Keypoints
- Attackers used malicious VIB packages (modified descriptor XML + empty signatures) installed with --force to persist on ESXi hypervisors.
- Two ESXi backdoors identified: VIRTUALPITA (ELF, TCP/VMCI listeners, arbitrary commands, file transfer) and VIRTUALPIE (Python, IPv6 listener, RC4-encrypted protocol).
- VIB payloads placed startup scripts under /etc/rc.local.d to run backdoors at boot and remove VIB artifacts from disk to minimize traces.
- Windows guests contained VIRTUALGATE (memory-only dropper + VMCI-using DLL) enabling hypervisor-to-guest and guest-to-guest command execution via vmtoolsd.exe.
- Attackers executed commands from ESXi (/bin/rdt → sh → python e.py) that were run on guests as child processes of vmtoolsd.exe to enumerate, compress, and exfiltrate data.
- Detection can leverage esxcli software vib signature verify to spot falsified acceptance levels and file-hash/YARA indicators provided by Mandiant.
MITRE Techniques
- [T1560] Archive Collected Data – Used to compress enumerated files for exfiltration; quote: ‘cmd.exe makecab /F C:\Windows\Temp\TS_<REDACTED>.txt … /D compressiontype=lzx’.
- [T1560.001] Archive via Utility – makecab was invoked to create compressed cabinets of enumerated data; quote: ‘cmd.exe makecab … /D compressiontype=lzx’.
- [T1059] Command and Scripting Interpreter – Attackers executed shell and scripting commands on guests and hosts; quote: ‘sh -c /bin/sh’ and command chains shown in Figure 4.
- [T1059.001] PowerShell – Used on guest to parse dumped memory for cleartext credentials; quote: ‘WindowsPowerShell\v1.0\powershell.exe’ and the PowerShell password search script in Figure 8.
- [T1059.003] Windows Command Shell – Used for file enumeration and redirection on guests; quote: ‘"C:\Windows\System32\cmd.exe" /c dir /od /s /a … > C:\Windows\Temp\TS_…tmp’.
- [T1059.004] Unix Shell – Used on ESXi to spawn shells and run Python scripts targeting guests; quote: ‘-> /bin/rdt -i … -> sh -c /bin/sh’.
- [T1059.006] Python – A Python script (e.py) was used on ESXi to send commands to guest VMs; quote: ‘python e.py 127.0.0.1 vpxuser <password> <target guest machine> …’.
- [T1129] Shared Modules – VMware Tools (vmtoolsd.exe) was leveraged to run commands in the guest context; quote: ‘Commands passed as arguments into e.py were also seen being executed … running as a child process under vmtoolsd.exe.’
- [T1105] Ingress Tool Transfer – Backdoors and payloads were delivered via VIB payloads and supported file upload/download functions; quote: ‘file upload and download’ and ‘file transfer capabilities’.
- [T1573.001] Symmetric Cryptography – Backdoor communications used symmetric encryption (RC4); quote: ‘Communications use a custom protocol and are encrypted using RC4.’
- [T1027] Obfuscated Files or Information – Memory-only dropper and obfuscated payloads were used to hide components; quote: ‘memory only dropper deobfuscates a second stage DLL payload’.
- [T1070] Indicator Removal on Host – Attackers removed files and cleared temporary directories to reduce traces; quote: ‘remove every file created by the VIB from the disk’ and ‘The attacker cleared the C:\Windows\Temp directory’.
- [T1070.003] Clear Command History – The malware sets HISTFILE to hide shell history; quote: ‘the malware also sets the environmental variable HISTFILE to 0 to further hide activity’.
- [T1070.004] File Deletion – Startup scripts deleted VIB-created files after execution; quote: ‘remove every file created by the VIB from the disk’.
- [T1140] Deobfuscate/Decode Files or Information – Dropper deobfuscated a DLL payload in memory before execution; quote: ‘memory only dropper deobfuscates a second stage DLL payload’.
- [T1202] Indirect Command Execution – Commands were routed from ESXi to guest VMs via VMCI and vmtoolsd execution chains; quote: ‘Commands passed as arguments into e.py were also seen being executed … under vmtoolsd.exe.’
- [T1218.011] Rundll32 – Used to invoke MiniDump for credential dumping; quote: ‘rundll32.exe C:\windows\System32\comsvcs.dll MiniDump <Process ID> C:\Windows\Temp\TS_…tmp full’.
- [T1497] Virtualization/Sandbox Evasion – Malware targeted hypervisor-level persistence and used VM-aware mechanisms to operate across VMs; quote: ‘uses VMware’s virtual machine communication interface (VMCI) sockets to run commands on a guest virtual machine from a hypervisor host’.
- [T1497.001] System Checks – Malware distinguished VM contexts and recorded CID info in logs for VM identification; quote: ‘fetches the systems context ID (CID)’ and records it to /var/log/sysclog.
- [T1620] Reflective Code Loading – Memory-only dropper loaded/deobfuscated payloads in memory rather than from disk; quote: ‘memory only dropper deobfuscates a second stage DLL payload’.
- [T1016] System Network Configuration Discovery – Backdoors enumerated network/context details (CID, ports) to manage connections; quote: ‘The generated log records … :<CID>:<port>’.
- [T1083] File and Directory Discovery – Attackers enumerated files and shares using dir and similar utilities; quote: ‘dir /od /s /a s: > C:\Windows\Temp\TS_…tmp’.
- [T1021] Remote Services – The toolset allowed executing commands across VMs and leveraging remote interfaces; quote: ‘Execute arbitrary commands from one guest VM to another guest VM running on the same hypervisor’.
- [T1021.004] SSH – Listed by Mandiant as lateral technique for related activity (remote services); quote: ‘T1021.004: SSH’ (from MITRE list in article).
- [T1003] OS Credential Dumping – Process memory was dumped to search for credentials; quote: ‘MiniDump <Process ID> C:\Windows\Temp\TS_…tmp full’.
- [T1003.001] LSASS Memory – LSASS and other process memory were targeted for credential extraction via MiniDump; quote: ‘rundll32.exe … MiniDump <Process ID> … full’.
- [T1547] Boot or Logon Autostart Execution – VIB payloads placed scripts in /etc/rc.local.d to run at boot for persistence; quote: ‘A bash installation script to be placed into /etc/rc.local.d/ to ensure its actions will be executed upon each bootup of ESXi.’
Indicators of Compromise
- [File Hashes] Malicious VIB payloads and backdoors – 2716c60c28cf7f7568f55ac33313468, 9ea86dccd5bbde47f8641b62a1eeff07, and 10+ other hashes (see YARA/IOC table).
- [MD5] VIRTUALPITA/VIRTUALPIE samples – 8e80b40b1298f022c7f3a96599806c43 (VIRTUALPITA), 61ab3f6401d60ec36cd3ac980a8deb75 (VIRTUALPIE).
- [File Paths] Deployed startup and backdoor files – /etc/rc.local.d/vmware_local.sh, /bin/rdt, /bin/vmsyslog.py, C:\Windows\Temp\avp.exe.
- [VIB Names] Descriptor names used to masquerade VIBs – lsu-lsi-lsi-mrarpid-plugin, ata-pata-pdc20211.
- [Network Ports/Sockets] Listening endpoints used by backdoors – TCP 2233, VMCI port 18098, IPv6 port 546, TCP 7475 (and VMCI sockets for guest-host comms).
- [Processes] Legitimate process abused for guest execution – vmtoolsd.exe (commands executed as child processes under vmtoolsd.exe).
Attackers packaged malicious components into VIBs by altering the VIB descriptor XML (changing <acceptance-level> from community to partner) and including an empty signature file, then installed them with the esxcli software vib install --force option to bypass the host's acceptance-level checks. The VIB payloads (.vgz) created persistent startup scripts under /etc/rc.local.d that invoked the backdoors and then attempted to remove the VIB-created files to reduce disk artifacts; these payloads contained ELF binaries (VIRTUALPITA), Python backdoors (VIRTUALPIE), and installation scripts that enable firewall rules and daemonize the backdoors.
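The forged-descriptor pattern described above, and the esxcli signature check that exposes it, as an added example (not code from the report or from Mandiant): it parses a constructed `esxcli software vib signature verify` table and a constructed descriptor.xml. The table layout, version strings, the ACME vendor and the custom-tool VIB are assumptions; the two masquerading VIB names come from the page.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample laid out like the table `esxcli software vib signature verify`
# prints (not captured from a real host; versions and the ACME vendor are
# placeholders). The two masquerading VIB names are the ones the report lists.
SAMPLE_VERIFY_OUTPUT = """\
Name                        Version  Vendor  Acceptance Level    Signature Verification
--------------------------  -------  ------  ------------------  ----------------------
esx-base                    7.0.0-1  VMware  VMwareCertified     Succeeded
lsu-lsi-lsi-mrarpid-plugin  1.0.0-1  VMW     PartnerSupported    Failed
ata-pata-pdc20211           1.0.0-1  VMW     PartnerSupported    Signature not Available
custom-tool                 0.1-1    ACME    CommunitySupported  Signature not Available
"""

def parse_esxcli_table(text):
    """Split an esxcli text table (columns separated by two or more spaces) into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = re.split(r"\s{2,}", lines[0].strip())          # header row
    return [dict(zip(cols, re.split(r"\s{2,}", ln.strip()))) for ln in lines[2:]]  # skip the ---- row

SIGNED_LEVELS = {"VMwareCertified", "VMwareAccepted", "PartnerSupported"}

def audit_vibs(records):
    """Flag VIBs whose claimed acceptance level is not backed by a valid signature."""
    findings = {}
    for r in records:
        level, sig = r["Acceptance Level"], r["Signature Verification"]
        if level in SIGNED_LEVELS and sig != "Succeeded":
            # the forgery pattern: a partner/VMware level that only --force could have installed
            findings[r["Name"]] = f"claims {level} but signature verification is '{sig}'"
        elif level == "CommunitySupported":
            findings[r["Name"]] = "CommunitySupported VIB (unsigned); confirm it was installed deliberately"
    return findings

# Constructed descriptor.xml fragment showing the edit the report describes:
# a partner acceptance level, which would normally require a real signature.
SAMPLE_DESCRIPTOR = """<vib version="5.0">
  <type>bootbank</type>
  <name>lsu-lsi-lsi-mrarpid-plugin</name>
  <acceptance-level>partner</acceptance-level>
</vib>"""

def descriptor_mismatch(descriptor_xml, signature_bytes):
    """Return a finding when a non-community level is paired with an empty signature file."""
    root = ET.fromstring(descriptor_xml)
    level = (root.findtext("acceptance-level") or "").strip().lower()
    if level != "community" and not signature_bytes.strip():
        return f"{root.findtext('name')}: acceptance-level '{level}' with empty signature file"
    return None
```

On a real host, feed the output of `esxcli software vib signature verify` to parse_esxcli_table and the extracted descriptor.xml and sig.pkcs7 of a suspect VIB to descriptor_mismatch.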
VIRTUALPITA is an ELF backdoor that created listeners (hardcoded TCP or VMCI ports, e.g., 2233 and 18098), supported arbitrary command execution, file upload/download, and could start/stop vmsyslogd; variants also set HISTFILE=0 to hide shell history. VIRTUALPIE is a Python-based daemon using an IPv6 listener (hardcoded port 546) with a custom protocol encrypted with RC4. On Linux vCenter hosts, additional VIRTUALPITA samples masqueraded as ksmd and persisted as init.d services on TCP 7475.
On compromised hypervisors, the /bin/rdt backdoor and an in-memory Python controller (e.py) were used to send commands to guest VMs; those commands ran inside the guests as child processes of vmtoolsd.exe (for example, cmd.exe enumerating files and packaging them with makecab, rundll32 with comsvcs.dll MiniDump dumping process memory, and PowerShell extracting credentials from the dump). Detection steps include running esxcli software vib signature verify, which reports each VIB's acceptance level next to its signature verification result and so exposes VIBs whose claimed level is not backed by a valid signature; hunting for the file paths and hashes listed above; and applying the hardening guidance linked by Mandiant and VMware.
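The guest-side command chain above, turned into a detection as an added example (not from the report): it walks constructed process-creation events to flag interpreters that descend from vmtoolsd.exe and command lines matching the dir-redirect, makecab and comsvcs.dll MiniDump patterns the page quotes. The pids, image paths and TS_ file names are constructed; the ProcEvent record is a stand-in for whatever your EDR or Sysmon event carries.

```python
import re
from collections import namedtuple
ProcEvent = namedtuple("ProcEvent", "pid ppid image command_line")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# Constructed process-creation events modelled on the command chains the report
# describes; pids, paths and TS_ file names are made up, not real telemetry.
VMTOOLS = r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
SAMPLE_EVENTS = [
    ProcEvent(1200, 800, VMTOOLS, '"vmtoolsd.exe"'),
    ProcEvent(4312, 1200, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c dir /od /s /a s: > C:\Windows\Temp\TS_1.tmp'),
    ProcEvent(4320, 4312, r"C:\Windows\System32\makecab.exe",
              r"makecab /F C:\Windows\Temp\TS_1.txt /D compressiontype=lzx"),
    ProcEvent(4400, 1200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\windows\System32\comsvcs.dll MiniDump 616 C:\Windows\Temp\TS_2.tmp full"),
    ProcEvent(5000, 900, r"C:\Windows\System32\cmd.exe", r'"cmd.exe" /c dir C:\Users'),  # benign control
]

INTERPRETERS = {"cmd.exe", "powershell.exe", "rundll32.exe"}
CMDLINE_RULES = [
    ("comsvcs.dll MiniDump process dump", re.compile(r"comsvcs\.dll.*\bMiniDump\b", re.I)),
    ("makecab archiving under Temp", re.compile(r"\bmakecab\b.*\\Temp\\", re.I)),
    ("dir enumeration redirected under Temp", re.compile(r"\bdir\b.*>\s*\S*\\Temp\\", re.I)),
]

def descends_from_vmtoolsd(ev, by_pid):
    """Walk ppid links (as far as the sample contains them) looking for vmtoolsd.exe."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        if basename(cur.image) == "vmtoolsd.exe":
            return True
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return False

def triage(events):
    """Return {pid: [finding, ...]}; lineage alone flags only interpreters, as vmtoolsd runs legitimate guest scripts."""
    by_pid = {e.pid: e for e in events}
    report = {}
    for ev in events:
        findings = [label for label, rx in CMDLINE_RULES if rx.search(ev.command_line)]
        if basename(ev.image) in INTERPRETERS and descends_from_vmtoolsd(ev, by_pid):
            findings.insert(0, "interpreter running under vmtoolsd.exe (guest-operations execution path)")
        if findings:
            report[ev.pid] = findings
    return report
```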
Read more: https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence