Over the last month, the Deep Panda Chinese APT group has been exploiting the Log4j flaw in order to deploy a backdoor and leverage a novel rootkit on infected machines, with the end goal of collecting sensitive data.
Upon further investigation into the campaign, researchers uncovered what they called the "Fire Chili" kernel rootkit, which was digitally signed with stolen certificates from game development companies. The use of the rootkit is new for the espionage group, which has been around since 2011.
“The nature of targeting was opportunistic insofar as multiple infections in several countries and various sectors occurred on the same dates,” said Rotem Sde-Or and Eliran Voronovitch, researchers with Fortinet’s FortiGuard Labs, in an analysis this week. “The victims belong to the financial, academic, cosmetics, and travel industries.”
The attackers gained initial access by exploiting the Log4j flaw on vulnerable VMware Horizon servers, which has been a common exploitation avenue for threat actors in recent months. A recent analysis from Sophos, for instance, highlighted a slew of attacks against vulnerable Horizon servers that have been ongoing since January and that threat actors have used to deploy cryptocurrency mining malware or to install backdoors.
The latter was the case in the Deep Panda attacks, which after exploitation downloaded a backdoor that researchers call “Milestone.” Sde-Or said the backdoor has been used in attacks since 2013, though this is the first time it has been publicly linked to intrusions leveraging Log4Shell. The backdoor's code is based on the leaked source code of Gh0st RAT (a remote access trojan used by multiple threat actors to target Windows victims) and has similar capabilities overall, although researchers noted a few significant differences.
“Its C2 communication is uncompressed, unlike Gh0st RAT communication which is zlib-compressed,” said researchers. “There are differences in commands as well. For example, in the CMD command, some variants first copy cmd.exe to dllhost.exe to avoid detection by security products that monitor CMD executions. Additionally, the backdoor supports a command that sends information about the current sessions on the system to the server. This command does not exist in the original Gh0st RAT source code.”
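The cmd.exe-to-dllhost.exe copy described above is a masquerading trick that defeats monitoring keyed on the process name alone. The following Python is an added example (not code from the Fortinet analysis or from the malware) of how a defender can catch it: it compares the hash of each dllhost.exe image with the hash of the genuine cmd.exe and applies two further heuristics (image outside the system directories, and absence of the /Processid: argument that a genuine COM Surrogate launch carries). The file contents, process list and GUID are all constructed stand-ins; a real implementation would read the image files from disk.

```python
"""Added example: flag a cmd.exe that has been copied under the name dllhost.exe."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    image_path: str
    command_line: str


# Constructed stand-in for the file system (path -> file bytes). The bytes are
# placeholders; only their equality matters for the hash comparison below.
FAKE_FS = {
    "C:\\Windows\\System32\\cmd.exe": b"MZ\x90\x00 constructed cmd.exe image",
    "C:\\Windows\\System32\\dllhost.exe": b"MZ\x90\x00 constructed dllhost.exe image",
    # Byte-identical copy of cmd.exe dropped under dllhost.exe's name.
    "C:\\Users\\Public\\dllhost.exe": b"MZ\x90\x00 constructed cmd.exe image",
}

# Constructed process snapshot; the GUID is a made-up placeholder.
SAMPLE_PROCESSES = [
    Process(4120, "dllhost.exe", "C:\\Windows\\System32\\dllhost.exe",
            "C:\\Windows\\System32\\dllhost.exe /Processid:{11111111-2222-3333-4444-555555555555}"),
    Process(5212, "dllhost.exe", "C:\\Users\\Public\\dllhost.exe",
            "dllhost.exe /c whoami"),
    Process(6001, "cmd.exe", "C:\\Windows\\System32\\cmd.exe", "cmd.exe"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def sha256_file(path, read_file=FAKE_FS.__getitem__):
    """SHA-256 of an image file; read_file is injectable so real disk reads can be used."""
    return hashlib.sha256(read_file(path)).hexdigest()


def find_masquerading_cmd(processes, read_file=FAKE_FS.__getitem__,
                          cmd_path="C:\\Windows\\System32\\cmd.exe"):
    """Return (pid, image_path, reasons) for dllhost.exe processes that look like cmd.exe."""
    cmd_hash = sha256_file(cmd_path, read_file)
    findings = []
    for proc in processes:
        if proc.name.lower() != "dllhost.exe":
            continue
        reasons = []
        # Strong signal: the running image is byte-identical to cmd.exe.
        if sha256_file(proc.image_path, read_file) == cmd_hash:
            reasons.append("image hash matches cmd.exe")
        # Weaker heuristics, useful for triage when the hash is not available.
        if not proc.image_path.lower().startswith(SYSTEM_DIRS):
            reasons.append("image outside System32/SysWOW64")
        if "/processid:" not in proc.command_line.lower():
            reasons.append("no /Processid: argument (genuine COM Surrogate launches carry one)")
        if reasons:
            findings.append((proc.pid, proc.image_path, reasons))
    return findings


if __name__ == "__main__":
    for pid, path, reasons in find_masquerading_cmd(SAMPLE_PROCESSES):
        print(f"PID {pid} {path}: {'; '.join(reasons)}")
```

Only the hash comparison is conclusive; the path and argument checks are there to prioritise hosts for a closer look when image hashes cannot be collected centrally.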
A Novel Kernel Rootkit
A dropper sample was also uncovered during the campaign that wrote different files to the disk, including a benign executable, a loader for the backdoor and a driver. Upon further investigation into the driver, researchers said that its purpose appears to be to hide and protect malicious artifacts from user-mode components.
“This includes four aspects: files, processes, registry keys and network connections. The driver has four global lists, one for each aspect, that contain the artifacts to hide,” said researchers. “The driver’s IOCTLs [input/output control system calls] allow dynamic configuration of the lists through its control device \Device\crtsys. As such, the dropper uses these IOCTLs to hide the driver’s registry key, the loader and backdoor files, and the loader process.”
The rootkit starts by checking the operating system version and whether the target machine is running in safe mode, in which the operating system boots into a diagnostic configuration rather than its normal operating mode. Researchers said the rootkit's operations use Direct Kernel Object Manipulation (DKOM), a common Windows rootkit technique that tampers with kernel data structures to hide malicious processes or files from tools such as the task manager and event scheduler.
“For this reason, it relies on specific OS builds as otherwise it may cause the infected machine to crash,” said researchers. “In general, the latest supported build is Windows 10 Creators Update (Redstone 2), released in April 2017.”
Rootkits, often installed as drivers, are a popular tool for attackers to retain privileged, hidden access to infected systems. This specific rootkit could hide TCP connections from tools like netstat, hide registry keys from users of Microsoft’s Registry Editor, and use various other mechanisms to hide processes or to prevent their termination.
Researchers also discovered that one of the two stolen certificates used to sign the rootkit had also been used by another known Chinese APT group, Winnti, to sign some of its tools. Winnti, which has been around since at least 2010, is known to heavily target the gaming industry, has previously used rootkits to modify server functionality, and has used stolen certificates to sign its malware.
“Although both Deep Panda and Winnti are known to use rootkits as part of their toolset, Fire Chili is a novel strain with a unique code base different from the ones previously affiliated with the groups,” said researchers.