According to Juniper Networks’ Threat Labs security researchers, a new Python-based backdoor targeting VMware ESXi virtualization servers has been discovered. Although the targeted servers were affected by well-known security flaws (including CVE-2019-5544 and CVE-2020-3992) that were probably exploited for the initial compromise, the researchers were more interested in the backdoor’s ease of use, persistence, and capabilities.
During the attack, the threat actor modified four files on the target that the system backs up and restores after a reboot, ensuring that a Python script continues to execute at startup. By altering file timestamps and choosing files that would not attract much attention on a virtualized host, the attackers also tried to conceal the backdoor’s presence on the system.
Juniper Threat Labs noted that the Python script could also run on Linux and other UNIX-like systems, although it appears to have been written mainly to target ESXi. The script starts a webserver that, on receiving password-protected POST requests, runs remote commands or starts a reverse shell on the host.
The reverse shell uses a series of piped commands intended “to work around limitations in the netcat version available on ESXi.” It can bypass firewall restrictions and works even if the infected machine is not connected to the internet. According to Juniper Threat Labs, the attackers then changed the configuration of the ESXi reverse HTTP proxy so that particular external requests are routed to port 8307, giving the attackers access to the malicious website.
The reverse proxy change persists across reboots, like the Python script. Organizations are advised to ensure their appliances are correctly patched and that inbound network connections are limited to trusted hosts. Users of VMware ESXi are also urged to examine the contents of the four targeted files and any persistent system files for indications of unauthorized changes.
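The two checks recommended above, as an added defender-side example that is not part of the Juniper report: the first flags reverse-proxy endpoint entries routing to port 8307 under a namespace the host’s baseline does not expect, the second compares persisted files against a known-good SHA-256 baseline. The endpoint line format, the expected-namespace set, the file paths and the file contents are all constructed assumptions, not values from the report.

```python
import hashlib

SUSPECT_PORT = 8307  # backend port the malicious proxy rule routes to (from the report)


def find_suspect_routes(config_text, expected_namespaces, suspect_port=SUSPECT_PORT):
    """Return namespaces routed to suspect_port that are not in the expected set.

    Assumed line format (not taken from the report):
        <url-namespace> <access> <backend-port> <redirect-policy> <allow-policy>
    Comment, blank and malformed lines are skipped.
    """
    hits = []
    for raw in config_text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#") or len(fields) < 3:
            continue
        if (fields[2].isdigit() and int(fields[2]) == suspect_port
                and fields[0] not in expected_namespaces):
            hits.append(fields[0])
    return hits


def changed_files(contents, baseline):
    """Return paths whose bytes do not match the known-good SHA-256 baseline.

    contents: {path: bytes} read from the host; baseline: {path: hex digest}.
    A path the baseline never listed is flagged too: a new file in a location
    restored after reboot is as suspicious as a modified one.
    """
    return sorted(
        path for path, data in contents.items()
        if baseline.get(path) != hashlib.sha256(data).hexdigest()
    )


# Constructed sample input; not captured from a real host.
SAMPLE_CONFIG = """\
# namespace access port redirect allow
/sdk local 8307 redirect allow
/ui local 8308 redirect allow
/backup-ui local 8307 allow allow
"""
EXPECTED_8307_NAMESPACES = {"/sdk"}  # assumed known-good set for this host
SAMPLE_FILES = {  # placeholder paths, not the four files named in the report
    "placeholder/startup.sh": b"#!/bin/sh\nexit 0\n",
    "placeholder/probe.sh": b"#!/bin/sh\necho modified\n",
}
SAMPLE_BASELINE = {p: hashlib.sha256(b"#!/bin/sh\nexit 0\n").hexdigest() for p in SAMPLE_FILES}


def audit(config_text=SAMPLE_CONFIG, files=SAMPLE_FILES, baseline=SAMPLE_BASELINE):
    """Run both checks and return the findings."""
    return {"suspect_routes": find_suspect_routes(config_text, EXPECTED_8307_NAMESPACES),
            "changed_files": changed_files(files, baseline)}
```

On a real host, feed the reverse-proxy endpoint configuration text and the bytes of the persisted files into `audit()` together with a baseline captured from a clean install.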