Updated on 2022-09-30
Mandiant discovered new espionage-related malware families, VIRTUALPITA and VIRTUALPIE, targeting VMware ESXi, Windows virtual machines, and Linux vCenter servers to gain persistent administrative access. Read more: Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors
Overview
Mandiant discovered a new persistence technique used against VMware ESXi systems: threat actors gained access to the servers and then installed malicious vSphere Installation Bundles (VIBs). These VIBs deployed the VIRTUALPITA and VIRTUALPIE backdoors at the hypervisor level, allowing the threat actor to run commands on all hosted guest operating systems.
Mandiant has begun tracking this activity as UNC3886. Given the highly targeted and evasive nature of this intrusion, we suspect UNC3886's motivation to be cyber-espionage related. Additionally, we assess with low confidence that UNC3886 has a China nexus. Read more: Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors
🔥 VMware has released guidance addressing malware known as VirtualPITA, VirtualPIE, and VirtualGATE, used to gain persistent access to instances of ESXi. Apply recommended mitigations and threat hunting guidance: https://t.co/zdVP2jTD8T
— US-CERT (@USCERT_gov) September 29, 2022