"Mandiant Unearths New Espionage-Related Malware Families Affecting VMware Hypervisors"

Mandiant has uncovered a new ecosystem of espionage-related malware targeting VMware ESXi, Linux vCenter servers, and Windows virtual machines that allows an attacker to transfer files between hypervisors and guest machines, tamper with logging, execute arbitrary commands between virtual machines, and more. The activity is being tracked under a new cluster, which means Mandiant has not yet linked it to any previously known Advanced Persistent Threat (APT) hacking group. The threat actor appears to be targeting devices that lack endpoint detection and response systems. Mandiant is currently aware of fewer than ten organizations infected with the malware, but it anticipates that number will rise following its disclosure as security teams seek to detect previously unknown activity. During an incident response investigation, Mandiant discovered an attacker using legitimate VMware tools to send commands to Windows guest machines. Later analysis of the hypervisor revealed that the actor had installed two different pieces of malware, called VIRTUALPITA and VIRTUALPIE, using malicious vSphere installation bundles, which VMware defines as a collection of files packaged into a single archive to enable distribution. VIRTUALPITA is a 64-bit malware family that impersonates legitimate VMware service names and ports, allowing an actor to run arbitrary commands, upload or download files, and hide its presence. VIRTUALPIE, written in Python, spawns a background IPv6 listener on ESXi servers. It also provides arbitrary command execution, file transfer, and reverse shell capabilities. This article continues to discuss the new malware families affecting VMware ESXi, Linux vCenter servers, and Windows virtual machines.
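Because the article reports that the malware was delivered as malicious vSphere installation bundles, the first thing a defender will want is a way to triage the VIB inventory of an ESXi host. The script below is an added example, not code from the article or from Mandiant: it parses text in the layout of `esxcli software vib list` output and flags bundles whose acceptance level is not one of the two VMware-signed levels, with an extra note when such a bundle also claims a VMware vendor string, echoing the article's point that the malware impersonates legitimate VMware names. The acceptance-level names are the real ESXi values; the sample inventory, the VIB names, vendors and dates, and the triage heuristics themselves are constructed for this example.

```python
"""Triage an ESXi VIB inventory for bundles that deserve a closer look.

Added example, not from the article or from Mandiant. It parses text in the
shape of `esxcli software vib list` output and applies assumed heuristics
to pick out bundles worth manual review.
"""
from typing import Dict, List, Tuple

# Real ESXi acceptance levels. The first two are signed by VMware;
# PartnerSupported is partner-signed and CommunitySupported is unsigned.
TRUSTED_LEVELS = {"VMwareCertified", "VMwareAccepted"}
KNOWN_LEVELS = TRUSTED_LEVELS | {"PartnerSupported", "CommunitySupported"}

# Constructed sample in the layout of `esxcli software vib list`.
# Names, versions, vendors and install dates are made up for this example.
SAMPLE_VIB_LIST = """\
Name              Version                             Vendor  Acceptance Level    Install Date
----------------  ----------------------------------  ------  ------------------  ------------
esx-base          7.0.3-0.35.19193900                 VMware  VMwareCertified     2022-03-01
lpfc              14.0.169.26-1vmw.703.0.20.19193900  VMW     VMwareCertified     2022-03-01
vendor-tools      1.4.2-1OEM.700.1.0.15843807         ACME    PartnerSupported    2022-04-11
vmware-sysmon     1.0.0-1                             VMware  CommunitySupported  2022-09-14
"""


def parse_vib_list(text: str) -> List[Dict[str, str]]:
    """Parse the tabular output into one dict per VIB."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Name") or line.startswith("-"):
            continue  # skip blank lines, the header and the dashed rule
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"unexpected row: {line!r}")
        # Acceptance level and install date are single tokens at the end;
        # everything between the version and those two is the vendor.
        rows.append({
            "name": fields[0],
            "version": fields[1],
            "vendor": " ".join(fields[2:-2]),
            "acceptance": fields[-2],
            "installed": fields[-1],
        })
    return rows


def triage_vibs(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (vib name, reason) pairs worth a manual look.

    Heuristics (assumed for this example, not from the article):
      * an acceptance level outside the known set means the metadata was
        tampered with or is unparseable;
      * a bundle below the VMware-signed levels that nevertheless claims a
        VMware vendor string is a mismatch suggesting impersonation;
      * any other bundle below the VMware-signed levels is not signed by
        VMware and should be checked against the vendor's own inventory.
    """
    findings = []
    for vib in rows:
        level = vib["acceptance"]
        if level not in KNOWN_LEVELS:
            findings.append((vib["name"], f"unknown acceptance level {level!r}"))
        elif level not in TRUSTED_LEVELS:
            if vib["vendor"].lower().startswith("vmw"):
                findings.append((vib["name"],
                                 f"vendor {vib['vendor']} but level {level} "
                                 "(possible impersonation of a VMware bundle)"))
            else:
                findings.append((vib["name"],
                                 f"not VMware-signed ({level}); verify against vendor inventory"))
    return findings


def main() -> None:
    for name, reason in triage_vibs(parse_vib_list(SAMPLE_VIB_LIST)):
        print(f"{name}: {reason}")


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the two VMware-certified bundles are silent, the partner bundle is listed for verification, and the community-level bundle that calls itself a VMware product is singled out. On a real host the output of `esxcli software vib list` would be fed in instead of the sample, and each flagged bundle then needs to be checked against a known-good build inventory rather than treated as malicious on the strength of the heuristic alone.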

SC Media reports "Mandiant Unearths New Espionage-Related Malware Families Affecting VMware Hypervisors"
