[German]Security researchers from Fortinet have come across a malware campaign that they attribute to the Chinese APT group Deep Panda. The malware uses the Log4Shell vulnerability in VMware Horizon servers to exploit. A backdoor and a new type of rootkit is installed on the infected machines. Here are some notes on the details of this threat.
Advertising
I became aware of the situation via the following tweet, which Fortinet describes in the article New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits.
The campaign by Deep Panda, a Chinese APT group, was already discovered by FortiEDR last month. The group exploited the Log4Shell vulnerability in VMware Horizon servers. The victims come from the finance, higher education, cosmetics and travel industries. The infections are spread across different countries.
Via Log4Shell to a backdoor
After infecting the VMware Horizon server via the Log4Shell vulnerability, Deep Panda deployed a backdoor on the infected computers. Forensic traces of the backdoor led to the discovery of a novel kernel rootkit. This is signed with a stolen digital certificate. The security researchers found that the same certificate was also used by another Chinese APT group called Winnti to sign some of their tools.
The campaign executes the attacks via a new PowerShell process. An encrypted PowerShell command downloads and executes another PowerShell script from a remote server. It then attempts to download and execute a chain of scripts. The whole thing ends with the installation of a malicious DLL (see above diagram in tweet).
Advertising
The file 1.dll is the last payload to be downloaded and installed. This is a backdoor that security researchers have named Milestone. Its code is based on the leaked source code of Gh0st RAT/Netbot Attacker and is packed with Themida.
The backdoor copies itself to %APPDATA%\newdev.dll and creates a service called msupdate2 by creating the service entry directly in the registry. Several other service names and descriptions were observed in various samples.
Overall, the backdoor has similar capabilities to Gh0st RAT. The difference, however, is that the backdoor handles its C2 communication uncompressed, unlike Gh0st RAT communication, which is zlib-compressed. There are also differences in the C2 commands. For the CMD command, for example, some variants first copy cmd.exe to dllhost.exe to avoid detection by security products that monitor CMD executions. In addition, the backdoor supports a command that sends information about the current sessions on the system to the server. This command is not included in the original source code of Gh0st RAT
Fire Chili Rootkit
When evaluating infections, the security researchers also came across a Fire Chili rootkit that was signed with a stolen certificate. The various examples of this rootkit are currently barely detected by Virustotal (1 virus scanner hits). The rootkit first makes sure that the victim's computer is not in safe mode. Then it checks the version of the operating system.
The rootkit uses Direct Kernel Object Modification (DKOM), which uses undocumented kernel structures and objects for its operations. For this reason, it relies on certain operating system builds, otherwise it can cause the infected computer to crash. In general, the latest supported build is the Windows 10 Creators Update (Redstone 2), which was released in April 2017.
The purpose of the driver is to hide and protect malicious artefacts from user mode components. This includes four aspects: Files, Processes, Registry Keys and Network Connections. The driver has four global lists, one for each aspect, containing the artefacts to be hidden. The driver's IOCTLs allow dynamic configuration of the lists via the control device \Device\crtsys. The dropper uses these IOCTLs to hide the driver's registry key, loader and backdoor files, and loader process. The details of the infection and behaviour can be found in the Fortinet post New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits.
