2022-04-05

Deep Panda & Fire Chili Rootkits

Level: 
Tactical
  |  Source: 
Fortinet
Academic
Financial
Share:

Deep Panda & Fire Chili Rootkits

Industry: Academic, Cosmetic, Financial, Travel | Level: Tactical | Source: Fortinet

Chinese APT group, Deep Panda has been identified by researchers at FortiGuard Labs to be exploiting the Log4Shell vulnerability utilizing a new digitally signed rootkit dubbed Fire Chili. The certificates are stolen from game development companies Frostburn Studios and Korean 433CCR Company. The attack chain begins with a Log4Shell exploit on a vulnerable VMWare Horizon server that spawns an encoded PowerShell command to download and execute scripts, completing with a malicious DLL file being installed. Persistence is achieved by creating a service and registry entry. The Fire Chili rootkit has currently been scoring low based on VirusTotal review.

  • Anvilogic Scenario: Deep Panda - Fire Chili Threat Campaign - Initial Attack Stage
  • Anvilogic Use Cases:
  • Potential CVE-2021-44228 - Log4Shell
  • Encoded Powershell Command
  • Executable File Written to Disk
  • Download exe|msi|bat Proxy
  • Executable Create Script Process
  • Rare remote thread
  • Windows Service Created
  • Suspicious Registry Key Created

Chat with our team to receive a free maturity assessment

Get in Touch