New Python malware backdoors VMware ESXi servers for remote access

A previously undocumented Python backdoor targeting VMware ESXi servers has been spotted, enabling hackers to execute commands remotely on a compromised system.

VMware ESXi is a virtualization platform commonly used in the enterprise to host numerous servers on one device while using CPU and memory resources more effectively.

The new backdoor was discovered by Juniper Networks researchers, who found the backdoor on a VMware ESXi server. However, they could not determine how the server was compromised due to limited log retention.

They believe the server may have been compromised using the CVE-2019-5544 and CVE-2020-3992 vulnerabilities in ESXi's OpenSLP service.

While the malware is technically capable of targeting Linux and Unix systems, too, Juniper's analysts found multiple indications it was designed for attacks against ESXi.

Backdoor operation

The new python backdoor adds seven lines inside "/etc/rc.local.d/local.sh," one of the few ESXi files that survive between reboots and is executed at startup.

Usually, that file is empty, apart from some advisory comments and an exit statement.

One of those lines launches a Python script saved as "/store/packages/vmtools.py," in a directory that stores VM disk images, logs, and more.

The script's name and location make Juniper Networks believe that the malware operators intend to target VMware ESXi servers specifically.

"While the Python script used in this attack is cross-platform and can be used with little or no modification on Linux or other UNIX-like systems, there are several indications that this attack was designed specifically to target ESXi," explains Juniper Networks' report.

"The name of the file and its location, /store/packages/vmtools.py, was chosen to raise little suspicion on a virtualization host."

"The file begins with a VMware copyright consistent with publicly available   examples and is taken character-for-character from an existing Python file provided by VMware."

This script launches a web server that accepts password-protected POST requests from the remote threat actors. These requests can carry a base-64 encoded command payload or launch a reverse shell on the host.

The reverse shell makes the compromised server initiate the connection with the threat actor, a technique that often helps bypass firewall restrictions or works around limited network connectivity.

One of the threat actors' actions observed by Juniper's analysts was to change the ESXi reverse HTTP proxy configuration to allow remote access to communicate with the planted webserver.

Because the file used for setting this new configuration, "/etc/vmware/rhttpproxy/endpoints.conf," is also backed up and restored after reboot, any modifications on it are persistent.

Mitigating

To determine if this backdoor has impacted your ESXi servers, check for the existence of the files mentioned above and the additional lines in the "local.sh" file.

All configuration files that persist reboots should be scrutinized for suspicious changes and reversed to the correct settings.

Finally, admins should restrict all incoming network connections to trusted hosts, and available security updates that address exploits used for initial compromise should be applied as soon as possible.