VMware ESXi - VirtualPita et VirtualPie

this malicious VIB package hides a backdoor

To persistently take control over VMware ESXi servers, cybercriminals rely on VIBs packages to deploy two backdoors without being detected! Let’s take a look at this technique discovered by security researchers at Mandiant.

It was during incident response that security researchers at Mandiant (a Google-owned company) discovered that a group of cybercriminals had used packages vSphere Installation Bundles (VIB) to deliver two malicious strains: VirtualPita et VirtualPie. This group named UNC3886 would come from China.

As a reminder, VIB packages allow you to install packages on a VMware ESXi hypervisor, and they also correspond to images. The origin of a VIB package can vary : it can be an official package offered by VMware, offered by an official partner or simply distributed by the community (GhettoVCB, for example). So it’s not easy to find…

Moreover, the cybercriminals behind these malicious packages had the good idea to modify the description XML file to indicate that it came from a partner, not the community. This is done via the key “acceptance-level” in the XML file. In addition, and in order to make the VMware ESXi host accept the package without question, the “–force” flag is used when installing VIB packages. Thus, the VirtualPita and VirtualPie backdoors are deployed on the compromised VMware ESXi host.

VMware ESXi - VIB malveillant
Source : Mandiant

In his report, the Mandiant company specifies : “VirtualPita is a 64-bit passive backdoor that listens on a hard-coded port number, on the VMware ESXi server.“, all while taking the name of a service and a port number typically used by a VMware service. As for VirtualPie, it is a backdoor coded in Python whose objective is to allow command line execution, file transfer, as well as the establishment of a reverse shell.

On the virtual machines, especially Windows, of the infected host, a malicious strain is also deployed: VirtualGate. There is therefore also a compromise of the virtual machines.

A prerequisite to consider

However, there is an important prerequisite to consider! To install the malicious packages, hackers must have administrator access on the hypervisor. Although this reduces the risks, this threat should not be ignored, because it allows attackers to gain persistent access to an already compromised infrastructure!


Logiciel – OS,Sécurité,VMware,

#malicious #VIB #package #hides #backdoor

Leave a Comment

Your email address will not be published. Required fields are marked *