Remote access to new Python malware backdoors VMware ESXi Servers

Undocumented Python backdoor that targets VMware ESXi servers was discovered. This allows hackers to remotely execute commands on a compromised system.

VMware ESXi, a virtualization platform that allows multiple servers to be hosted on one machine while consuming less CPU and memory resources in an enterprise environment is a common use case for VMware ESXi.

discovered the new backdoor and found it on a VMware ESXi Server. They were unable to determine the cause of the breach due to limited log retention.

The team believes that the server was compromised by the CVE-19-5544 or CVE-20-3992 vulnerabilities in ESXi’s OpenSLP services.

Although the malware can technically target Unix and Linux systems as well, Juniper analysts discovered multiple signs that it was intended for attacks on ESXi.

Backdoor operation

The new python backdoor adds seven lines inside “/etc/rc.local.d/local.sh,” one of the few ESXi files that survive between reboots and is executed at startup.

Most often, the file will be empty with some exit statements and advisory comments.

One of those lines launches a Python script saved as “/store/packages/vmtools.py,” in a directory that stores VM disk images, logs, and more.

Juniper Networks believes that this script is designed to attack VMware ESXi servers because of its name and whereabouts.

Juniper Networks’ explains that “while the Python script in this attack can be used on any platform, it is compatible with Linux and other UNIX-like systems. However, there are many indications that this attack targeted ESXi.”

“The name of the file and its location, /store/packages/vmtools.py, was chosen to raise little suspicion on a virtualization host.”

“The file begins with a VMware copyright consistent with publicly available examples and is taken character-for-character from an existing Python file provided by VMware.”

The script opens a web server to accept password-protected POST request from remote threat actors. This script can launch reverse shells on the host or carry an encoded command payload of base 64.

This reverse shell allows the compromise server to initiate the connection with threat actor. It is a method that can often bypass firewall restrictions and work around restricted network connectivity.

Juniper analysts observed that one of the threats was for Juniper to modify the ESXi reverse HTTP proxy configuration in order to permit remote access to the webserver.

Because the file used for setting this new configuration, “/etc/vmware/rhttpproxy/endpoints.conf,” is also backed up and restored after reboot, any modifications on it are persistent.

Mitigating

Check for these files and any additional lines within the file “local.sh”. This will help you determine if the backdoor is affecting your ESXi servers.

It is important to examine all configuration files that are persistently rebooted for any suspicious modifications and then reverse the settings.

Administrators need to restrict network traffic only to trusted hosts. Security updates should also be installed as quickly as possible in order not exploited for the initial compromise.