VIRTUALPIE (VMware ESXi)

VIRTUALPIE is a lightweight backdoor written in Python that spawns a daemonized IPv6 listener on a hardcoded port on a VMware ESXi server. It supports arbitrary command line execution, file transfer capabilities, and reverse shell capabilities. Communications use a custom protocol and are encrypted using RC4.

The first malicious VIB named lsu-lsi-lsi-mrarpid-plugin referenced the payload lsu_lsi_.v05 (MD5: 2716c60c28cf7f7568f55ac33313468b) which contained the following three (3) files for which details can be found in Table 1:

Table 1: Lsu-lsi-lsi-mrarpid-plugin Malicious VIB contents

File Name: vmware_local.sh
Description: A bash installation script to be placed into /etc/rc.local.d/ to ensure its actions will be executed upon each bootup of ESXi. Uses the esxcli command line utility to enable a firewall rule for backdoor traffic, execute both backdoors, and remove every file created by the VIB from the disk.

File Name: rdt
Description: An ELF backdoor (VIRTUALPITA) that creates a listener on the hardcoded TCP port 2233. Capable of arbitrary command execution, file transfer capabilities, and the ability to start/stop vmsyslogd. VMware documentation recorded that this port is normally utilized by the vSAN reliable datagram transport (RDT) service on the ESXi version which was reviewed.

File Name: vmsyslog.py
Description: A lightweight backdoor (VIRTUALPIE) written in Python that spawns a daemonized IPv6 listener on the hardcoded port 546. Capable of arbitrary command line execution, file transfer capabilities, and reverse shell capabilities. Communications use a custom protocol and are encrypted using RC4.

The second malicious VIB named ata-pata-pdc20211 referenced the payload payload1.v00 (MD5: 9ea86dccd5bbde47f8641b62a1eeff07) which contained the following two (2) files for which details can be found in Table 2:

Table 2: Ata-pata-pdc20211 Malicious VIB contents

File Name: vmware_rhttpio.sh
Description: A bash installation script to be placed into /etc/rc.local.d/ to ensure its actions will be executed upon each bootup of ESXi. This script executes the ELF backdoor.

File Name: rhttpproxy-io
Description: An ELF backdoor (VIRTUALPITA) that creates a listener on the hardcoded VMCI socket port 18098. Capable of arbitrary command execution, file transfer capabilities, and the ability to start/stop vmsyslogd. This sample generates an additional log not seen in other samples, which records the system's context ID (CID). The generated log /var/log/sysclog records entries in the following format: [<date/timestamp>]\n\r[!]<<PID>>:<CID>:<port>\n\n
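The log format above is a usable detection artifact on its own. The following parser, an added example that is not part of the original report, extracts the PID, CID and port from text in that exact layout (including the unusual newline-then-carriage-return separator and the doubled angle brackets around the PID). The sample log content, the timestamp layout and the CID value are constructed for illustration; only the record structure and the port 18098 come from the report.

```python
import re
from typing import Dict, List

# Record layout from the report: [<date/timestamp>]\n\r[!]<<PID>>:<CID>:<port>\n\n
# The timestamp pattern is permissive because the report does not give its exact format.
RECORD_RE = re.compile(
    r"\[(?P<ts>[^\]\n]+)\]\n\r\[!\]<<(?P<pid>\d+)>>:(?P<cid>\d+):(?P<port>\d+)\n\n"
)

# Port the rhttpproxy-io sample listens on, per the report.
REPORTED_VMCI_PORT = 18098


def parse_sysclog(data: str) -> List[Dict[str, object]]:
    """Return one dict per backdoor-style record found in sysclog-like text."""
    records = []
    for m in RECORD_RE.finditer(data):
        records.append({
            "timestamp": m.group("ts"),
            "pid": int(m.group("pid")),
            "cid": int(m.group("cid")),
            "port": int(m.group("port")),
        })
    return records


def flag_sysclog(data: str) -> Dict[str, object]:
    """Summarise findings for a triage note: record count, distinct PIDs, and
    whether any record uses the VMCI port documented for this sample."""
    records = parse_sysclog(data)
    return {
        "records": len(records),
        "pids": sorted({r["pid"] for r in records}),
        "reported_port_seen": any(r["port"] == REPORTED_VMCI_PORT for r in records),
    }


# Constructed sample in the documented layout (not a real capture; CID 2 and the
# timestamp text are illustrative assumptions).
SAMPLE = (
    "[2022-09-01 10:15:42]\n\r[!]<<2100012>>:2:18098\n\n"
    "[2022-09-01 10:20:07]\n\r[!]<<2100012>>:2:18098\n\n"
)

if __name__ == "__main__":
    print(flag_sysclog(SAMPLE))
```

Run it against the contents of /var/log/sysclog on a suspect host; any parsed record is worth escalating, since legitimate ESXi components do not write this layout to that file according to the report.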