1. Home
  2. Techniques
  3. Enterprise
  4. Server Software Component
  5. vSphere Installation Bundles

Server Software Component: vSphere Installation Bundles

ID Name
T1505.001 SQL Stored Procedures
T1505.002 Transport Agent
T1505.003 Web Shell
T1505.004 IIS Components
T1505.005 Terminal Services DLL
T1505.006 vSphere Installation Bundles

Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management in VMware environments. Since ESXi uses an in-memory filesystem where changes made to most files are stored in RAM rather than in persistent storage, these modifications are lost after a reboot. However, VIBs can be used to create startup tasks, apply custom firewall rules, or deploy binaries that persist across reboots. Typically, administrators use VIBs for updates and system maintenance.

VIBs can be broken down into three components:[1]

  • VIB payload: a .vgz archive containing the directories and files to be created and executed on boot when the VIBs are loaded.
  • Signature file: verifies the host acceptance level of a VIB, indicating what testing and validation has been done by VMware or its partners before publication of a VIB. By default, ESXi hosts require a minimum acceptance level of PartnerSupported for VIB installation, meaning the VIB is published by a trusted VMware partner. However, privileged users can change the default acceptance level using the esxcli command line interface. Additionally, VIBs are able to be installed regardless of acceptance level by using the esxcli software vib install --force command.
  • XML descriptor file: a configuration file containing associated VIB metadata, such as the name of the VIB and its dependencies.

Adversaries may leverage malicious VIB packages to maintain persistent access to ESXi hypervisors, allowing system changes to be executed upon each bootup of ESXi – such as using esxcli to enable firewall rules for backdoor traffic, creating listeners on hard coded ports, and executing backdoors.[2] Adversaries may also masquerade their malicious VIB files as PartnerSupported by modifying the XML descriptor file.[2]

ID: T1505.006
Sub-technique of:  T1505
Tactic: Persistence
Platforms: ESXi
Contributors: Janantha Marasinghe
Version: 1.0
Created: 27 March 2025
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
G1048 UNC3886

UNC3886 has used vSphere Installation Bundles (VIBs) to install malware and establish persistence across ESXi hypervisors.[2][3][4]
S1218 VIRTUALPIE

VIRTUALPIE has been installed on VMware ESXi servers through malicious vSphere Installation Bundles (VIBs).[2]

Mitigations

ID Mitigation Description
M1047 Audit

Periodically audit ESXi hosts to ensure that only approved VIBs are installed. The command esxcli software vib list lists installed VIBs, while the command esxcli software vib signature verify verifies the signatures of installed VIBs.[2]
M1046 Boot Integrity

Enabling secure boot allows ESXi to validate software and drivers during initial system boot.[5]
M1045 Code Signing

Enabling the execInstalledOnly feature prevents unsigned binaries from being run on ESXi hosts.[5]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0535 Detect Abuse of vSphere Installation Bundles (VIBs) for Persistent Access AN1475

Malicious VIB installation for persistence via esxcli software vib install using --force or --no-sig-check, enabling custom startup scripts or firewall rules. Behavior chain: (1) unsigned/suspicious VIB installation → (2) startup script or binary placed in persistent boot path → (3) persistence across reboot via /etc/rc.local.d or other boot hook).

References

  1. Kyle Gleed. (2011, September 13). What's in a VIB?. Retrieved March 27, 2025.
  2. Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.
  3. Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.
  1. Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.
  2. Alex Marvi, Greg Blaum, and Ron Craft. (2023, June 28). Detection, Containment, and Hardening Opportunities for Privileged Guest Operations, Anomalous Behavior, and VMCI Backdoors on Compromised VMware Hosts. Retrieved March 26, 2025.