Deep Panda & Fire Chili Rootkits

Industry: Academic, Cosmetic, Financial, Travel | Level: Tactical | Source: Fortinet

Chinese APT group, Deep Panda has been identified by researchers at FortiGuard Labs to be exploiting the Log4Shell vulnerability utilizing a new digitally signed rootkit dubbed Fire Chili. The certificates are stolen from game development companies Frostburn Studios and Korean 433CCR Company. The attack chain begins with a Log4Shell exploit on a vulnerable VMWare Horizon server that spawns an encoded PowerShell command to download and execute scripts, completing with a malicious DLL file being installed. Persistence is achieved by creating a service and registry entry. The Fire Chili rootkit has currently been scoring low based on VirusTotal review.

• Anvilogic Scenario: Deep Panda - Fire Chili Threat Campaign - Initial Attack Stage
• Anvilogic Use Cases:
• Potential CVE-2021-44228 - Log4Shell
• Encoded Powershell Command
• Executable File Written to Disk
• Download exe|msi|bat Proxy
• Executable Create Script Process
• Rare remote thread
• Windows Service Created
• Suspicious Registry Key Created