
VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)

VIRTUALPITA is a passive backdoor with ESXi and Linux vCenter variants capable of command execution, file transfer, and starting and stopping processes. VIRTUALPITA has been in use since at least 2022, including by UNC3886, who leveraged malicious vSphere Installation Bundles (VIBs) to install it on ESXi hypervisors. (Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) | Attack Pattern | 1 |
| VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) | Attack Pattern | 1 |
| VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | ESXi Administration Command - T1675 (31e5011f-090e-45be-9bb6-17a1c5e8219b) | Attack Pattern | 1 |
| VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 1 |
| VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 1 |
| VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) | Attack Pattern | 1 |
| VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) | Attack Pattern | 1 |
| VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | Virtual Machine Discovery - T1673 (6bc7f9aa-b91f-4b23-84b8-5e756eba68eb) | Attack Pattern | 1 |
| VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | 1 |
| VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) | Attack Pattern | 1 |
| VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c) | Malware | Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) | Attack Pattern | 1 |
| Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 2 |
| Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) | Attack Pattern | 2 |
| Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |