{"id":18631,"date":"2022-03-30T12:40:06","date_gmt":"2022-03-30T20:40:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/03\/30\/news-12364\/"},"modified":"2022-03-30T12:40:06","modified_gmt":"2022-03-30T20:40:06","slug":"news-12364","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/03\/30\/news-12364\/","title":{"rendered":"New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits"},"content":{"rendered":"
\n
\n
<\/div>\n<\/p><\/div>\n
\n

FortiGuard Labs<\/a>\u00a0Research<\/h2>\n

Affected Platforms: <\/b>Windows
Impacted Users: <\/b>Windows Users
Impact: <\/b>Collects sensitive information from victim machines
Severity Level:<\/b> Critical <\/p>\n

During the past month, FortiEDR detected a campaign by Deep Panda, a Chinese APT group. The group exploited the infamous Log4Shell<\/a> vulnerability in VMware Horizon servers. The nature of targeting was opportunistic insofar that multiple infections in several countries and various sectors occurred on the same dates. The victims belong to the financial, academic, cosmetics, and travel industries.<\/p>\n

Following exploitation, Deep Panda deployed a backdoor on the infected machines. Following forensic leads from the backdoor led us to discover a novel kernel rootkit signed with a stolen digital certificate. We found that the same certificate was also used by another Chinese APT group, named Winnti, to sign some of their tools.<\/p>\n

In this blog, we share our analysis of the flow of infection, the backdoor, and new rootkit, along with our attribution of this campaign to these Chinese nation-state threat actors.<\/p>\n

Chain of Attack<\/h2>\n

While examining customer alerts and telemetry, we noticed several infiltrations into victim networks that were achieved via a Log4Shell exploitation of vulnerable VMware Horizon servers. These attacks spawned a new PowerShell process to download and execute a chain of scripts that ended with the installation of a malicious DLL.\u00a0<\/p>\n<\/p><\/div>\n