Apologies if this is in the wrong section.
I have a Dell PowerEdge T130 I bought specifically to run multiple VMs on ESXi, specifically pfSense and FreeNAS, plus any other OS that I need to install in the future. The purpose of this is to have one machine act as a router (pfSense), NAS (FreeNAS), etc. This was connected to a Netgear Nighthawk R7000 flashed to DD-WRT and was essentially a subnet for all my devices. I enabled Promiscuous Mode to allow the manual installation/configuration of FreeNAS jails (manually assigning local IPs).

This setup worked fine for several months when suddenly I started having internet connection issues. I discovered the culprit is utopia.net starting up as a process in ESXi. I'm not sure how it became a startup process, but I reinstalled a fresh copy of ESXi on a new flash drive and reinstalled the VMs from scratch. The only stuff that persisted from the previous installation was my ESXi activation code and the FreeNAS dataset. After completing the new setup, the utopia.net malware was present immediately.

At this point, I have the following theories as to how utopia.net survived a new installation:
- it's embedded in BIOS
- it's in the FreeNAS dataset
- Netgear Nighthawk router
- activation code??
The PowerEdge T130 has the following specifications:
- Intel Xeon processor E3-1200
- 4x4TB WD Red
- StarTech 4 Port PCI Express 2.0 SATA III 6Gbps RAID Controller Card with HyperDuo SSD Tiering (PPEXSAT34RH)
- 16x2 DDR4 ECC (Crucial CT16G4WFD824A 16Gb Ddr4 2400 Mt/S Pc4-2400 Dimm 288Pin Dr X8 Ecc Unbuff Cl17)

VMs running on it:
- pfSense VM
- FreeNAS VM
- Linux Mint VM
- Windows 7 VM
- OpenVPN OVA
I can't think of anything else that would cause the malware to persist like this, so I am seeking out the knowledge/advice of others.