Fire Chili Rootkit
The Chinese APT (Advanced Persistent Threat) group Deep Panda has been observed using a new addition to its arsenal. Named Fire Chili, the malware is a kernel-mode rootkit aimed at Windows systems. According to the report published by Fortinet's FortiGuard Labs, the rootkit was dropped on VMware Horizon servers that had been compromised through the Log4Shell vulnerability (CVE-2021-44228), and its driver supports Windows versions up to Windows 10 Creators Update (version 1703, released in April 2017), which limits the set of hosts on which it will load.
Rootkits are among the most dangerous classes of malware because they run in the kernel, below the user-mode layer where most security checks and anti-malware tools operate, and can filter what the rest of the system is allowed to see. To pass the checks that would otherwise block an unsigned kernel driver from loading and to avoid being flagged during the initial infection, Fire Chili is signed with valid digital certificates belonging to Frostburn Studios (a game developer) or Comodo (a security software company). The researchers believe the certificates were stolen from their legitimate owners, so the signatures verify as valid even though the signed code is malicious; the identity of the signer, not the signature status alone, is what gives the driver away.
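Because a driver signed with a stolen certificate passes a plain signature check, the practical test is an inventory of loaded drivers that reports who signed each one. The script below is an added example, not code from the Fortinet report or from the rootkit; it assumes an elevated PowerShell session on the Windows host being examined, and the watchlist holds only the two publishers named in the text (add others as you see fit).

```powershell
# Added example: list running kernel drivers with their Authenticode signer and
# flag anything unsigned, mismatched, non-Microsoft, or on a publisher watchlist.
# Watchlist entries are illustrative; they are the publishers named in the text.
$SuspectPublishers = @('Frostburn Studios', 'Comodo')

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes back in several NT/Win32 spellings.
    $p = $PathName -replace '^\\\?\?\\', ''            # strip a leading \??\
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignerReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }   # skip this item
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $isMicrosoft = $subject -match 'O=Microsoft Corporation'
            $onWatchlist = $false
            foreach ($pub in $SuspectPublishers) {
                if ($subject -like "*$pub*") { $onWatchlist = $true }
            }
            [pscustomobject]@{
                Driver = $_.Name
                Path   = $path
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer = $subject
                Flag   = if ($onWatchlist)               { 'WATCHLIST' }
                         elseif ($sig.Status -ne 'Valid') { 'BAD-SIGNATURE' }
                         elseif (-not $isMicrosoft)       { 'NON-MICROSOFT' }
                         else                              { '' }
            }
        }
}

# Show only drivers that raised a flag; drop the filter to see the full inventory.
Get-DriverSignerReport | Where-Object Flag | Format-Table -AutoSize
```

A WATCHLIST or NON-MICROSOFT hit is a lead, not a verdict: legitimate third-party drivers are signed by non-Microsoft publishers, and a product from a watchlisted vendor will match too. The useful signal is a driver you cannot account for whose signer is a game studio or other company with no business shipping kernel code on that host.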
When loaded, Fire Chili first runs a series of basic checks for signs of virtualization or a sandbox environment, and then verifies that the kernel structures and objects it relies on are present on the host. Its purpose is to conceal the rest of the intrusion: Fire Chili can hide file operations, processes, Registry key additions, and the attackers' network connections from users and security tools. It achieves this through IOCTLs (input/output control requests) sent from user mode, which carry the artifacts to hide and let the threat actors reconfigure that list dynamically rather than hard-coding it in the driver.
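A rootkit that filters process enumeration hides from tools that only ask the kernel for a list. A cross-view check compares that list with a second, independent view of the same facts: here, the user-mode process list against a brute-force probe of every possible PID through OpenProcess. The script is an added example, not code from the report or the rootkit; it assumes a Windows host, PowerShell with Add-Type available, and a PID ceiling of 65536 (raise MaxPid on busy systems, where PIDs climb higher).

```powershell
# Added example: cross-view detection of hidden processes.
# Get-Process relies on the system-wide process enumeration that hiding
# rootkits commonly filter; OpenProcess by PID is a separate code path.
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED     = 5    # the PID exists but is protected from us
$ERROR_INVALID_PARAMETER = 87   # no process has that PID

function Get-ProbedPids {
    param([int]$MaxPid = 65536)
    $found = New-Object System.Collections.Generic.List[int]
    for ($p = 4; $p -lt $MaxPid; $p += 4) {   # Windows PIDs are multiples of 4
        $h = [Probe.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $p)
        if ($h -ne [IntPtr]::Zero) {
            [void][Probe.Native]::CloseHandle($h)
            $found.Add($p)
        } elseif ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED) {
            $found.Add($p)                     # exists, just not openable by us
        }
    }
    return $found
}

function Find-HiddenProcesses {
    # Take the API view first, then probe; a PID that probes as present but
    # is absent from the API view is the anomaly we are looking for.
    $listed = Get-Process | ForEach-Object Id
    $probed = Get-ProbedPids
    Compare-Object -ReferenceObject $listed -DifferenceObject $probed |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object { [pscustomobject]@{ HiddenPid = $_.InputObject } }
}

Find-HiddenProcesses
```

Processes that start or exit between the two snapshots show up as one-off differences, so run the check twice and keep only the PIDs that repeat. The check is also only as good as the second view: a driver that filters process open requests as well as enumeration defeats it, which is why it belongs alongside the driver inventory and network and file-system cross-checks rather than on its own.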