Juniper Networks researchers recently found a backdoor in a VMware ESXi server. Though the initial entry method is unknown, it is believed that the server was compromised using vulnerabilities in ESXi’s OpenSLP service (CVE-2019-5544 and CVE-2020-3992).
The backdoor achieves persistence by placing several lines of Linux commands in the “/etc/rc.local.d/local.sh” script, which runs at startup. Most of the commands simply move the file “/bin/hostd-probe.sh” around before and after the execution of a Python script. That Python script, which provides the backdoor to the threat actor, was located in “/store/packages/vmtools.py”. The payload appears to be compatible with other Linux systems, but the location, file name, and file contents indicate that VMware ESXi servers are the intended targets. The “vmtools.py” script begins with a VMware copyright text consistent with legitimate VMware Python script copyright texts, enhancing the malware’s ability to masquerade as a legitimate component.
The backdoor itself is a Python web server that accepts POST requests from the threat actor. The POST requests must include a password set by the attacker, and can include base64-encoded shell commands to execute on the victim host. The request can also instruct the malware to start a reverse shell on the victim host for the threat actor to connect to, a very common method of reaching a host behind a firewall. Juniper researchers also observed the threat actor modifying the “/etc/vmware/rhttpproxy/endpoints.conf” configuration file to allow reverse HTTP connections to the backdoor.
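The three artifacts described above (the modified startup script, the Python script under /store/packages, and the edited rhttpproxy endpoints file) are all checkable from a host's file contents. The following is an added hunting example written for this summary; it is not Juniper's or VMware's code. The paths come from the write-up; the detection rules, the baseline-comparison approach for endpoints.conf, and the import-based heuristic for the web-server script are assumptions, and every sample file below is constructed to resemble the described modifications rather than copied from a real host.

```python
"""Hunt for the ESXi backdoor indicators described above.

Added example (not the report's or VMware's code). Paths are taken from the
write-up; the rules and sample file contents are assumptions/constructed.
"""
import re
from typing import Dict, List

# Paths named in the write-up.
STARTUP_SCRIPT = "/etc/rc.local.d/local.sh"
BACKDOOR_SCRIPT = "/store/packages/vmtools.py"
SHUFFLED_FILE = "/bin/hostd-probe.sh"
ENDPOINTS_CONF = "/etc/vmware/rhttpproxy/endpoints.conf"

# Heuristic rules (assumption): the startup script should not launch Python,
# should not move hostd-probe.sh around, and should not reference /store/packages.
RULES = [
    ("python-launch", re.compile(r"^\s*(nohup\s+)?python[0-9.]*\s+\S+")),
    ("hostd-probe-move", re.compile(r"^\s*(mv|cp)\s+.*hostd-probe\.sh")),
    ("store-reference", re.compile(r"/store/packages/")),
]


def scan_startup_script(text: str) -> List[Dict[str, object]]:
    """Return one finding per non-comment line of local.sh that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for name, pattern in RULES:
            if pattern.search(stripped):
                findings.append({"rule": name, "line": lineno, "text": stripped})
                break  # first matching rule is enough for one line
    return findings


def diff_config(baseline: str, current: str) -> Dict[str, List[str]]:
    """Lines added to / removed from endpoints.conf versus a known-good copy.

    The file is treated as opaque lines on purpose: a baseline diff flags any
    new route without depending on the exact rhttpproxy syntax.
    """
    def lines(text: str):
        return {l.strip() for l in text.splitlines()
                if l.strip() and not l.strip().startswith("#")}
    before, after = lines(baseline), lines(current)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def looks_like_http_backdoor(source: str) -> bool:
    """Heuristic (assumption): a script importing an HTTP server module, base64
    and a process-spawning module matches the web-server behaviour described."""
    has_http = re.search(r"^\s*(import|from)\s+(http\.server|BaseHTTPServer|SimpleHTTPServer)", source, re.M)
    has_b64 = re.search(r"^\s*import\s+base64", source, re.M)
    has_exec = re.search(r"^\s*import\s+(subprocess|os)\b", source, re.M)
    return bool(has_http and has_b64 and has_exec)


# --- Constructed sample inputs (not captured from a real host) ---------------
SAMPLE_LOCAL_SH = """#!/bin/sh
# local configuration options
mv /bin/hostd-probe.sh /tmp/hostd-probe.sh.orig
nohup python /store/packages/vmtools.py > /dev/null 2>&1 &
mv /tmp/hostd-probe.sh.orig /bin/hostd-probe.sh
exit 0
"""

BASELINE_ENDPOINTS = """# constructed baseline, not VMware's shipped file
/sdk local 8307 redirect allow
/ui local 8308 redirect allow
"""
CURRENT_ENDPOINTS = BASELINE_ENDPOINTS + "/vmtools local 8443 allow allow\n"

SAMPLE_SCRIPT_HEAD = """# Copyright (c) VMware, Inc. -- constructed header, imports only
import base64
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
"""


def run_report() -> Dict[str, object]:
    """Run all three checks over the constructed samples and collect results."""
    return {
        STARTUP_SCRIPT: scan_startup_script(SAMPLE_LOCAL_SH),
        ENDPOINTS_CONF: diff_config(BASELINE_ENDPOINTS, CURRENT_ENDPOINTS),
        BACKDOOR_SCRIPT: looks_like_http_backdoor(SAMPLE_SCRIPT_HEAD),
    }


if __name__ == "__main__":
    for path, result in run_report().items():
        print(path, "->", result)
```

On a real host the sample strings would be replaced by the contents of the three files; the endpoints.conf baseline should be taken from a known-clean host of the same ESXi build, since the diff approach only reports what differs from that copy.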