Concise Cyber

China-Nexus Group UNC3886 Targets VMware vSphere with Novel Malware

Cybersecurity researchers at Mandiant have identified a China-nexus espionage actor, tracked as UNC3886, targeting VMware vSphere environments for long-term persistence. The group has demonstrated advanced capabilities by deploying novel malware families on ESXi hosts and vCenter servers, which often lack robust security monitoring like endpoint detection and response (EDR) solutions.

The attacks were directed at organizations within the defense industrial base, telecommunications, and technology sectors located in the United States and the Asia-Pacific and Japan (APJ) regions. UNC3886’s primary goal was to establish a persistent and stealthy foothold within victim networks by compromising the virtualization layer.

Advanced Malware and Persistence Techniques

The threat actor used multiple malware families to achieve its objectives. A backdoor known as VIRTUALPITA was installed on ESXi hosts, allowing the attackers to maintain access, execute commands, and manipulate files. A second backdoor, named VIRTUALPIE, was deployed on guest Windows virtual machines and communicated with the ESXi host over VMCI sockets.

A key technique was the deployment of malicious vSphere Installation Bundles (VIBs). UNC3886 modified legitimate VIBs to carry its malicious code, which allowed the backdoors to persist across system reboots and patching cycles. This method gave the attackers highly resilient access to the compromised infrastructure.
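A defender's first pass against this persistence technique is to inventory the VIBs installed on each host and compare that inventory with a known-good baseline captured from a trusted image. The following is an added example, not code from the article or from Mandiant or VMware: it parses the tabular output of `esxcli software vib list` (column boundaries are taken from the dashed underline row rather than splitting on whitespace) and flags VIBs that are absent from the baseline, that changed version or vendor, or whose acceptance level is weaker than the host's policy. The sample output, the vendor `Acme`, the VIB name `example-modified-vib` and the version strings are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# VMware acceptance levels from most to least trusted; a lower rank
# means a stricter signing requirement.
ACCEPTANCE_RANK = {
    "VMwareCertified": 0,
    "VMwareAccepted": 1,
    "PartnerSupported": 2,
    "CommunitySupported": 3,
}


@dataclass(frozen=True)
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: str


def parse_vib_list(text: str) -> list[Vib]:
    """Parse the table printed by `esxcli software vib list`.

    The dashed row under the header defines the column widths, so each
    field is sliced by position; this survives vendors or dates that a
    whitespace split would break apart.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    dash_idx = next(
        (i for i, ln in enumerate(lines) if "-" in ln and re.fullmatch(r"[-\s]+", ln)),
        None,
    )
    if dash_idx is None:
        raise ValueError("no column underline row found; not esxcli table output")
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[dash_idx])]
    if len(spans) != 5:
        raise ValueError(f"expected 5 columns, found {len(spans)}")
    return [Vib(*[ln[start:end].strip() for start, end in spans]) for ln in lines[dash_idx + 1:]]


def audit_vibs(current: list[Vib], baseline: list[Vib],
               host_acceptance: str = "PartnerSupported") -> list[tuple[str, str]]:
    """Return (vib name, reason) findings for VIBs that deviate from the baseline
    or that sit below the host's minimum acceptance level."""
    max_rank = ACCEPTANCE_RANK[host_acceptance]
    known = {v.name: v for v in baseline}
    findings = []
    for v in current:
        rank = ACCEPTANCE_RANK.get(v.acceptance)  # unknown level is treated as untrusted
        if rank is None or rank > max_rank:
            findings.append((v.name, f"acceptance level {v.acceptance!r} is weaker than host policy {host_acceptance!r}"))
        ref = known.get(v.name)
        if ref is None:
            findings.append((v.name, "not present in the known-good baseline"))
        elif (ref.version, ref.vendor) != (v.version, v.vendor):
            findings.append((v.name, f"changed from {ref.version}/{ref.vendor} to {v.version}/{v.vendor}"))
    return findings


# Constructed sample: a baseline taken from a trusted image ...
BASELINE_LIST = """\
Name                    Version                         Vendor  Acceptance Level    Install Date
----------------------  ------------------------------  ------  ------------------  ------------
esx-base                7.0.3-0.35.19193900             VMware  VMwareCertified     2022-03-01
lsu-smartpqi-plugin     1.0.0-8vmw.703.0.20.19193900    VMware  VMwareCertified     2022-03-01
"""

# ... and the inventory of a host under review, with one legitimate VIB at a
# different version and one extra CommunitySupported VIB from an unknown vendor.
CURRENT_LIST = """\
Name                    Version                         Vendor  Acceptance Level    Install Date
----------------------  ------------------------------  ------  ------------------  ------------
esx-base                7.0.3-0.35.19193900             VMware  VMwareCertified     2022-03-01
lsu-smartpqi-plugin     1.0.0-9vmw.703.0.20.19193900    VMware  VMwareCertified     2022-03-01
example-modified-vib    1.0.0-1                         Acme    CommunitySupported  2022-09-14
"""

if __name__ == "__main__":
    for name, reason in audit_vibs(parse_vib_list(CURRENT_LIST), parse_vib_list(BASELINE_LIST)):
        print(f"{name}: {reason}")
```

An inventory diff is cheap and catches added or re-versioned bundles, but a VIB whose payload was altered while its name and version were left intact will pass it. That case needs cryptographic signature verification of the installed bundles (`esxcli software vib signature verify` on ESXi releases that provide it) rather than a listing comparison, and it is also the reason the baseline should be captured from a trusted image, not from the host being examined.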

Exploitation of Zero-Day Vulnerabilities

The group’s operations included the exploitation of a zero-day, identified as a command injection vulnerability in VMware Tools, that let UNC3886 communicate and transfer files between the compromised ESXi host and the guest virtual machines. The attackers leveraged this vulnerability to execute commands on guest VMs from the hypervisor level without requiring guest credentials.

By controlling the hypervisor, UNC3886 gained the ability to move laterally within the virtualized environment, access any guest VM on the host, and tamper with logging services to conceal its activities. The group’s deep understanding of VMware’s architecture allowed it to operate with a high degree of stealth.

Source: https://www.csoonline.com/article/4101866/chinese-cyberspies-target-vmware-vsphere-for-long-term-persistence.html