Vulnerable VMware Horizon servers targeted by novel Fire Chili rootkit

BleepingComputer reports that VMware Horizon servers vulnerable to Log4Shell are being targeted by Chinese advanced persistent threat group Deep Panda to distribute the novel Fire Chili rootkit. Fortinet researchers discovered that Deep Panda has been deploying Fire Chili, which has been signed with certificates either from game developer Frostburn Studios or security software Comodo, to bypass antivirus systems. Launching the rootkit prompts the execution of basic system tests to evaluate kernel structures and ensure its absence in a simulated environment. Fire Chili then works to conceal file operations, processes, malicious network connections, and registry key additions from the user with the use of input/output control system calls. The report also found that the Deep Panda campaign had significant similarities with the Chinese hacking group Winnti. "The reason these tools are linked to two different groups is unclear at this time. It's possible that the groups' developers shared resources, such as stolen certificates and C2 infrastructure, with each other. This may explain why the samples were only signed several hours after being compiled," said Fortinet.