
VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)

VIRTUALPITA is a passive backdoor with ESXi and Linux vCenter variants capable of command execution, file transfer, and starting and stopping processes. VIRTUALPITA has been in use since at least 2022, including by UNC3886, who leveraged malicious vSphere Installation Bundles (VIBs) to install it on ESXi hypervisors.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)
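The description and the technique list below say what the backdoor does but not how a defender would look for it on a host. The following is an added example, not code from the MISP galaxy, MITRE ATT&CK, or the cited report: a Python triage helper that parses the output of two ESXi commands captured off-host, `esxcli software vib list` and `esxcli network ip connection list`, and flags (a) installed VIBs whose acceptance level is below the level the host is configured to allow or that are absent from a baseline, and (b) listening TCP sockets on ports not expected on a stock host. A VIB below the host's acceptance level can normally only be installed by bypassing the acceptance check (for example `esxcli software vib install --force`), so its presence is itself a signal. The sample command outputs, the VIB names, vendors, versions and the port 4444 are constructed for this example; the baseline dictionary and the port allowlist are assumptions you would build from a known-clean host of the same build.

```python
"""Triage helpers for an ESXi host suspected of a malicious-VIB install.

Added example for this page, not code from the galaxy or the cited report.
All command outputs below are CONSTRUCTED to mimic esxcli table formatting
and are not real incident data."""

from typing import Dict, Iterable, List, Set, Tuple

# ESXi acceptance levels from most to least trusted.
ACCEPTANCE_RANK = {
    "VMwareCertified": 4,
    "VMwareAccepted": 3,
    "PartnerSupported": 2,
    "CommunitySupported": 1,
}

# Constructed sample of `esxcli software vib list`. The last two rows are
# hypothetical names, not indicators from any report.
VIB_LIST = """\
Name                    Version                          Vendor     Acceptance Level    Install Date
----------------------  -------------------------------  ---------  ------------------  ------------
esx-base                7.0.3-0.65.20842708              VMware     VMwareCertified     2023-01-10
nsx-esx-datapath        3.2.1.0.0-7.0.19800087           VMware     VMwareCertified     2023-01-10
lsu-lsi-lsi-mr3-plugin  1.0.0-14vmw.703.0.20.19193900    VMW        VMwareCertified     2023-01-10
example-tools           1.0.0-1                          ExampleCo  PartnerSupported    2023-03-02
helper-svc              1.0-1                            Unknown    CommunitySupported  2023-04-19
"""

# Assumed baseline (name -> version) recorded from a known-clean host.
BASELINE: Dict[str, str] = {
    "esx-base": "7.0.3-0.65.20842708",
    "nsx-esx-datapath": "3.2.1.0.0-7.0.19800087",
    "lsu-lsi-lsi-mr3-plugin": "1.0.0-14vmw.703.0.20.19193900",
}

# Constructed sample of `esxcli network ip connection list`. The listener
# on 4444 reuses a legitimate world name on purpose: a backdoor can
# masquerade as a real service, so the check keys on the port, not the name.
CONNECTIONS = """\
Proto  Recv Q  Send Q  Local Address   Foreign Address  State        World ID  CC Algo  World Name
-----  ------  ------  --------------  ---------------  -----------  --------  -------  ----------
tcp         0       0  0.0.0.0:443     0.0.0.0:0        LISTEN        2098799  newreno  rhttpproxy
tcp         0       0  0.0.0.0:22      0.0.0.0:0        LISTEN        2098801  newreno  busybox
tcp         0       0  0.0.0.0:902     0.0.0.0:0        LISTEN        2098802  newreno  vmware-authd
tcp         0       0  0.0.0.0:4444    0.0.0.0:0        LISTEN        2121337  newreno  rhttpproxy
tcp         0       0  10.0.0.5:60123  10.0.0.9:443     ESTABLISHED   2098799  newreno  rhttpproxy
"""

# Assumed allowlist of listening ports for this build; partial, for illustration.
EXPECTED_LISTEN_PORTS: Set[int] = {22, 80, 443, 902, 8000, 8080, 8300, 9080}


def _data_rows(output: str, header_token: str) -> Iterable[List[str]]:
    """Yield whitespace-split data rows of esxcli table output, skipping the
    header line (recognised by its first token) and the dashed separator."""
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0] == header_token or set(parts[0]) == {"-"}:
            continue
        yield parts


def flag_suspicious_vibs(vib_list_output: str, host_level: str,
                         baseline: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Return (vib_name, reasons) for every VIB that is below the host's
    acceptance level, has an unrecognised level, is missing from the
    baseline, or differs in version from the baseline."""
    if host_level not in ACCEPTANCE_RANK:
        raise ValueError(f"unknown host acceptance level: {host_level!r}")
    host_rank = ACCEPTANCE_RANK[host_level]
    findings = []
    for parts in _data_rows(vib_list_output, "Name"):
        if len(parts) < 5:          # malformed row; values never contain spaces
            continue
        name, version, _vendor, level = parts[:4]
        reasons = []
        rank = ACCEPTANCE_RANK.get(level)
        if rank is None:
            reasons.append(f"unrecognized acceptance level {level!r}")
        elif rank < host_rank:
            reasons.append(f"below host acceptance level ({host_level})")
        if name not in baseline:
            reasons.append("not in baseline")
        elif baseline[name] != version:
            reasons.append(f"version differs from baseline ({baseline[name]})")
        if reasons:
            findings.append((name, reasons))
    return sorted(findings)


def flag_unexpected_listeners(conn_output: str,
                              expected_ports: Set[int]) -> List[Tuple[int, str]]:
    """Return (port, world_name) for each LISTEN socket whose port is not in
    the allowlist; the world name is reported for context only."""
    findings = []
    for parts in _data_rows(conn_output, "Proto"):
        if len(parts) < 6 or parts[5] != "LISTEN":
            continue
        local = parts[3]
        port = int(local.rsplit(":", 1)[1])   # works for IPv4 and IPv6 forms
        world = " ".join(parts[8:]) or "?"
        if port not in expected_ports:
            findings.append((port, world))
    return sorted(findings)


if __name__ == "__main__":
    # Host level would come from `esxcli software acceptance get`.
    for name, reasons in flag_suspicious_vibs(VIB_LIST, "PartnerSupported", BASELINE):
        print(f"VIB {name}: {'; '.join(reasons)}")
    for port, world in flag_unexpected_listeners(CONNECTIONS, EXPECTED_LISTEN_PORTS):
        print(f"unexpected listener on tcp/{port} (world {world})")
```

Run it against outputs collected from the host over SSH or from a support bundle rather than on the host itself, so that the triage does not depend on a shell whose history logging the backdoor may have disabled. A hit on either check is a starting point for pulling the VIB's descriptor and payload, not a verdict on its own.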

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) | Attack Pattern | VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | 1 |
| Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) | Attack Pattern | VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | 1 |
| Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | 1 |
| Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | 1 |
| Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) | Attack Pattern | VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | 1 |
| Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) | Attack Pattern | VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | 1 |
| Prevent Command History Logging - T1690 (b831f51c-d22f-4724-bbab-60d056bd1150) | Attack Pattern | VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | 1 |
| ESXi Administration Command - T1675 (31e5011f-090e-45be-9bb6-17a1c5e8219b) | Attack Pattern | VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | 1 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | 1 |
| Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) | Attack Pattern | VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | 1 |
| Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | 1 |
| Virtual Machine Discovery - T1673 (6bc7f9aa-b91f-4b23-84b8-5e756eba68eb) | Attack Pattern | VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | 1 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | 2 |
| Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 2 |