Fire Chili Rootkit: Deep Panda APT Resurfaces With New Log4Shell Exploits

Fire Chili is a novel strain of malware that has been leveraged by the Chinese APT group Deep Panda, which is exploiting the Log4Shell vulnerability in VMware Horizon servers. The adversaries' primary focus is cyber espionage. Targeted organizations include financial institutions and the academic, travel, and cosmetics industries. Log4Shell is associated with the high-severity CVE-2021-44228 vulnerability in the Log4j Java library, along with large-scale exploitation of Fortinet FortiOS (CVE-2018-13379).

Researchers found stolen digital certificates from Frostburn Studios which enabled security software evasion and the deployment of a backdoor. Below are the latest Sigma-based rules released in the SOC Prime Platform to detect the new malicious activity of the Deep Panda hacking collective.

Rootkit Named Fire Chili: How to Detect

This rule, created by our Threat Bounty developer Kyaw Pyiyt Htet, detects the service creation of Deep Panda’s Fire Chili rootkits.

Possible Deep Panda Persistence by Detection of Malicious Service Creation (via system)

The rule is aligned with the latest MITRE ATT&CK® framework v.10 addressing the Create or Modify System Process (T1543) technique.
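The rule above keys on service creation recorded in the System log. As an added example (not the SOC Prime rule and not code from the article), the sketch below reviews Service Control Manager event 7045 for newly installed kernel-mode driver services, which is where a driver registered through the Service Control Manager would appear. The events are constructed, the watchlist entry is a placeholder, and the Windows directory is assumed to be `\Windows`.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Placeholder: fill from your own threat intel; the article lists no service names.
WATCHLIST = {"<service-name-from-intel>"}
# Assumption: Windows is installed in \Windows.
DRIVER_DIR = r"\windows\system32\drivers" + "\\"

def normalize(image_path):
    """Reduce common ImagePath spellings to a lowercase \\windows\\... form."""
    p = image_path.strip().strip('"').lower()
    p = re.sub(r"^\\\?\?\\", "", p)   # NT object prefix \??\
    p = re.sub(r"^[a-z]:", "", p)     # drive letter
    p = re.sub(r"^(\\systemroot|%systemroot%)", r"\\windows", p)
    if p.startswith("system32\\"):    # relative form some drivers register
        p = "\\windows\\" + p
    return p

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from one event in Windows Event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def findings(xml_text):
    """Reasons a 7045 kernel-driver install deserves review; [] if none."""
    event_id, d = parse_event(xml_text)
    if event_id != 7045 or d.get("ServiceType", "").lower() != "kernel mode driver":
        return []
    reasons = []
    path = normalize(d.get("ImagePath", ""))
    # ".." catches paths that start in the drivers directory and climb out of it.
    if ".." in path or not path.startswith(DRIVER_DIR):
        reasons.append("image outside drivers directory")
    if d.get("ServiceName", "").lower() in WATCHLIST:
        reasons.append("service name on watchlist")
    return reasons

def make_event(name, path, stype):
    """Build a constructed 7045 event (sample data, not real telemetry)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>7045</EventID></System>'
            f'<EventData><Data Name="ServiceName">{name}</Data>'
            f'<Data Name="ImagePath">{path}</Data>'
            f'<Data Name="ServiceType">{stype}</Data></EventData></Event>')
```

Call `findings()` on each exported System-log event. Legitimate products that load drivers from their own directories will also match, so baseline them before alerting.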

Another rule suggested by Kyaw Pyiyt Htet detects the file creation and registry creation of Deep Panda’s Fire Chili rootkit, addressing the MITRE ATT&CK® Boot or Logon Autostart Execution (T1547) technique.

Suspicious Deep Panda ‘Fire Chili Rootkit’ Activity (via Sysmon)

Discover more of the relevant content items addressing Deep Panda’s attacks in SOC Prime’s Detection as Code platform. If you are a detection content developer and want to make your own contribution, you are welcome to join our crowdsourcing initiative, which brings continuous rewards and recognition for security professionals.


A Previously Unknown Fire Chili Rootkit Analysis

The attack chain is driven by Log4Shell exploitation of vulnerable VMware Horizon servers and is built to deploy the new Fire Chili rootkit. A new PowerShell process loads and executes a chain of scripts that ends with a DLL installation. An additional combination of BAT and EXE files deletes previous forensic evidence from the disk of the victim’s machine.

Researchers have found many similarities between the Fire Chili backdoor and Gh0st RAT; however, there are some important differences as well. For instance, Fire Chili maintains uncompressed communication with the C&C server, unlike the zlib-compressed communication observed in similar malware variants. A new command was also added to Fire Chili that informs the C&C server about current sessions on an infected machine. Some differences have also been identified in CMD commands, which are hidden to evade detection software that scans for CMD executions.

A previously undetected Fire Chili rootkit is also associated with the activity of another Chinese-backed hacking collective besides Deep Panda. This new strain of malware has a unique code base that differs from rootkits that were used by both these groups in previous attacks. It is possible that these two groups share the same C2 infrastructure and compromised certificates.

To streamline the detection of emerging and unknown threats, SOC teams can leverage the power of the collaborative cyber defense approach suggested by SOC Prime’s Detection as Code platform. Thousands of curated content items are being shared on a continuous basis by the world’s prominent security engineers making threat detection easier, faster, and more efficient.
