Researchers from Fortinet have observed the Chinese APT group Deep Panda exploiting the Log4Shell vulnerability to compromise VMware Horizon servers and deploy a previously undetected rootkit tracked as Fire Chili.
The experts observed opportunistic attacks against organizations in several countries and various sectors. The targeted organizations operate in the financial, academic, cosmetics, and travel industries.
The kernel rootkit employed by the threat actors is signed with a stolen digital certificate, which is the same certificate used by the Winnti cyberespionage group.
“As part of our research, we have collected four driver samples — two pairs of 32-bit and 64-bit samples. One pair was compiled in early August 2017 and the second pair was compiled ten days later.” reads the analysis published by Fortinet. “All four driver samples are digitally signed with stolen certificates from game development companies, either the US-based Frostburn Studios or the Korean 433CCR Company (433씨씨알 주식회사).”
The Fire Chili rootkit performs basic system checks to ensure it is not running in a simulated environment and that the kernel structures and objects it abuses during operation are present.
Upon launch, the rootkit checks that it is not running in a virtualized environment and relies on Direct Kernel Object Modification (DKOM) for its operations. Because DKOM depends on the layout of undocumented kernel structures, the rootkit only supports specific OS builds; on other builds it may crash the infected machine. The latest supported build is Windows 10 Creators Update (Redstone 2), released in April 2017.
The malware uses IOCTLs (input/output control system calls) to hide the driver’s registry key, the loader and backdoor files, and the loader process.
“The purpose of the driver is to hide and protect malicious artifacts from user-mode components. This includes four aspects: files, processes, registry keys and network connections. The driver has four global lists, one for each aspect, that contain the artifacts to hide.” continues the report. “The driver’s IOCTLs allow dynamic configuration of the lists through its control device \Device\crtsys. As such, the dropper uses these IOCTLs to hide the driver’s registry key, the loader and backdoor files, and the loader process.”
The rootkit implements a filesystem minifilter based on Microsoft’s official driver code samples, and uses two separate mechanisms to prevent process termination and to hide processes.
The malware uses code based on an open-source project published by a Chinese developer to hide registry keys from users of Microsoft’s Registry Editor.
The Fire Chili rootkit is also able to hide TCP connections from tools such as netstat, borrowing the code for this feature from another open-source project.
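A defender-side hunt for the two indicators the report describes above, the stolen certificates of the named game companies and the \Device\crtsys control device, added here as an example and not code from Fortinet or this article. It assumes the control device is reachable from user mode as \\.\crtsys (the report does not give the symbolic-link name) and that it runs from an elevated PowerShell session.

```powershell
# Added example (not from the Fortinet report or this article): hunt for the
# Fire Chili indicators on a Windows host. Assumption: \Device\crtsys is exposed
# to user mode as \\.\crtsys; the report only names the device object.

$SuspiciousSigners = @('Frostburn Studios', '433CCR')   # certificate owners named in the report

function Find-SuspiciousDriverSigners {
    # Walk every registered kernel driver and match its Authenticode signer
    # against the stolen-certificate owners. A stolen certificate usually
    # still verifies as 'Valid' until it is revoked, so never filter on Status alone.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object PathName |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig     = Get-AuthenticodeSignature -FilePath $path
            $subject = $sig.SignerCertificate.Subject
            if ($subject -and ($SuspiciousSigners | Where-Object { $subject -like "*$_*" })) {
                [pscustomobject]@{
                    Driver = $_.Name; Path = $path; Signer = $subject
                    SigStatus = $sig.Status; Started = $_.Started
                }
            }
        }
}

function Test-ControlDevice {
    param([string]$DevicePath = '\\.\crtsys')   # assumed user-mode name of \Device\crtsys
    # The rootkit hides its registry key and files, but the dropper still needs the
    # control device for its IOCTLs, so trying to open it is a cheap presence check.
    # CreateFileW failing with ERROR_FILE_NOT_FOUND (2) means no such device;
    # any other outcome (a handle, ERROR_ACCESS_DENIED, ...) means something answers.
    if (-not ('Hunt.Native' -as [type])) {
        Add-Type -Namespace Hunt -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
    string name, uint access, uint share, IntPtr sa, uint disposition, uint flags, IntPtr template);
'@
    }
    $h   = [Hunt.Native]::CreateFileW($DevicePath, 0, 0, [IntPtr]::Zero, 3, 0, [IntPtr]::Zero)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if (-not $h.IsInvalid) { $h.Dispose(); return $true }
    return ($err -ne 2)
}

Find-SuspiciousDriverSigners | Format-Table -AutoSize
"Control device \\.\crtsys present: $(Test-ControlDevice)"
```

A hit on either check is a lead, not a verdict: confirm with a memory image or an offline scan of the disk, since a DKOM rootkit can lie to any tool running on the live system.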
The group “Deep Panda” is a well-known APT that over the past years has targeted the defense, financial, and other industries in the US. The group has used many zero-day exploits to distribute different malware families, including the popular Poison Ivy.
“we introduced the previously unknown Fire Chili rootkit and two compromised digital signatures, one of which we also directly linked to Winnti. Although both Deep Panda and Winnti are known to use rootkits as part of their toolset, Fire Chili is a novel strain with a unique code base different from the ones previously affiliated with the groups.” concludes the report. “The reason these tools are linked to two different groups is unclear at this time. It’s possible that the groups’ developers shared resources, such as stolen certificates and C2 infrastructure, with each other. This may explain why the samples were only signed several hours after being compiled.”
(SecurityAffairs – hacking, Deep Panda)