New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits

FortiEDR detected a Deep Panda operation exploiting the Log4Shell flaw in VMware Horizon servers, resulting in opportunistic infections across multiple sectors and countries. The campaign introduced a backdoor called Milestone and a novel kernel rootkit named Fire Chili, with overlaps to Winnti through stolen signing certificates. #DeepPanda #Log4Shell #VMwareHorizon #FireChiliRootkit #Milestone #Winnti #Gh0stRAT

Keypoints

  • Deep Panda conducted opportunistic Log4Shell exploitation of VMware Horizon servers, affecting victims in finance, academia, cosmetics, and travel across several countries.
  • The attack flow includes a PowerShell-based downloader that fetches and executes additional payloads, culminating in a malicious DLL.
  • A backdoor named Milestone was dropped, with variants dating to 2016 and 2017; 2017 samples are typically packed with Themida and show forged timestamps.
  • The Milestone dropper and loader implement XOR encryption and LZMA compression, and the loader patches its .data section with configuration data.
  • The Milestone backdoor is linked to Gh0st RAT lineage, sharing code modifications and commands, including session enumeration and admin execution capabilities.
  • Fire Chili is a kernel rootkit signed with stolen certificates from Frostburn Studios or 433CCR, capable of hiding files, processes, registry keys, and network connections via a DKOM-based driver.
  • Fortinet attributes some artifacts to Winnti on the basis of shared signing certificates and C2 infrastructure; protection is provided through FortiEDR and FortiGuard, with indicators shared in real time through the Cyber Threat Alliance.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The campaign exploited the Log4Shell vulnerability in VMware Horizon servers. “the group exploited the infamous Log4Shell vulnerability in VMware Horizon servers.”
  • [T1569.002] System Services: Service Execution – A service entry is created to run the dropper/backdoor. “creates a service entry directly in the registry.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – A new PowerShell process downloads and executes a chain of scripts. “spawned a new PowerShell process to download and execute a chain of scripts.”
  • [T1592] Gather Victim Host Information – The backdoor can send information about the current sessions on the system to the server. “a command that sends information about the current sessions on the system to the server.”
  • [T1082] System Information Discovery – The campaign collects sensitive information from victim machines. “Collects sensitive information from victim machines.”
  • [T1036] Masquerading – Service names/descriptions vary; multiple samples observed. “Several other service names and descriptions have been observed among different samples.”
  • [T1083] File and Directory Discovery – The rootkit hides files and filters directory listings through a minifilter driven by IOCTL requests. “Hide file” is among the IOCTL-based capabilities described for the rootkit.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – References to cmd.exe usage for execution flow. “first copy cmd.exe to dllhost.exe to avoid detection by security products that monitor CMD executions.”
  • [T1588.003] Obtain Capabilities: Code Signing Certificates – The rootkit and related components are signed with stolen certificates. “digitally signed with stolen certificates from game development companies.”
  • [T1014] Rootkit – The Fire Chili kernel driver uses DKOM to hide files, processes, registry keys, and network connections, protecting the operation’s artifacts from inspection on the live host.
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – The downloader uses DLL side-loading to load 1.dll via syn.exe. “loads its first command-line argument using LoadLibrary, in this case, 1.dll.”
  • [T1620] Reflective Code Loading – The loader reflectively loads the Milestone backdoor and calls its exports. “reflectively loads the Milestone backdoor and calls its exports.”
  • [T1113] Screen Capture – The Gh0st RAT lineage includes screen capture functionality. “screen capture functions.” (as part of Gh0st RAT modifications)

Indicators of Compromise

  • [SHA256] Backdoor – ece45c25d47ba362d542cd0427775e68396bbbd72fef39823826690b82216c69, 517c1baf108461c975e988f3e89d4e95a92a40bd1268cdac385951af791947ba
  • [SHA1] Backdoor – ab3470a45ec0185ca1f31291f69282c4a188a46e
  • [Certificate thumbprint] – 9BCD82563C72E6F72ADFF76BD8C6940C6037516A, 2A89C5FD0C23B8AF622F0E91939B486E9DB7FAEF
  • [Network] – 192.95.36[.]61 and gnisoft[.]com (and related gnisoft infrastructure used as C2)
  • [Network] – giga.gnisoft[.]com, 104.223.34[.]198, hxxp://104.223.34[.]198/111.php (C2-related domains/IPs)
  • [File name] – %APPDATA%\syn.exe, %APPDATA%\newdev.dll
  • [File name] – crtsys.sys (signed kernel driver file)
  • [File name] – winmm.dll (malicious DLL uploader referenced in Winnti context)
  • [Service name] – msupdate2, WebService, msupdate
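A host-side hunt for the persistence and driver indicators above, written here as an added example (it is not from the Fortinet report). The service names, driver file name and certificate thumbprints are the page’s own; the registry, Authenticode and loaded-driver checks are standard Windows administration and are the author’s assumption about how a defender would verify a single host.

```powershell
# Added example: hunt for the Milestone / Fire Chili indicators listed on this page.
# Service names, driver name and thumbprints are taken from the page; everything else
# is ordinary Windows administration. Run from an elevated PowerShell session.

$SuspectServices   = @('msupdate', 'msupdate2', 'WebService')   # from the page
$SuspectDriver     = 'crtsys.sys'                                # from the page
$StolenThumbprints = @(                                          # from the page
    '9BCD82563C72E6F72ADFF76BD8C6940C6037516A',
    '2A89C5FD0C23B8AF622F0E91939B486E9DB7FAEF'
)

$findings    = @()
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1. Services created directly in the registry: read the raw keys instead of relying
#    only on the Service Control Manager's view of installed services.
foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props     = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $imagePath = [string]$props.ImagePath
    if ($SuspectServices -contains $key.PSChildName) {
        $findings += "Suspect service name '$($key.PSChildName)' -> $imagePath"
    }
    if ($imagePath -match [regex]::Escape($SuspectDriver)) {
        $findings += "Service '$($key.PSChildName)' references $SuspectDriver ($imagePath)"
    }
}

# 2. Drivers on disk signed with the stolen certificates: a signature that validates
#    is not a clean bill of health, so compare the leaf thumbprint to the known-bad list.
$driverDirs = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32")
foreach ($dir in $driverDirs) {
    Get-ChildItem -Path $dir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $thumb = $sig.SignerCertificate.Thumbprint
            if ($thumb -and ($StolenThumbprints -contains $thumb.ToUpperInvariant())) {
                $findings += "Driver $($_.FullName) signed with stolen cert $thumb (status: $($sig.Status))"
            }
        }
}

# 3. Loaded kernel drivers: a file hidden on disk may still show up in the loaded list.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match [regex]::Escape($SuspectDriver) }
if ($loaded) { $findings += "$SuspectDriver is currently loaded as a kernel driver" }

if ($findings.Count -eq 0) { 'No Milestone / Fire Chili indicators found on this host.' } else { $findings }
```

Because Fire Chili hides files, processes and registry keys with DKOM, a clean result on a live host is weaker evidence than the same checks run against an offline image or memory capture.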

Read more: https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits