Deep Panda launched new attacks this month that leverage Log4Shell to deploy the new Fire Chili rootkit.
Deep Panda is a Chinese Advanced Persistent Threat (APT) hacking group that has been active for at least a decade. The APT targets government, defense, healthcare, telecommunications and financial organizations, to name a few, for purposes such as data theft and surveillance.
The group has a wide range of malicious tools at its disposal, including the Milestone backdoor and the Infoadmin remote access Trojan (RAT), which is based on the Gh0st RAT code. There may also be an affiliation with Winnti, a separate Chinese group known for targeting game developers and providers.
A new campaign detected by FortiGuard Labs researchers is the work of Deep Panda; the campaign targets organizations in the finance, travel and cosmetics industries.
Over the past month, FortiGuard has observed the group actively exploiting Log4Shell, a critical vulnerability in the Apache Log4j Java logging library (CVE-2021-44228, CVSS 10.0), to deploy a new rootkit.
Attackers from various groups use Log4Shell to compromise VMware Horizon servers for data exfiltration and cryptojacking.
In the case of Deep Panda, the new rootkit, dubbed Fire Chili, is designed to keep activities under the radar and is deployed alongside the Milestone backdoor.
Fire Chili has been signed with a stolen digital certificate – the same one used by Winnti to approve malicious tools – and will check to make sure the victim machine is not running in safe mode.
“It then checks the operating system version,” the researchers explain. “The rootkit uses Direct Kernel Object Modification (DKOM), which involves undocumented kernel structures and objects, for its operations. For this reason, it relies on specific operating system versions; otherwise it may block the infected machine.”
The latest supported version is Windows 10 Creators Update (Redstone 2).
The rootkit's drivers are used to hide malicious objects from security software. The rootkit also alters the registry to prevent malicious processes from being terminated, and it registers a callback to conceal newly created processes from utilities including Task Manager.
The researchers collected samples from four drivers, both 32-bit and 64-bit, compiled in 2017. The samples were signed with stolen certificates issued by American and Korean game companies.
Additionally, the malware can hide registry keys and TCP network connections.
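Because the drivers described above were signed with stolen code-signing certificates, a useful defender-side triage step is to inventory the running kernel drivers on a Windows host and flag any whose Authenticode signature is missing, invalid, or issued to a signer outside an allow-list. The script below is an added example, not code from the FortiGuard report; the signer allow-list is a placeholder that an organization would replace with its own.

```powershell
# Added example (not from the FortiGuard report). Lists running kernel drivers whose
# signature is not valid or whose signer is not on the allow-list below.
# The allow-list entries are placeholders; tune them to the environment.
$trustedSigners = @('Microsoft Windows', 'Microsoft Windows Hardware Compatibility Publisher')

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

foreach ($drv in $drivers) {
    # PathName may be quoted or carry \??\, \SystemRoot\ or bare system32\ prefixes;
    # normalize it to an ordinary file-system path before checking the signature.
    $path = $drv.PathName.Trim('"')
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = $path -replace '^system32\\', "$env:SystemRoot\System32\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig     = Get-AuthenticodeSignature -LiteralPath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    $trusted = $false
    foreach ($t in $trustedSigners) {
        if ($subject -like "*$t*") { $trusted = $true }
    }

    # Emit one record per driver that fails either the validity or the allow-list test.
    if ($sig.Status -ne 'Valid' -or -not $trusted) {
        [pscustomobject]@{
            Driver   = $drv.Name
            Path     = $path
            Status   = $sig.Status
            Signer   = $subject
            NotAfter = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        }
    }
}
```

Because the rootkit hides registry keys and does not run in safe mode, the enumeration is more trustworthy when taken from a safe-mode boot or an offline disk image than from the live system; a driver signed by an unexpected publisher is a triage lead, not proof of compromise.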
The Milestone backdoor is then installed on the target machine for ongoing data theft and persistence. The researchers also discovered a dropper containing a Milestone loader.
“Although Deep Panda and Winnti are known to use rootkits as part of their toolset, Fire Chili is a new strain with a unique code base different from those previously affiliated with the groups,” FortiGuard says. “Why these tools are tied to two different groups is unclear at this time. It’s possible that the groups’ developers shared resources, such as stolen certificates and C2 infrastructure, between them.”
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or more at Keybase: charlie0