Over the last month, the Deep Panda Chinese APT group has been exploiting the Log4j flaw in order to deploy a backdoor and leverage a novel rootkit on infected machines, with the end goal of collecting sensitive data.

Upon further investigation into the campaign, researchers uncovered what they called the "Fire Chili" kernel rootkit, which was digitally signed with stolen certificates from game development companies. The use of the rootkit is new for the espionage group, which has been around since 2011.

“The nature of targeting was opportunistic insofar that multiple infections in several countries and various sectors occurred on the same dates,” said Rotem Sde-Or and Eliran Voronovitch, researchers with Fortinet’s FortiGuard Labs, in an analysis this week. “The victims belong to the financial, academic, cosmetics, and travel industries.”

The attackers first achieved initial access by exploiting the Log4j flaw via vulnerable VMware Horizon servers, which has been a common exploitation avenue for threat actors over the past months. A recent analysis from Sophos, for instance, highlighted a slew of attacks against these vulnerable Horizon servers that have been ongoing since January and have been launched by threat actors to deploy cryptocurrency mining malware or to install backdoors. The latter was the case in the attacks by Deep Panda, which after exploitation downloaded a backdoor called “Milestone” by researchers.

Rotem Sde-Or, researcher with FortiGuard Labs, said the backdoor has been used in attacks since 2013, though this is the first time it has been publicly linked to intrusions leveraging Log4Shell. The code for this backdoor is based on the leaked source code of Gh0st RAT (a remote access trojan used by multiple threat actors to target Windows victims), and has similar capabilities overall, although researchers noted a few significant differences.

“Its C2 communication is uncompressed, unlike Gh0st RAT communication which is zlib-compressed,” said researchers. “There are differences in commands as well. For example, in the CMD command, some variants first copy cmd.exe to dllhost.exe to avoid detection by security products that monitor CMD executions.”
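A defender-side illustration of the cmd.exe-to-dllhost.exe copy described above, added here and not part of the original article or Fortinet's analysis: a short Python check over constructed Sysmon process-creation (Event ID 1) records, assumed to be already parsed into dictionaries with the Sysmon field names, that flags a process whose on-disk name is not cmd.exe but whose PE version resource still reports OriginalFileName "Cmd.Exe". The sample records and their paths are constructed, not real telemetry.

```python
# Added example (not from the original article): detect a renamed copy of
# cmd.exe by comparing the on-disk image name against the OriginalFileName
# that Sysmon Event ID 1 reads from the PE version resource. Copying the
# file does not change that embedded name, so "dllhost.exe" whose
# OriginalFileName is "Cmd.Exe" is a masquerade. Record layout is assumed:
# dicts keyed "Image", "OriginalFileName", "CommandLine", "ParentImage".
from pathlib import PureWindowsPath
from typing import Iterable, List


def is_masqueraded_cmd(event: dict) -> bool:
    """True when the PE says cmd.exe but the file on disk is named otherwise."""
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    original = event.get("OriginalFileName", "").lower()
    return original == "cmd.exe" and image_name != "cmd.exe"


def find_renamed_cmd(events: Iterable[dict]) -> List[dict]:
    """Return every process-creation record that looks like a renamed cmd.exe."""
    return [e for e in events if is_masqueraded_cmd(e)]


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {   # genuine COM surrogate: name and OriginalFileName agree
        "Image": r"C:\Windows\System32\dllhost.exe",
        "OriginalFileName": "dllhost.exe",
        "CommandLine": "dllhost.exe /Processid:{placeholder}",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # genuine cmd.exe: not flagged even though OriginalFileName is Cmd.Exe
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c ver",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # cmd.exe copied to dllhost.exe and launched from a user-writable path
        "Image": r"C:\Users\Public\dllhost.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "dllhost.exe /c ver",
        "ParentImage": r"C:\Program Files\Java\bin\java.exe",
    },
]

if __name__ == "__main__":
    for hit in find_renamed_cmd(SAMPLE_EVENTS):
        print("renamed cmd.exe:", hit["Image"], "parent:", hit["ParentImage"])
```

The same Image/OriginalFileName comparison generalises to other living-off-the-land binaries, but note that an attacker who also patches the version resource defeats it, so pair it with file-creation telemetry for the copy itself.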