Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors

Earlier this year, researchers identified a novel malware ecosystem impacting VMware ESXi hypervisors, Linux vCenter servers, and Windows virtual machines. The ecosystem was first detected during an intrusion investigation, when the investigators found attacker commands being issued from the legitimate VMware Tools process on a Windows virtual machine hosted on a VMware ESXi hypervisor.
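The detection lead described above, a command interpreter being started by the guest agent, can be expressed as a simple process-lineage check. The following is an added example, not code from the original post or from the researchers who wrote it up. It assumes that VMware Tools runs on Windows as `vmtoolsd.exe`, and the log-line format and sample events are constructed for this example; map the fields onto whatever process-creation telemetry (Sysmon event 1, EDR, Windows 4688) is actually in use.

```python
"""
Flag Windows process-creation events in which the VMware Tools guest agent
(vmtoolsd.exe) launched a command interpreter.

Added example, not part of the original post. The log-line format and the
sample events are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: VMware Tools on Windows runs as vmtoolsd.exe.
VMTOOLS_IMAGES = {"vmtoolsd.exe"}

# Interpreters that a guest agent has no routine reason to spawn on its own.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed line format: host=<name> parent="<path>" image="<path>" cmdline="<text>"
LINE_RE = re.compile(
    r'host=(\S+)\s+parent="([^"]*)"\s+image="([^"]*)"\s+cmdline="([^"]*)"'
)


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line: str) -> Optional[ProcEvent]:
    """Parse one constructed log line; return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    host, parent, image, cmdline = m.groups()
    return ProcEvent(host, parent, image, cmdline)


def is_suspicious(ev: ProcEvent) -> bool:
    """True when a shell/interpreter was spawned directly by vmtoolsd.exe."""
    return (
        basename(ev.parent_image) in VMTOOLS_IMAGES
        and basename(ev.image) in SHELL_IMAGES
    )


def detect(lines: Iterable[str]) -> List[ProcEvent]:
    """Return the events that should be raised for review."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and is_suspicious(ev):
            hits.append(ev)
    return hits


# Constructed sample telemetry: two benign events, two that match the pattern.
SAMPLE_LOG = [
    r'host=WIN-VM01 parent="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" '
    r'image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c ipconfig /all"',
    r'host=WIN-VM01 parent="C:\Windows\explorer.exe" '
    r'image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe"',
    # vmtoolsd.exe legitimately starts its own helper binaries; this must not alert.
    r'host=WIN-VM02 parent="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" '
    r'image="C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" '
    r'cmdline="VMwareResolutionSet.exe 0 1 , 0 0 1920 1080"',
    r'host=WIN-VM02 parent="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" '
    r'image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmdline="powershell.exe -NoProfile -Command Get-Process"',
]


if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG):
        print(f"[ALERT] {ev.host}: {basename(ev.parent_image)} -> {ev.image} :: {ev.cmdline}")
```

One caveat when deploying this: administrators who run scripts through the vSphere guest-operations API also execute them via VMware Tools, so the rule should be baselined against known automation accounts and hosts rather than treated as an unconditional alert. The value of the check is that the parent-child pair is cheap to evaluate and survives the masquerading (T1036) and signed-binary proxy execution (T1218) techniques listed for this malware, because it keys on lineage rather than on the name of the launched binary.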
MALWARE FAMILIES: VIRTUALPIE, VIRTUALPITA
ATT&CK IDS: T1036 - Masquerading, T1003 - OS Credential Dumping, T1016 - System Network Configuration Discovery, T1021 - Remote Services, T1027 - Obfuscated Files or Information, T1059 - Command and Scripting Interpreter, T1070 - Indicator Removal on Host, T1083 - File and Directory Discovery, T1105 - Ingress Tool Transfer, T1129 - Shared Modules, T1140 - Deobfuscate/Decode Files or Information, T1202 - Indirect Command Execution, T1218 - Signed Binary Proxy Execution, T1497 - Virtualization/Sandbox Evasion, T1547 - Boot or Logon Autostart Execution, T1560 - Archive Collected Data, T1573 - Encrypted Channel