430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

APT

China-linked APT Deep Panda employs new Fire Chili Windows rootkit

The China-linked hacking group Deep Panda is targeting VMware Horizon servers with the Log4Shell exploit to install a new Fire Chili rootkit. Researchers from Fortinet have observed the Chinese APT group Deep Panda exploiting a Log4Shell exploit to compromise VMware Horizon servers and deploy previously undetected Fire Chili rootkit. The experts observed opportunistic attacks against organizations […]

deep panda fire chill rootkit

The China-linked hacking group Deep Panda is targeting VMware Horizon servers with the Log4Shell exploit to install a new Fire Chili rootkit.

Researchers from Fortinet have observed the Chinese APT group Deep Panda exploiting a Log4Shell exploit to compromise VMware Horizon servers and deploy previously undetected Fire Chili rootkit.

deep panda fire chill rootkit

The experts observed opportunistic attacks against organizations in several countries and various sectors. The targeted organizations operate in the financial, academic, cosmetics, and travel industries.

The kernel rootkit employed by the threat actors is signed with a stolen digital certificate, which is the same certificate used by the Winnti cyberespionage group.

“As part of our research, we have collected four driver samples — two pairs of 32-bit and 64-bit samples. One pair was compiled in early August 2017 and the second pair was compiled ten days later.” reads the analysis published by Fortinet. “All four driver samples are digitally signed with stolen certificates from game development companies, either the US-based Frostburn Studios or the Korean 433CCR Company (433씨씨알 주식회사).”

The Fire Chili rootkit performs basic system tests to ensure it’s not running on a simulated environment and checks that the kernel structures and objects to be abused during operation are present.

Upon launching the rootkit, it performs some checks to avoid running in a virtualized environment and uses Direct Kernel Object Modification (DKOM) for its operations. For this reason, the rootkit relies on specific OS builds as otherwise it may cause the infected machine to crash. The latest supported build is Windows 10 Creators Update (Redstone 2), which was released in April 2017.

The malware uses IOCTLs (input/output control system calls) to hide the driver’s registry key, the loader and backdoor files, and the loader process.

“The purpose of the driver is to hide and protect malicious artifacts from user-mode components. This includes four aspects: files, processes, registry keys and network connections. The driver has four global lists, one for each aspect, that contain the artifacts to hide.” continues the report. “The driver’s IOCTLs allow dynamic configuration of the lists through its control device \Device\crtsys. As such, the dropper uses these IOCTLs to hide the driver’s registry key, the loader and backdoor files, and the loader process.”

The rootkit implements a filesystem minifilter using code based on Microsoft’s official driver code samples and uses two mechanisms to preventing process termination and hide process respectively.

The malware uses a code based on an open-source project published by a Chinese developer to hide registry keys from users using Microsoft’s Registry Editor.

The Fire Chili rootkit is also able of hiding TCP connections from tools such as netstat borrowing code for this feature from another open-source project.

The group “Deep Panda” is a well-known APT that during the past years has targeted defense, financial and other industries in the US. The group employed many zero-day exploits to spread different malware, including the popular Poison Ivy.

“we introduced the previously unknown Fire Chili rootkit and two compromised digital signatures, one of which we also directly linked to Winnti. Although both Deep Panda and Winnti are known to use rootkits as part of their toolset, Fire Chili is a novel strain with a unique code base different from the ones previously affiliated with the groups.” concludes the report. “The reason these tools are linked to two different groups is unclear at this time. It’s possible that the groups’ developers shared resources, such as stolen certificates and C2 infrastructure, with each other. This may explain why the samples were only signed several hours after being compiled.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Deep Panda)

[adrotate banner=”5″]

[adrotate banner=”13″]