Deep Panda, a Chinese advanced persistent threat group, has been observed exploiting the Log4Shell vulnerability in VMware Horizon servers to install a backdoor and a previously unseen rootkit on compromised devices in order to steal sensitive data.
"The nature of the targeting was opportunistic in the sense that several infections occurred on the same dates in several countries and various sectors," stated Rotem Sde-Or and Eliran Voronovitch, FortiGuard Labs researchers, in a paper released this week. "The victims' occupations include banking, academics, cosmetics, and travel."
According to Secureworks, Deep Panda, also known as Shell Crew, KungFu Kittens, and Bronze Firestone, has been active since at least 2010. Recent attacks "targeted law businesses for data exfiltration and technology suppliers for command-and-control infrastructure creation."
CrowdStrike identified the group as "one of the most advanced Chinese nation-state cyber incursion outfits" when it gave it the panda-themed name in July 2014.
In the current set of attacks documented by Fortinet, the infection chain began with exploitation of the Log4j remote code execution flaw (aka Log4Shell) in vulnerable VMware Horizon servers to spawn a series of intermediate stages, ultimately leading to the deployment of a backdoor codenamed Milestone ("1.dll").
Milestone is designed to send information about current system sessions to a remote server. It is based on the leaked source code of the well-known Gh0st RAT, but with significant changes to the command-and-control (C2) communication technique used.
A kernel rootkit known as "Fire Chili" was also discovered during the attacks. It is digitally signed with certificates stolen from game development companies, which allows it to evade detection by security software while concealing malicious file operations, processes, registry key additions, and network connections.
"At this moment, it's unclear why these tools are associated with two distinct groups," the researchers stated. "It's probable that the developers from the two groups shared resources, such as stolen certificates and C2 infrastructure. This may explain why the samples were not signed for several hours after they were created."
The disclosure adds to the growing list of hacking groups that have used the Log4Shell vulnerability to attack VMware's virtualization platform.
CrowdStrike documented a thwarted campaign in December 2021 by an attacker tracked as Aquatic Panda that exploited the flaw to carry out a range of post-exploitation operations on targeted systems, including reconnaissance and credential harvesting.
Other actors have since joined the fray, notably the Iranian TunnelVision group, which has been observed actively abusing the Log4j logging library bug to infect unpatched VMware Horizon servers with ransomware.
Sophos has detailed a string of attacks against vulnerable Horizon servers that have been underway since January, carried out by threat actors seeking to illicitly mine bitcoin, install PowerShell-based reverse shells, or remotely deliver additional payloads.
"Because of the nature of Log4Shell vulnerabilities, attempts to compromise Horizon servers are among the more targeted exploits," Sophos researchers explained, adding that "platforms such as Horizon are particularly appealing targets to all types of malicious actors because they are widespread and can (if still vulnerable) easily be found and exploited with well-tested tools."