Cyberespionage group developed backdoors tailored for VMware ESXi hypervisors
Researchers have identified a new malware family that was designed to backdoor and create persistence on VMware ESXi servers by leveraging legitimate functionality the hypervisor software supports. According to researchers from Mandiant who found and analyzed the backdoors, they were packaged and deployed on infected servers as vSphere Installation Bundles (VIBs). VIBs are software packages used to distribute components that extend VMware ESXi functionality. The malicious VIBs provided hackers with remote command execution and persistence capabilities on the servers and the ability to execute commands on the guest virtual machines running on the servers.
By default, VMware ESXi is configured to accept only the installation of VIBs whose acceptance level is VMwareCertified, VMwareAccepted, or PartnerSupported. At these levels of acceptance, the bundles need to be digitally signed by either VMware or a partner whose signature VMware trusts.
However, there is a fourth level of acceptance called CommunitySupported, and VIBs in this category do not need to be digitally signed. The catch is that such bundles can only be installed if an administrator deliberately passes the --force flag to the installation command in the esxcli command-line tool.
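Because unsigned bundles can only enter a host at the CommunitySupported level, a straightforward defensive check is to list the installed VIBs and flag any entry at that level, and to confirm that the host-wide acceptance level still requires signatures. The script below is an added example, not code from the article, from Mandiant, or from VMware. It assumes the whitespace-separated table layout that `esxcli software vib list` prints (Name, Version, Vendor, Acceptance Level, Install Date); the sample output embedded in it is constructed so the script runs offline, and the VIB names and vendor codes in it are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article, Mandiant, or VMware): flag installed VIBs
# whose acceptance level is CommunitySupported, i.e. bundles that carry no VMware
# or partner signature and could only have been installed with --force.
#
# Input is the text that `esxcli software vib list` prints on an ESXi host. On a
# live host pipe the real output in:  esxcli software vib list | flag_unsigned_vibs

# Constructed sample in the esxcli table layout (column layout is an assumption
# about the command's output). Names and vendor codes are hypothetical; the last
# row stands in for an unsigned bundle.
SAMPLE_VIB_LIST='Name            Version                 Vendor  Acceptance Level    Install Date
--------------  ----------------------  ------  ------------------  ------------
esx-base        7.0.3-0.0.19193900      VMW     VMwareCertified     2022-01-27
vmw-ahci        2.0.10-1vmw.703.0.20.1  VMW     VMwareCertified     2022-01-27
vendor-driver   1.0.0-1                 VEND    PartnerSupported    2022-03-10
custom-bundle   1.0.0-1                 ACME    CommunitySupported  2022-09-20'

# Read vib-list text on stdin and print "name version vendor" for every
# CommunitySupported VIB. The acceptance level is the 4th whitespace-separated
# field; the header line and the dashed rule are skipped.
flag_unsigned_vibs() {
    awk 'NR > 2 && $4 == "CommunitySupported" { print $1, $2, $3 }'
}

# Number of flagged VIBs in the constructed sample (used by the self-check).
count_flagged_in_sample() {
    printf '%s\n' "$SAMPLE_VIB_LIST" | flag_unsigned_vibs | wc -l | tr -d ' '
}

# Return 0 when the host-wide acceptance level (the string that
# `esxcli software acceptance get` prints) still requires signed bundles,
# 1 when the host has been lowered to CommunitySupported or reports something unknown.
host_level_requires_signature() {
    case "$1" in
        VMwareCertified|VMwareAccepted|PartnerSupported) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: show flagged entries from the sample, and on a real ESXi
# host also report the current host-wide acceptance level.
printf '%s\n' "$SAMPLE_VIB_LIST" | flag_unsigned_vibs
if command -v esxcli >/dev/null 2>&1; then
    level=$(esxcli software acceptance get)
    if host_level_requires_signature "$level"; then
        echo "Host acceptance level '$level' still requires signed VIBs"
    else
        echo "WARNING: host acceptance level is '$level'"
    fi
fi
```

On a real host, a flagged row is a starting point for review rather than proof of compromise: an administrator may have installed a community driver on purpose. What matters for the technique described above is that every such entry implies a deliberate --force installation, so each one should be traceable to a known change record.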