The Chinese hacker group Deep Panda attacks VMware Horizon servers through the Log4Shell vulnerability and installs a new Fire Chili rootkit on them.
The rootkit is signed with a digital certificate belonging to Frostburn Studios (a video game developer) or to Comodo, which lets it evade detection by antivirus software. Analysts at the security firm Fortinet, who are tracking Deep Panda's latest activity, believe the certificates were stolen from those companies.
Deep Panda is a well-known APT group from China that has specialized in cyber espionage for many years. In the recent Deep Panda campaign discovered by Fortinet specialists, the group deploys the new Fire Chili rootkit to evade detection on a compromised system.
As a rule, rootkits are installed as drivers that hook various Windows APIs to hide the presence of other files and configuration settings from the operating system. A rootkit signed with a valid digital certificate can bypass detection by security solutions and load into Windows without triggering any security warnings.
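Because a driver signed with a stolen certificate carries a signature that is technically valid, a defender cannot rely on signature validity alone; the useful question is who signed each loaded driver and whether that publisher belongs on the machine. The following PowerShell check is an added example written for this article and is not code from Fortinet or from the Deep Panda campaign. It enumerates the drivers known to the Service Control Manager, reads each file's Authenticode signer, and reports any driver whose signer is not on an expected-publisher list; the allowlist is an assumption for illustration and should be tuned to the fleet being checked.

```powershell
# Added example: report loaded kernel drivers whose Authenticode signer is not an
# expected publisher. The allowlist below is an assumed, illustrative value.
$ExpectedSigners = @(
    'Microsoft Windows',
    'Microsoft Windows Hardware Compatibility Publisher',
    'VMware, Inc.'
)

function Resolve-DriverPath {
    param([string] $PathName)
    # Driver paths come in several shapes: \??\C:\..., \SystemRoot\System32\...,
    # a bare "System32\drivers\x.sys", or a quoted absolute path. Normalise them.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^(?i)system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UnexpectedDriverSigners {
    param([string[]] $Allow = $ExpectedSigners)

    # Win32_SystemDriver lists kernel drivers registered with the Service Control Manager.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State      # Running / Stopped
                Path   = $path
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer = $signer
            }
        } |
        Where-Object {
            # A stolen certificate still yields Status = Valid, so the decision is
            # keyed on the signer identity, not on signature validity.
            $s = $_.Signer
            -not ($Allow | Where-Object { $s -like "*CN=$_*" })
        }
}

# Usage: run from an elevated prompt; review every row, paying most attention to
# running drivers signed by publishers that have no business on a server.
Get-UnexpectedDriverSigners | Sort-Object State, Name | Format-Table -AutoSize
```

The output is a review list rather than a verdict: third-party hardware and virtualization vendors will legitimately appear, and those signers should be added to the allowlist once confirmed. A driver signed by a game studio on a VMware Horizon server, as described in this article, is exactly the kind of mismatch this listing is meant to surface.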
After starting, Fire Chili performs basic checks of the system to make sure it is not running in a virtual machine, and inspects the kernel structures and objects that it will later use in its operation.
According to Fortinet, the most recent OS version supported by Fire Chili is Windows 10 Creators Update, which was released in 2017.