Deep Panda Hacking Group Is Targeting VMware Horizon Servers
The Threat Actors Are Trying to Install an Unique Rootkit Known as ‘Fire Chili’.
In addition to the government, military, banking, and telecommunications sectors, Deep Panda is a suspected Chinese threat organization that has been known to target a wide range of businesses.
Deep Panda is being held responsible for the infiltration into Anthem, a healthcare corporation. Shell Crew, WebMasters, KungFu Kittens, and PinkPanther are some of the other names for this organization.
Based on the attribution of both group names to the Anthem intrusion, Deep Panda seems to be known as Black Vine as well as Deep Panda. Some researchers believe Deep Panda and APT19 are the same organization, however, it is unclear based on publicly available evidence if the two groups are related.
Deep Panda, a Chinese hacker gang, is targeting VMware Horizon servers with the Log4Shell vulnerability in order to install a unique rootkit known as ‘Fire Chili,’ according to security researchers.
Because the rootkit is digitally certified with a certificate from Frostburn Studios (a game developer) or Comodo (a security software company), it will not be detected by antivirus software.
Fortinet recently discovered that the hacker gang Deep Panda is installing the new “Fire Chili” rootkit in order to prevent detection on infected computers.
During the past month, FortiEDR detected a campaign by Deep Panda, a Chinese APT group. The group exploited the infamous Log4Shell vulnerability in VMware Horizon servers. The nature of targeting was opportunistic insofar that multiple infections in several countries and various sectors occurred on the same dates. The victims belong to the financial, academic, cosmetics, and travel industries.
Following exploitation, Deep Panda deployed a backdoor on the infected machines. Following forensic leads from the backdoor led us to discover a novel kernel rootkit signed with a stolen digital certificate. We found that the same certificate was also used by another Chinese APT group, named Winnti, to sign some of their tools.
In this blog, we share our analysis of the flow of infection, the backdoor, and new rootkit, along with our attribution of this campaign to these Chinese nation-state threat actors.
A rootkit is malware that is often deployed as a driver that hooks several Windows APIs in order to conceal the existence of other files and configuration settings in the operating system. Rootkits are particularly dangerous because they may compromise the security of a computer system. Using hooks into Windows programming functions, for example, a rootkit may filter data so that harmful file names, processes, and Registry keys APIs are not shown to Windows applications that are seeking the information.
A legitimate digital certificate is used to sign the rootkit, which allows it to avoid detection by security tools and load into Windows without displaying any warnings.
As soon as ‘Fire Chili’ is launched, it conducts a series of fundamental system tests to verify that it is not executing in a simulated environment and that the kernel structures and objects that will be exploited during operation are available.
As BleepingComputer reports, according to Fortinet, the most current supported operating system version for ‘Fire Chili’ is the Windows 10 Creators Update.
In order to keep harmful network connections and file activities concealed from the user and any security software that may be operating on the compromised system, the rootkit creates registry keys and performs file operations on the infected machine.
This function is performed by the malware via the use of IOCTLs (input/output control system calls), which are pre-populated with harmful artifacts and could be dynamically reconfigured by the virus.