtualization giant wrote in its advisory.

“Persistent and Covert”

Prior to this discovery, both VMware and Mandiant said they had not seen persistent malware with these abilities deployed on VMware hypervisor hosts or guests in the wild.

Mandiant first encountered the malware during an intrusion investigation for a customer it shares with VMware. We're told its threat hunters spotted attacker commands originating from the legitimate VMware Tools process (vmtoolsd) on a Windows VM hosted on a VMware ESXi hypervisor, which is what led them to look at the hypervisor itself.

ESXi hypervisors generally do not support third-party endpoint detection and response (EDR) agents, which makes them a blind spot: spies and other intruders who reach the hypervisor can rummage through files and siphon off data with far less chance of being noticed than on a Windows or Linux host. Visibility has to come from the host's own logs, vCenter, and network telemetry instead.

According to Mandiant, while analyzing the boot profile of the compromised ESXi hypervisors, the researchers discovered a "never-before-seen technique" that used malicious vSphere Installation Bundles (VIBs) to install multiple backdoors.

VIBs are the packages administrators use to install drivers, agents, and updates on ESXi. Each VIB carries an acceptance level (VMwareCertified, VMwareAccepted, PartnerSupported, or CommunitySupported), and anything above CommunitySupported must carry a signature that ESXi checks against its trusted certificates; a host whose acceptance level is set to PartnerSupported or higher will refuse an unsigned package unless an administrator overrides the check. In this case the attacker's VIBs claimed acceptance levels their signatures could not back up, and the attacker, already holding admin rights, installed them anyway, using them to persist on the hypervisors and deliver the malware.
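The mismatch described above, a descriptor that claims a signed acceptance level while the signature file is empty, can be checked offline before a package goes anywhere near a host. The script below is an added example, not Mandiant's or VMware's code: it parses the VIB's `ar` archive, reads `acceptance-level` from `descriptor.xml`, and reports whether `sig.pkcs7` contains any signature bytes. The sample VIB it builds (name, vendor, and payload) is constructed for illustration.

```python
"""Offline inspection of a VIB (vSphere Installation Bundle).

Added example, not Mandiant's or VMware's code. A VIB is a Unix 'ar'
archive containing descriptor.xml, sig.pkcs7 and one or more payloads.
This script reads the archive, extracts the acceptance level the
descriptor claims and checks whether sig.pkcs7 carries any signature
bytes at all. A VIB that claims partner, accepted or certified while
shipping an empty signature is the "fake acceptance level" pattern
described above. The sample VIB below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

AR_MAGIC = b"!<arch>\n"
# Acceptance levels that require a VMware-issued signature.
SIGNED_LEVELS = {"partner", "accepted", "certified"}


def ar_pack(members):
    """Build a minimal 'ar' archive from {name: bytes}. Only used here to
    construct the sample VIB; real VIBs come from vendor downloads or the
    host's /bootbank."""
    out = bytearray(AR_MAGIC)
    for name, data in members.items():
        # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) fmag(2)
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n"
        out += hdr.encode("ascii") + data
        if len(data) % 2:  # members start on even offsets
            out += b"\n"
    return bytes(out)


def ar_unpack(blob):
    """Parse an 'ar' archive into {name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[0:16].decode("ascii").rstrip(" /")
        size = int(hdr[48:58].decode("ascii").strip())
        pos += 60
        members[name] = blob[pos:pos + size]
        pos += size + (size % 2)
    return members


def inspect_vib(blob):
    """Return the descriptor's claims alongside what the signature file shows."""
    members = ar_unpack(blob)
    root = ET.fromstring(members["descriptor.xml"])
    level = (root.findtext("acceptance-level") or "").strip().lower()
    sig = members.get("sig.pkcs7", b"")
    # Presence check only: DER PKCS#7 starts with a SEQUENCE tag (0x30),
    # PEM with a BEGIN line. Cryptographic validation is esxcli's job.
    has_signature = sig.startswith(b"\x30") or sig.startswith(b"-----BEGIN")
    return {
        "name": root.findtext("name"),
        "vendor": root.findtext("vendor"),
        "acceptance_level": level,
        "has_signature": has_signature,
        "suspicious": level in SIGNED_LEVELS and not has_signature,
    }


def build_sample_vib(level, sig):
    """Constructed sample VIB; the name, vendor and payload are invented."""
    descriptor = f"""<vib version="5.0">
  <type>bootbank</type>
  <name>example-tool</name>
  <version>1.0.0-1</version>
  <vendor>ExampleVendor</vendor>
  <acceptance-level>{level}</acceptance-level>
  <payloads><payload name="exampl" type="vgz" size="3"/></payloads>
</vib>"""
    return ar_pack({
        "descriptor.xml": descriptor.encode("utf-8"),
        "sig.pkcs7": sig,
        "exampl": b"\x1f\x8b\x08",  # gzip magic stands in for the real payload
    })


if __name__ == "__main__":
    # Claims PartnerSupported but carries no signature: the pattern to hunt.
    print(inspect_vib(build_sample_vib("partner", b"")))
    # Honest unsigned VIB: CommunitySupported, no signature, not suspicious.
    print(inspect_vib(build_sample_vib("community", b"")))
```

This only tests for the presence of a signature; on the host, `esxcli software vib signature verify` performs the real cryptographic check and `esxcli software vib list` shows each installed package's acceptance level, so the two together are the hunting query. Because a forced install leaves the host's own software acceptance level untouched, also confirm with `esxcli software acceptance get` that no host has been dropped to CommunitySupported, and review the ESXi update log for installs that bypassed the check.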

The security shop named the new malware VirtualPITA (ESXi and Linux), VirtualPIE (ESXi), and VirtualGATE (Windows).

VirtualPITA and VirtualPIE

The two ESXi backdoors, VirtualPITA and VirtualPIE, each have distinct characteristics. VirtualPITA is a 64-bit backdoor that borrows VMware service names and ports to pass as a legitimate service. It lets the attacker run arbitrary commands, upload and download files, and start and stop the host's syslog daemon, vmsyslogd, which gives it a way to cut off host logging while it operates.

“Variants of this malware have been found to eavesdrop on a Virtual Machine Communication Interface (VMCI) and log this activity to the sysclog file,” Mandiant wrote.

VirtualPIE, meanwhile, is written in Python and spawns a daemonized IPv6 listener on a hardcoded port on the ESXi host. Its capabilities include arbitrary command-line execution, file transfer, and a reverse shell, and it uses RC4 to encrypt its communications.

Listening on Linux and Windows VMs

Mandiant also found two further VirtualPITA samples listening on TCP port 7475 on Linux-based vCenter servers, disguised as legitimate binaries. Finally, compromised Windows guest VMs hosted on the infected hypervisors carried their own malware, which Mandiant dubbed VirtualGATE. It is written in C and comprises a memory-only dropper and a payload.
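Both VirtualPIE (an IPv6 listener on a hardcoded port) and the vCenter VirtualPITA samples (TCP 7475 behind a legitimate-looking name) are easiest to spot by comparing what is actually listening against a known-good baseline keyed on process and port together. The script below is an added example, not Mandiant's or VMware's code: it parses `ss -ltnp` output from a Linux vCenter appliance and reports listeners outside the baseline. The baseline, process names, PIDs, and sample output are all constructed for illustration.

```python
"""Hunt for unexpected listeners on a Linux vCenter appliance.

Added example, not Mandiant's or VMware's code. It parses the output of
`ss -ltnp` (run as root so the owning process is shown) and flags every
listening socket whose port is not in the baseline for that process name.
Both the baseline and the sample output are constructed for illustration;
a real baseline must come from a known-good appliance of the same build.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proc pid addr port")

# Constructed allowlist: process name -> ports it is expected to own.
BASELINE = {
    "sshd": {22},
    "envoy": {443},
}

# One `ss -ltnp` row: state, queues, local addr:port, peer, optional process.
LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)

# Constructed sample: two genuine services, a 7475 listener hiding behind
# a legitimate-looking process name, and an IPv6-only listener.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   0.0.0.0:443         0.0.0.0:*         users:(("envoy",pid=1201,fd=17))
LISTEN 0      128    0.0.0.0:7475        0.0.0.0:*         users:(("sshd",pid=2310,fd=5))
LISTEN 0      128    [::]:7475           [::]:*            users:(("python3",pid=2333,fd=4))
"""


def parse_ss(text):
    """Turn `ss -ltnp` output into Listener records; non-LISTEN rows are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        found.append(Listener(m["proc"] or "?", int(m["pid"] or 0),
                              m["addr"], int(m["port"])))
    return found


def find_unexpected(listeners, baseline):
    """Listeners whose (process, port) pair is not in the baseline.
    Keying on the pair matters: a backdoor borrowing a service's name
    still shows up because it sits on the wrong port."""
    return [l for l in listeners if l.port not in baseline.get(l.proc, set())]


if __name__ == "__main__":
    for hit in find_unexpected(parse_ss(SAMPLE_SS), BASELINE):
        print(f"unexpected listener: {hit.proc}[{hit.pid}] on {hit.addr}:{hit.port}")
```

Two points from the sample: the second `sshd` entry is caught only because the baseline is keyed on process and port, not process name alone, which is exactly the disguise VirtualPITA relies on; and the IPv6 `[::]` entry is why a hunt for VirtualPIE must not filter to IPv4. ESXi itself has no `ss`, but `esxcli network ip connection list` gives the same table with the owning world name, and the same comparison applies.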

As Mandiant explained, "The Memory Only Dropper unobfuscates a second-stage DLL payload that uses VMware's Virtual Machine Communication Interface (VMCI) sockets to execute commands on a guest virtual machine from a hypervisor host or between guest virtual machines on the same host."

In addition to using the malware to run commands on the guest machines, mainly enumerating and compressing files, the attacker harvested credentials by using MiniDump to dump process memory and then searching it for clear-text credentials, we're told.
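Because VirtualGATE's commands arrive over VMCI from the hypervisor rather than over the network, there is no connection to find from inside the guest; the signal the hunters had, and the one a detection should key on, is process lineage: shells and tooling spawned by the VMware Tools service, and the MiniDump credential-dumping step mentioned above. The script below is an added example, not Mandiant's detection content: it walks process-creation events with Sysmon Event ID 1 style fields and applies those two rules. The events, paths, and PIDs are constructed for illustration.

```python
"""Flag command execution spawned through VMware Tools on a Windows guest.

Added example, not Mandiant's detection content. It walks process-creation
events (Sysmon Event ID 1 style fields: Image, ParentImage, CommandLine)
and raises two findings: a shell or dumping tool whose parent is
vmtoolsd.exe, the path the VirtualGATE payload and the original intrusion
used, and any command line invoking the comsvcs.dll MiniDump export, a
common way to dump process memory for credentials. The events below are
constructed for illustration; PIDs and paths are invented.
"""
from pathlib import PureWindowsPath

TOOLS_PARENT = "vmtoolsd.exe"
# Children vmtoolsd.exe has little reason to spawn outside guest operations.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
    "procdump.exe", "7z.exe", "rar.exe",
}

SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"'},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users /s"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 656 C:\Windows\Temp\l.dmp full"},
    {"EventID": 1,
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower() if path else ""


def analyze(events):
    """Return (rule, child_image, command_line) tuples for matching events."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        child = basename(ev.get("Image"))
        parent = basename(ev.get("ParentImage"))
        cmd = ev.get("CommandLine", "")
        # Rule 1: interactive tooling launched by the VMware Tools service.
        if parent == TOOLS_PARENT and child in SUSPICIOUS_CHILDREN:
            findings.append(("vmtoolsd_spawned_shell", child, cmd))
        # Rule 2: comsvcs.dll MiniDump, regardless of parent.
        lowered = cmd.lower()
        if "comsvcs" in lowered and "minidump" in lowered:
            findings.append(("comsvcs_minidump", child, cmd))
    return findings


if __name__ == "__main__":
    for rule, child, cmd in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {child} :: {cmd}")
```

The first rule needs tuning in environments that use vSphere Guest Operations or power-state scripts, since vmtoolsd legitimately launches processes for those; baseline the command lines it normally runs and alert on the rest. The MiniDump rule stands on its own and should fire anywhere.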

"VMware has worked closely with Mandiant to understand this specialized malware so we can quickly arm our customers with the guidance they need to secure and mitigate their vSphere environments," said Manish Gaur, director of product security at VMware, in a statement provided to The Register.

“While there is no VMware vulnerability, we emphasize the need for strong operational security practices that include secure credential management and network security, in addition to following VMware virtual infrastructure hardening guidelines.”

In other words, harden up now, before less sophisticated rogues read this research and launch similar attacks after someone else has done all the legwork. ®

https://www.theregister.com/2022/09/29/vmware_malware_mandiant/

Laura Coffey
