S1217 VIRTUALPITA
VIRTUALPITA is a passive backdoor with ESXi and Linux vCenter variants capable of command execution, file transfer, and starting and stopping processes. VIRTUALPITA has been in use since at least 2022, including by UNC3886, who leveraged malicious vSphere Installation Bundles (VIBs) to install it on ESXi hypervisors.[1]
| Item | Value |
|---|---|
| ID | S1217 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 02 June 2025 |
| Last Modified | 03 June 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1037 | Boot or Logon Initialization Scripts | VIRTUALPITA can persist as an init.d startup service on Linux vCenter systems.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | VIRTUALPITA has the ability to spawn a bash shell for script execution.[1] |
| enterprise | T1059.006 | Python | VIRTUALPITA can call a Python script to run commands on a targeted guest virtual machine.[1] |
| enterprise | T1675 | ESXi Administration Command | VIRTUALPITA can execute commands on guest virtual machines from compromised ESXi hypervisors.[1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.003 | Impair Command History Logging | VIRTUALPITA can impair logging by setting the HISTFILE environment variable to 0 and stopping the vmsyslogd service.[1] |
| enterprise | T1105 | Ingress Tool Transfer | VIRTUALPITA has the ability to upload and download files.[1] |
| enterprise | T1570 | Lateral Tool Transfer | VIRTUALPITA is capable of file transfer and arbitrary command execution.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | VIRTUALPITA has utilized VMware service names and ports to masquerade as legitimate services.[1] |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | VIRTUALPITA samples have been found in /usr/libexec/setconf/ksmd and /usr/bin/ksmd, named to spoof the legitimate Kernel Same-Page Merging Daemon binary.[1] |
| enterprise | T1571 | Non-Standard Port | VIRTUALPITA has created listeners on hard-coded TCP ports such as 2233, 7475, and 18098.[1] |
| enterprise | T1489 | Service Stop | VIRTUALPITA can start and stop the vmsyslogd service.[1] |
| enterprise | T1673 | Virtual Machine Discovery | VIRTUALPITA can target specific guest virtual machines for script execution.[1] |
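The table above lists several host-observable indicators: listeners on the hard-coded TCP ports 2233, 7475 and 18098, a ksmd-named file at /usr/libexec/setconf/ksmd or /usr/bin/ksmd, HISTFILE set to 0, and a stopped vmsyslogd service. The following script is an added example written for this page, not code from ATT&CK or from the cited Mandiant reports; it evaluates those indicators against host state and returns findings tagged with the technique IDs from the table. It assumes `ss -lnt`-style socket output (Linux vCenter), a list of file paths present on the host, the environment of the shell being examined, and the set of running service names; all sample inputs are constructed here so it runs offline.

```python
"""Evaluate VIRTUALPITA-style host indicators from this page's techniques table.

Added example, not from the ATT&CK page or the cited reports. Indicator
values (ports, paths, HISTFILE, vmsyslogd) come from the table above; the
sample inputs below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Indicators taken from the techniques table.
SUSPECT_PORTS = {2233, 7475, 18098}                              # T1571
SUSPECT_PATHS = {"/usr/libexec/setconf/ksmd", "/usr/bin/ksmd"}   # T1036.005
LOGGING_SERVICE = "vmsyslogd"                                     # T1562.003 / T1489


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str


def listening_ports(ss_output: str) -> set[int]:
    """Parse `ss -lnt`-style output into the set of local listening ports.

    Assumes the Linux `ss` layout: State, Recv-Q, Send-Q, Local Address:Port, ...
    Both IPv4 ("0.0.0.0:2233") and IPv6 ("[::]:18098") addresses end in ":port".
    """
    ports: set[int] = set()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        match = re.search(r":(\d+)$", fields[3])
        if match:
            ports.add(int(match.group(1)))
    return ports


def check_host(ss_output: str, present_paths, env: dict, services_running) -> list[Finding]:
    """Return one Finding per indicator from the table that matches the host state."""
    findings: list[Finding] = []
    for port in sorted(listening_ports(ss_output) & SUSPECT_PORTS):
        findings.append(Finding("T1571", f"listener on hard-coded TCP port {port}"))
    for path in sorted(set(present_paths) & SUSPECT_PATHS):
        findings.append(Finding("T1036.005", f"ksmd-named file present at {path}"))
    if env.get("HISTFILE") == "0":
        findings.append(Finding("T1562.003", "HISTFILE is set to 0 (history logging impaired)"))
    if LOGGING_SERVICE not in set(services_running):
        findings.append(Finding("T1489", f"{LOGGING_SERVICE} is not running"))
    return findings


# Constructed sample host state (not real telemetry).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      50     0.0.0.0:2233        0.0.0.0:*
LISTEN 0      50     [::]:18098          [::]:*
"""
SAMPLE_PATHS = ["/usr/bin/ksmd", "/usr/bin/python", "/etc/init.d/vmware-vpxd"]
SAMPLE_ENV = {"HISTFILE": "0", "HOME": "/root"}
SAMPLE_SERVICES = {"vpxd", "sshd"}  # vmsyslogd deliberately absent


def run_sample() -> list[Finding]:
    """Run the checks over the constructed sample and return the findings."""
    return check_host(SAMPLE_SS, SAMPLE_PATHS, SAMPLE_ENV, SAMPLE_SERVICES)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.technique}: {finding.detail}")
```

Because the malware masquerades with VMware service names and ports (T1036.004), a hit on one of these checks should be confirmed by comparing the owning process and binary against VMware's documented services rather than trusting the name alone; conversely, a clean result only covers the indicators this page lists.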
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1048 | UNC3886 | [1][2][3] |
References
- [1] Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.
- [2] Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.
- [3] Marvi, A. et al. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.