
Malware Shifting to Virtual Environments, Warns Mandiant

Threat Intel Shows Possible Chinese Cyberspying Campaign Targets VMware Hypervisors

State-sponsored hackers may be shifting their targets from workstations to virtual environments where endpoint detection and response isn't supported, says Mandiant in a report detailing novel malware that attacks VMware hypervisors.


Analysts at the threat intelligence firm assess with low confidence that the threat actor behind a novel malware family has a connection to China and say the malware is likely used for cyberespionage. It affects the VMware ESXi hypervisor and VMware appliances that run virtual Linux and Windows machines.

Mandiant says it's aware of fewer than 10 organizations infected with the novel malware but warns that more companies should be on the lookout for it. "We anticipate more organizations will discover compromised VMware infrastructure in their environments," said Charles Carmakal, a Mandiant senior vice president. Malware's shift into new settings such as network appliances, storage area network arrays and the VMware ESXi hypervisor is a consequence of improved EDR, Carmakal said.

Mandiant dubs the malware families VirtualPita, VirtualPie and VirtualGate. They allow a threat actor to maintain persistent administrative access to the hypervisor, execute commands on virtual machines and transfer files. Mandiant coordinated disclosure of the malware with VMware, which stressed that the malware does not exploit a vulnerability in the company's products.

The malware requires admin-level privileges on the hypervisor before it can be deployed. VirtualPita and VirtualPie, which each affect the ESXi hypervisor, reach their targets by posing as vSphere Installation Bundles - files designed to facilitate software distribution and virtual system management.

Hackers manipulate the XML descriptor file in the bundles to change its supposed provenance from a low-trust community file developed outside of a VMware partner program to a higher-trust PartnerSupported file.

A modified descriptor isn't sufficient to install the malware. Hackers also abused the VMware --force flag to lower the host acceptance-level threshold for a vSphere Installation Bundle, and they backdated the installation, timestomping the logs.
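The two checks a defender can derive from the description above, as an added example that is not code from the article, Mandiant or VMware: read the acceptance level a bundle's descriptor claims for itself, then flag a descriptor that claims a trusted level without a verifying signature, and a bundle whose level sits below the host's configured level (which cannot install without --force). The descriptor tag names, the level mapping and the sample descriptor are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Host acceptance levels ordered from least to most trusted; names as ESXi reports them.
LEVELS = ["CommunitySupported", "PartnerSupported", "VMwareAccepted", "VMwareCertified"]
# Values assumed to appear in a VIB descriptor.xml, mapped onto the host level names.
DESCRIPTOR_LEVELS = {"community": "CommunitySupported", "partner": "PartnerSupported",
                     "accepted": "VMwareAccepted", "certified": "VMwareCertified"}


def claimed_level(descriptor_xml: str) -> str:
    """Return the acceptance level a VIB descriptor claims for itself."""
    root = ET.fromstring(descriptor_xml)
    node = root.find("acceptance-level")  # assumed tag name, direct child of <vib>
    if node is None or node.text is None:
        raise ValueError("descriptor has no acceptance-level element")
    return DESCRIPTOR_LEVELS[node.text.strip().lower()]


def audit_vib(descriptor_xml: str, host_level: str, signature_valid: bool) -> list[str]:
    """Return findings for one installed VIB; an empty list means nothing suspicious."""
    findings = []
    level = claimed_level(descriptor_xml)
    # Any level above CommunitySupported is backed by a signature. A descriptor edited
    # from community to partner keeps the old payload, so the signature no longer verifies.
    if level != "CommunitySupported" and not signature_valid:
        findings.append(f"claims {level} but signature does not verify")
    # A VIB below the host's acceptance level is refused by a normal install, so its
    # presence means --force was used or the host level was lowered at install time.
    if LEVELS.index(level) < LEVELS.index(host_level):
        findings.append(f"{level} is below host level {host_level}: install required --force")
    return findings


# Constructed sample descriptor, not taken from any real bundle.
SAMPLE_DESCRIPTOR = """<vib version="5.0">
  <name>constructed-sample-vib</name>
  <vendor>Example Vendor</vendor>
  <acceptance-level>partner</acceptance-level>
</vib>"""

if __name__ == "__main__":
    # Descriptor says PartnerSupported, signature check failed, host requires VMwareAccepted.
    for finding in audit_vib(SAMPLE_DESCRIPTOR, "VMwareAccepted", signature_valid=False):
        print("FINDING:", finding)
```

The signature result is taken as an input because the verification itself is done by the host's own tooling; the example only correlates that result with what the descriptor claims.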

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
