Mandiant, VMware and US-CERT warn of malware targeting VMware ESXi servers

Sicherheit (Pexels, allgemeine Nutzung)[German]Google-acquired security vendor Mandiant has encountered a new malware family (VirtualPITA, VirtualPIE, and VirtualGATE) that targets virtualization solutions like VMware ESXi Server and uses specialized techniques to infiltrate. VMware has issued a security advisory to that effect, and US-CERT is also warning against this malware.


US-CERT warning

US-CERT dvises in the following tweet that thread actors are using specialized malware known as VirtualPITA, VirtualPIE and VirtualGATE to gain persistent access to ESXi instances.  

 US-CERT warns about malware, addressing VMware ESXi Server

Mandiant dicovered the Malware

Earlier this year, Mandiant identified a novel malware ecosystem that impacts VMware ESXi, Linux vCenter servers and Windows virtual machines, enabling a threat actor to perform the following actions:

  • Gaining persistent administrative access to the hypervisor
  • Send commands to the hypervisor that are forwarded to the guest VM for execution
  • Transfer files between the ESXi hypervisor and the guest machines running under it
  • Interfere with the logging services of the hypervisor
  • Execute arbitrary commands from one guest VM to another guest VM running on the same hypervisor

Mandiant came across this malware while investigating a compromised system and looking into how the attackers were able to get in. Mandiant found that an attacker could send commands from the legitimate VMware Tools process vmtoolsd.exe on a Windows virtual machine. This virtual machine was running on a VMware ESXi hypervisor. Mandiant analyzed the boot profile for the ESXi hypervisors and identified an unprecedented technique in which a threat actor used malicious vSphere Installation Bundles ("VIBs") to install multiple backdoors on the ESXi hypervisors.

Ultimately, Mandiant was able to identify two new malware families installed via malicious vSphere Installation Bundles (VIBs). Mandiant named these backdoors VIRTUALPITA and VIRTUALPIE.


VMware VIBs are collections of files designed to facilitate software distribution and virtual system management. Because ESXi uses an in-memory file system, file edits are not saved across reboots. A VIB package can be used to create startup tasks, custom firewall rules, or to deploy custom binaries when an ESXi machine restarts.

These VIB packages (description via XML files) are typically used by administrators to deploy updates and maintain systems. However, this attacker used the packages as a persistence mechanism to maintain access across ESXi hypervisors. Mandiant describes the details in the blog post Bad VIB(E)s Part One: Inves

VMware publishes support article

VMware has meanwhile published the support article Protecting vSphere From Specialized Malware about this issue. There you can find additional information about the attack and what you can do against this kind of malware. Furthermore, mitigation and detection guidance has been developed by VMware specifically for the techniques described in the Mandiant report. This guidance can be found in VMware Knowledge Base 89619 – Mitigation and Threat Hunting Guidance for Unsigned vSphere Installation Bundles (VIBs) in ESXi. The Knowledge Base article also includes a detection script to automate the process of scanning an environment.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Virtualization and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *