December 9, 2023

Deep Panda, a Chinese hacker gang, is targeting VMware Horizon servers with the Log4Shell vulnerability in order to install a novel rootkit known as Fire Chili

The rootkit is digitally signed with a certificate from Frostburn Studios or Comodo, so it is not detected by antivirus software.


Fortinet recently discovered that the hacker gang Deep Panda is installing the new “Fire Chili” rootkit in order to prevent detection on infected computers.

A legitimate digital certificate is used to sign the rootkit, which allows it to avoid detection by security tools and load into Windows without displaying any warnings.


As soon as ‘Fire Chili’ is launched, it runs a series of basic system checks to verify that it is not executing in a simulated environment and that the kernel structures and objects it will use during operation are available.

According to Fortinet, the most current supported operating system version for ‘Fire Chili’ is the Windows 10 Creators Update.

To keep malicious network connections and file activity hidden from the user and from any security software running on the compromised system, the rootkit creates registry keys and performs file operations on the infected machine.

The malware does this through IOCTLs (input/output control calls) that are pre-populated with the malicious artifacts to hide and can be dynamically reconfigured by the malware.
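Because the rootkit loads as a driver carrying a valid signature, a useful first triage step on a suspected host is to inventory registered kernel drivers and list those whose signing chain involves the publishers named above. The script below is an added example, not code from Fortinet's report or from this post; the signer name substrings are assumptions, and any hit must be compared against the certificate thumbprints in the vendor report before being treated as malicious.

```powershell
# Inventory kernel drivers and flag those whose signer or issuer matches the
# publishers named in the report (assumed substrings; adjust as needed).
# A Valid status is expected here: the whole point is that signed != safe.
$SuspectSigners = @('Frostburn', 'Comodo')

# Drivers registered with the Service Control Manager, with on-disk paths normalised
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
        [pscustomobject]@{ Name = $_.Name; State = $_.State; Path = $p }
    }

foreach ($d in $drivers) {
    if (-not (Test-Path -LiteralPath $d.Path)) { continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $d.Path
    if ($null -eq $sig.SignerCertificate) { continue }      # unsigned or not a PE

    $subject = $sig.SignerCertificate.Subject
    $issuer  = $sig.SignerCertificate.Issuer
    $hit = $SuspectSigners | Where-Object { $subject -match $_ -or $issuer -match $_ }
    if ($hit) {
        [pscustomobject]@{
            Driver     = $d.Name
            State      = $d.State
            Path       = $d.Path
            Signer     = $subject
            Issuer     = $issuer
            SigStatus  = $sig.Status
            Thumbprint = $sig.SignerCertificate.Thumbprint   # compare with the vendor report
            Sha256     = (Get-FileHash -LiteralPath $d.Path -Algorithm SHA256).Hash
        }
    }
}
```

Issuer matches on Comodo will include many legitimate drivers, so treat the output as a review list keyed on the thumbprint and SHA-256 columns rather than as a verdict.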


Deep Panda is a sophisticated Chinese threat actor targeting entities in the following sectors:

  • Military
  • Government
  • Banking
  • Telecommunications

Indicators of Compromise

