A Chinese-sponsored hacking group known as UNC3886 has been discovered exploiting a zero-day vulnerability in VMware ESXi, allowing them to backdoor Windows and Linux virtual machines and steal data.
The cyber espionage group abused an authentication bypass flaw in VMware Tools to deploy VirtualPita and VirtualPie backdoors, escalating privileges to root on compromised ESXi hosts. The attackers utilized maliciously crafted vSphere Installation Bundles (VIBs) to install the backdoor malware.
During the investigation, cybersecurity firm Mandiant identified a third malware strain called VirtualGate, which acted as a memory-only dropper on hijacked virtual machines.
Mandiant highlighted the significance of the open communication channel between guest and host, enabling persistence and access to backdoored ESXi hosts as long as a backdoor is deployed and initial access to any guest machine is obtained. UNC3886’s deep understanding of ESXi, vCenter, and VMware’s virtualization platform, coupled with their preference for targeting devices lacking Endpoint Detection and Response (EDR) capabilities, demonstrates their advanced capabilities.
In a previous campaign, UNC3886 exploited a zero-day vulnerability in FortiGate firewall devices to compromise systems and deploy Castletap and Thincrust backdoors. They then utilized the gained access to backdoor ESXi and vCenter machines using VirtualPita and VirtualPie malware.
The group’s cyber-espionage activities primarily target organizations in defense, government, telecom, and technology sectors, with a focus on zero-day vulnerabilities in firewall and virtualization platforms. Mandiant warns that their sophisticated tradecraft is challenging to detect, and there may be additional victims yet to be discovered.
