Malware Shifting to Virtual Environments, Warns Mandiant
Threat Intel Shows Possible Chinese Cyberspying Campaign Targets VMware Hypervisors
State-sponsored hackers may be shifting their targets from workstations to virtual environments where endpoint detection and response isn't supported, says Mandiant in a report detailing novel malware that attacks VMware hypervisors.
Analysts at the threat intelligence firm assess with low confidence that the threat actor behind a novel malware family has a connection to China and say the malware is likely used for cyberespionage. It affects the VMware ESXi hypervisor and VMware appliances that run Linux and Windows virtual machines.
Mandiant says it's aware of fewer than 10 organizations infected with the novel malware but warns that more companies should be on the lookout for it. "We anticipate more organizations will discover compromised VMware infrastructure in their environments," said Charles Carmakal, a Mandiant senior vice president. Malware's shift into new settings such as network appliances, storage area network arrays and the VMware ESXi hypervisor is a consequence of improved EDR, Carmakal said.
Mandiant dubs the malware families VirtualPita, VirtualPie and VirtualGate. They allow a threat actor to maintain persistent administrative access to the hypervisor, execute commands on virtual machines and transfer files. Mandiant coordinated disclosure of the malware with VMware, which stressed that the malware does not exploit a vulnerability in the company's products.
The malware already requires admin-level privileges on the hypervisor before it can be deployed. VirtualPita and VirtualPie, which both affect the ESXi hypervisor, reach their targets by posing as vSphere Installation Bundles (VIBs) - files designed to facilitate software distribution and virtual system management.
Hackers manipulate the XML descriptor file in the bundles to change its supposed provenance from a low-trust community file developed outside of a VMware partner program to a higher-trust
A modified descriptor isn't sufficient to install the malware. Hackers also abused VMware's --force installation flag, which overrides the host acceptance level check for a vSphere Installation Bundle, and they backdated the installation, timestomping the logs.
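The two gates described above (the acceptance level declared in the VIB descriptor and the host's acceptance level check that --force overrides) can be modeled to show why a tampered descriptor alone does not get a bundle installed, and which conditions a defender should treat as findings. The following is an added example, not code from Mandiant, VMware or the article; the descriptor element names, the sample descriptor fragments and the signature status are constructed assumptions (on a real host the signature status would come from the ESXi signature verification, not from a boolean argument).

```python
"""Added example: acceptance-level checks for a vSphere Installation Bundle.

Not Mandiant's or VMware's code. The descriptor layout below and the sample
bundles are constructed for illustration; the element name 'acceptance-level'
and the lowercase level spellings are assumptions.
"""
import xml.etree.ElementTree as ET

# VMware acceptance levels, least to most trusted
# (CommunitySupported, PartnerSupported, VMwareAccepted, VMwareCertified).
ACCEPTANCE_RANK = {"community": 0, "partner": 1, "accepted": 2, "certified": 3}

# Constructed descriptor.xml fragments: an honest community bundle, and the
# same bundle with its acceptance level edited upward to 'partner'.
HONEST_DESCRIPTOR = """<vib version="5.0">
  <name>example-tool</name>
  <vendor>ExampleVendor</vendor>
  <acceptance-level>community</acceptance-level>
</vib>"""
TAMPERED_DESCRIPTOR = HONEST_DESCRIPTOR.replace(">community<", ">partner<")


def parse_descriptor(xml_text):
    """Return the descriptor fields that matter for the acceptance check."""
    root = ET.fromstring(xml_text)
    level = (root.findtext("acceptance-level") or "").strip().lower()
    if level not in ACCEPTANCE_RANK:
        raise ValueError(f"unknown acceptance level: {level!r}")
    return {"name": root.findtext("name"), "vendor": root.findtext("vendor"), "level": level}


def assess_install(descriptor_xml, host_level, signature_trusted, force):
    """Model the host's acceptance gate and return (allowed, findings).

    host_level        - the host acceptance level ('partner' is the ESXi default).
    signature_trusted - whether the bundle's signature verified against a trusted
                        key (assumed input; modeled, not the real ESXi check).
    force             - whether the install was run with --force.
    """
    findings = []
    vib = parse_descriptor(descriptor_xml)
    claimed = ACCEPTANCE_RANK[vib["level"]]

    # A bundle claiming partner level or higher must carry a trusted signature;
    # an unsigned bundle with an elevated level is the edited-descriptor pattern.
    if claimed >= ACCEPTANCE_RANK["partner"] and not signature_trusted:
        findings.append(f"{vib['name']}: claims '{vib['level']}' level but signature is not trusted")

    # Without --force the host rejects a bundle below its acceptance level ...
    if claimed < ACCEPTANCE_RANK[host_level] and not force:
        return False, findings
    # ... and a bundle whose signature does not verify.
    if not signature_trusted and not force:
        return False, findings

    # With --force both checks are skipped; record that as a finding of its own.
    if force:
        findings.append(f"{vib['name']}: installed with --force, acceptance and signature checks bypassed")
    return True, findings


if __name__ == "__main__":
    for label, desc in (("honest", HONEST_DESCRIPTOR), ("tampered", TAMPERED_DESCRIPTOR)):
        for force in (False, True):
            allowed, found = assess_install(desc, "partner", signature_trusted=False, force=force)
            print(f"{label:8} force={force!s:5} allowed={allowed!s:5} findings={found}")
```

Run as a script, the honest community bundle is rejected by a partner-level host unless --force is used, and the tampered bundle passes the level comparison but still fails without --force because its signature does not verify; every --force install and every elevated-but-unsigned claim is reported as a finding, which is the condition a reviewer of installed bundles would want to surface.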