
Warning Of Malware Moving to Virtual Environments

Published: October 15, 2022 in our Security Fraud News & Alerts Newsletter.

The battle between IT departments and the creators of malware is one without an end in sight. A proactive IT department seeks to identify threats and mitigate their effects, only to have the designers of malware seek alternatives to circumvent any efforts to protect data.

The latest endpoint security solutions, such as endpoint detection and response (EDR) software, have made Windows systems a harder nut to crack for the organizations that design malware. However, according to Mandiant, state-sponsored malware designers have now shifted their efforts to developing and deploying malware on systems that by and large lack EDR protection. These can include network appliances, VMware ESXi servers, and SAN arrays.

In early 2022, Mandiant identified a new malware ecosystem affecting ESXi, Linux vCenter servers, and Windows virtual machines. The company noted that hackers had used malicious vSphere Installation Bundles ("VIBs") to install a number of backdoors. These novel backdoors have been named VIRTUALPITA, VIRTUALGATE, and VIRTUALPIE.

Of special concern is the fact that VIRTUALPITA and VIRTUALPIE are not the result of external remote code execution weaknesses. Instead, the attacker requires admin-level access before the malware can be deployed. This means they have to get that access first.

VIRTUALPIE is a Python backdoor that creates a 'daemonized' IPv6 listener.

Currently, two additional VIRTUALPITA derivatives have been discovered. The backdoor is capable of arbitrary command execution, file transfer, and starting or stopping vmsyslogd.

VIRTUALGATE is another member of this malware family. It affects Windows virtual machines hosted by the infected hypervisors. VIRTUALGATE is a utility program coded in C that comprises two parts: a dropper and the payload.

The dangers of this novel malware family include controlling administrative access to the hypervisor, executing commands, transferring files, taking control of logging services, and executing arbitrary commands from one guest VM to another guest VM.

Because of the chaos these can cause, IT administrators need to be hyper-vigilant when it comes to new threats and, where appropriate, bring in external experts to diagnose system threats on virtual machines. In the meantime, avoid having to deal with these in the first place: keep all machines updated with the latest patches and software, back up systems and keep those backups off the internet and/or separated from the operations and production networks, and never share administrator passwords or provide administrator access to anyone who doesn't really need it.
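
Because the backdoors described above arrive as installed VIBs, one practical check is to compare each host's VIB inventory against a known-good baseline. The following is an added example, not code from Mandiant or VMware: it parses the table printed by `esxcli software vib list` and reports VIBs that are new, changed, missing, or below the host's acceptance level. The sample listings, the VIB name `example-unknown-vib`, and the function names are constructed for illustration.

```python
import re

# Acceptance levels ESXi defines, from most to least trusted.
LEVELS = ["VMwareCertified", "VMwareAccepted", "PartnerSupported", "CommunitySupported"]

def parse_vib_list(text):
    """Parse the table printed by `esxcli software vib list` into {name: record}."""
    vibs = {}
    for line in text.strip().splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        # Skip the header row, the dashed separator and anything malformed.
        if len(cols) != 5 or cols[0] == "Name" or set(cols[0]) == {"-"}:
            continue
        name, version, vendor, level, installed = cols
        vibs[name] = {"version": version, "vendor": vendor, "level": level, "installed": installed}
    return vibs

def audit(baseline, current, host_level="PartnerSupported"):
    """Return sorted (vib_name, reason) findings for an analyst to review."""
    findings = []
    for name, vib in current.items():
        known = baseline.get(name)
        if known is None:
            findings.append((name, "not in baseline"))
        elif any(known[k] != vib[k] for k in ("version", "vendor", "level")):
            findings.append((name, "changed since baseline"))
        if vib["level"] not in LEVELS:
            findings.append((name, "unknown acceptance level"))
        elif LEVELS.index(vib["level"]) > LEVELS.index(host_level):
            findings.append((name, "below host acceptance level"))
    findings.extend((n, "missing from host") for n in baseline if n not in current)
    return sorted(findings)

# Constructed sample listings (not real host output), laid out like `esxcli software vib list`.
BASELINE = """
Name      Version        Vendor  Acceptance Level  Install Date
--------  -------------  ------  ----------------  ------------
esx-base  7.0.3-0.0.001  VMware  VMwareCertified   2022-01-10
vsan      7.0.3-0.0.001  VMware  VMwareCertified   2022-01-10
"""
CURRENT = """
Name                 Version        Vendor   Acceptance Level    Install Date
-------------------  -------------  -------  ------------------  ------------
esx-base             7.0.3-0.0.001  VMware   VMwareCertified     2022-01-10
vsan                 7.0.3-0.0.001  VMware   PartnerSupported    2022-03-02
example-unknown-vib  1.0-1          Example  CommunitySupported  2022-03-02
"""
```

Capture the baseline from a known-good build and store it off the host, so that someone with administrator access to the hypervisor cannot also rewrite the reference copy.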
