Researchers have observed the Chinese-speaking threat group known as Deep Panda targeting VMware Horizon servers through the critical Log4Shell vulnerability. According to their reports, Deep Panda's attacks deploy a novel malicious rootkit that the researchers have dubbed Fire Chili.
According to the researchers, use of the Fire Chili rootkit is relatively new to the group's campaigns. Moreover, the threat actors digitally sign the rootkit with certificates stolen from two undisclosed studios in order to evade detection.
The objective of these Deep Panda campaigns appears to be cyberespionage or supply chain disruption, with the group stealing sensitive information from its targets.
Deep Panda's use of the Fire Chili rootkit further reinforces the researchers' assessment that the group aims to disrupt government operations.
The Fire Chili rootkit helps the Deep Panda threat group conceal registry key additions, processes and file operations. The rootkit also hides network connections from users and from the security software running on the compromised devices.
Upon launching, Fire Chili performs several standard checks to confirm that it is not running in a simulated environment, so that it can evade analysis by security researchers. These preliminary checks also prepare the rootkit to manipulate kernel objects and structures once the actual attack begins.
On the brighter side, the only operating system version the Fire Chili rootkit supports is the Windows 10 Creators Update, which Microsoft released in April 2017. The rootkit is controlled through dynamically configurable input/output control (IOCTL) calls.
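The two facts above, a kernel driver carrying a valid signature from a stolen non-Microsoft certificate and a hard dependency on one Windows 10 build, are both checkable from the defender's side. The PowerShell triage script below is an added example written for this article; it is not code from the original report or from the researchers who analysed Fire Chili. It enumerates the running kernel drivers, verifies each driver file's Authenticode signature, flags drivers whose signature is invalid or whose signer is not Microsoft, and reports whether the host is on the Creators Update build (10.0.15063, which is the build number for Windows 10 version 1703). The trusted-signer pattern and the build constant are this script's own assumptions and should be tuned to your environment.

```powershell
# Added defender triage script (not from the original article or its researchers).
# Assumptions: the baseline treats only Microsoft-signed drivers as expected, and
# build 15063 is used as the Windows 10 Creators Update (version 1703) marker.
$TrustedSignerPattern = 'Microsoft (Windows|Corporation)'   # assumption: in-house baseline
$CreatorsUpdateBuild  = 15063                               # Windows 10 version 1703

function Resolve-DriverPath {
    param([string]$RawPath)
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    # Win32_SystemDriver.PathName may use NT-style prefixes; map them to Win32 paths.
    return ($RawPath -replace '^\\\?\?\\', '' `
                     -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                     -replace '^system32\\', "$env:SystemRoot\system32\")
}

# Inventory every running kernel driver and check its signature and signer.
$results = foreach ($drv in (Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' })) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        # A driver whose file cannot be found deserves manual review.
        [pscustomobject]@{ Name = $drv.Name; Path = $drv.PathName; Status = 'FileNotFound'; Signer = $null; Flag = 'REVIEW' }
        continue
    }
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $flag   = if ($sig.Status -ne 'Valid') { 'INVALID-SIGNATURE' }
              elseif ($signer -notmatch $TrustedSignerPattern) { 'NON-MICROSOFT-SIGNER' }
              else { 'ok' }
    [pscustomobject]@{ Name = $drv.Name; Path = $path; Status = $sig.Status; Signer = $signer; Flag = $flag }
}

# Report the OS build so analysts know whether this host matches the rootkit's only supported version.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$onCreatorsUpdate = ([int]$os.BuildNumber -eq $CreatorsUpdateBuild)
Write-Host ("OS build {0} (Windows 10 Creators Update: {1})" -f $os.BuildNumber, $onCreatorsUpdate)

# Print only the drivers that need a second look, worst category first.
$results | Where-Object { $_.Flag -ne 'ok' } | Sort-Object Flag, Name | Format-Table -AutoSize
```

Run it in an elevated PowerShell session. Two caveats matter when reading the output. First, a driver signed with a stolen certificate will show `Status = Valid` and a non-Microsoft signer, so the value of the script is the list of signer subjects it produces: compare those against your hardware and software inventory and against certificate revocation data rather than treating `Valid` as a clean bill of health, and expect legitimate third-party drivers to appear in the same list. Second, a rootkit that hides kernel objects from user-mode APIs may also hide its own driver from `Win32_SystemDriver`, so an empty report on a suspect host is not proof of absence; for a host under investigation, complement this live check with an offline examination of the driver files and a memory image.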
Some researchers have claimed that the group's recent attacks are linked to another threat group, since some of the methods used overlap with those of the Winnti threat group. Winnti is a China-based threat group notorious for abusing digitally signed certificates.
The Deep Panda group has been highly active in recent months, and it now even uses a Windows-based rootkit such as Fire Chili. The rootkit is a threat to many users because it is built on a unique code base, unlike the tools previously associated with the group. This suggests that its developers are working to upgrade their capabilities.