win.firechili

Fire Chili

Actor(s): Shell Crew


The purpose of this rootkit/driver is to hide and protect malicious artifacts (e.g. files, processes, registry keys and network connections) from user-mode components.
According to FortiGuard Labs, this malware uses Direct Kernel Object Modification (DKOM), which involves undocumented kernel structures and objects, for its operations, which is why it has to rely on specific OS builds.

References
2022-04-01 | The Hacker News | Ravie Lakshmanan
@online{lakshmanan:20220401:chinese:0b445c6, author = {Ravie Lakshmanan}, title = {{Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit}}, date = {2022-04-01}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html}, language = {English}, urldate = {2022-04-04} } Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit
Fire Chili Ghost RAT
2022-03-30 | Fortinet | Rotem Sde-Or, Eliran Voronovitch
@online{sdeor:20220330:new:8eeff0d, author = {Rotem Sde-Or and Eliran Voronovitch}, title = {{New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits}}, date = {2022-03-30}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits}, language = {English}, urldate = {2022-03-31} } New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Fire Chili Ghost RAT
Yara Rules
[TLP:WHITE] win_firechili_auto (20220516 | Detects win.firechili.)
/*
 * win_firechili_auto — autogenerated code-sequence signature for the
 * Fire Chili rootkit/driver (Malpedia family win.firechili).
 *
 * How it matches: ten short x64 byte sequences ($sequence_0..$sequence_9),
 * picked by yara-signator from the disassembly of memory dumps and unpacked
 * files (see DISCLAIMER below). The condition fires when at least 7 of the 10
 * sequences are present AND the scanned file is smaller than 91136 bytes
 * (89 KiB), so a repacked or substantially grown variant can fall outside
 * the size bound even if the code sequences survive.
 *
 * The `????????` wildcards stand for the 4-byte RIP-relative displacement of
 * the preceding opcode (ff15 = call qword ptr [rip+disp32], 488b05 = mov
 * rax, [rip+disp32]); those displacements change between builds/link
 * addresses, which is why they are masked rather than matched.
 *
 * NOTE(review): the `//` mnemonic annotations next to each byte group are
 * tool output and do not appear to decode the listed x64 bytes (for
 * example 4983c608 decodes to `add r14, 8` and 83fe02 to `cmp esi, 2`, not
 * the annotated 32-bit forms). Treat the hex sequences as authoritative and
 * re-decode them yourself before reasoning about what a sequence does.
 *
 * NOTE(review): `filesize` is meaningful for file scans; confirm YARA's
 * semantics for process-memory scanning before relying on this rule in a
 * live-memory use case, since the rule's strings were derived from dumps.
 */
rule win_firechili_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.firechili."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Signature features used by the generator: call/jump targets,
        // data references and immediate values (per the generator config).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.firechili"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each "n = K, score = S" line gives the instruction count of the
        // sequence and the generator's per-sequence score; all ten score 100.
        $sequence_0 = { 4983c608 83fe02 0f8250ffffff 4863f3 488d1d0e240000 660f1f440000 }
            // n = 6, score = 100
            //   4983c608             | cmp                 word ptr [eax + 8], cx
            //   83fe02               | ja                  0x2005
            //   0f8250ffffff         | js                  0x201b
            //   4863f3               | mov                 ecx, dword ptr [ebx + 0x30]
            //   488d1d0e240000       | xor                 eax, eax
            //   660f1f440000         | dec                 eax

        $sequence_1 = { eb1b 488b05???????? 498d7808 4863d2 488b18 4883c308 }
            // n = 6, score = 100
            //   eb1b                 | xor                 eax, eax
            //   488b05????????       |                     
            //   498d7808             | cmp                 ax, word ptr [esp + 0x28]
            //   4863d2               | je                  0x80
            //   488b18               | mov                 dl, 1
            //   4883c308             | dec                 eax

        $sequence_2 = { 41b001 488d4c2420 ff15???????? b901000000 400fb6df 84c0 0f45d9 }
            // n = 7, score = 100
            //   41b001               | xor                 al, al
            //   488d4c2420           | dec                 eax
            //   ff15????????         |                     
            //   b901000000           | mov                 ebx, dword ptr [esp + 0x60]
            //   400fb6df             | dec                 eax
            //   84c0                 | add                 esp, 0x50
            //   0f45d9               | dec                 eax

        $sequence_3 = { 49897b18 33c0 498943c8 498943d0 }
            // n = 4, score = 100
            //   49897b18             | xor                 edi, edi
            //   33c0                 | inc                 esp
            //   498943c8             | mov                 edx, edi
            //   498943d0             | dec                 eax

        // b80d0000c0 is `mov eax, 0xC000000D` (NTSTATUS STATUS_INVALID_PARAMETER),
        // followed by an epilogue (add rsp, 0x230 / pop rbx / ret): an error-return
        // path consistent with kernel-driver code. Generic on its own; it only
        // carries weight in combination with the other sequences.
        $sequence_4 = { c3 b80d0000c0 4881c430020000 5b c3 48895c2408 }
            // n = 6, score = 100
            //   c3                   | dec                 eax
            //   b80d0000c0           | test                eax, eax
            //   4881c430020000       | je                  0x16b
            //   5b                   | inc                 esp
            //   c3                   | mov                 ecx, dword ptr [ebx + 0x48]
            //   48895c2408           | dec                 eax

        // NOTE(review): mov rax, [rdi] / test rax, rax / je / cmp rax, rdi / je
        // reads like a pointer-list walk that stops on NULL or when it returns
        // to the start entry — plausibly DKOM-related given the family
        // description, but this is an inference from the bytes, not verified.
        $sequence_5 = { 488b07 4885c0 7429 0f1f8000000000 483bc7 741d }
            // n = 6, score = 100
            //   488b07               | dec                 esp
            //   4885c0               | lea                 eax, [esp + 0x30]
            //   7429                 | dec                 eax
            //   0f1f8000000000       | mov                 ecx, ebx
            //   483bc7               | inc                 ecx
            //   741d                 | call                ecx

        $sequence_6 = { 488b4840 c74114b7660784 488d4c2450 ff15???????? 85c0 7913 488b4c2478 }
            // n = 7, score = 100
            //   488b4840             | dec                 eax
            //   c74114b7660784       | mov                 dword ptr [ebx + 0x38], ecx
            //   488d4c2450           | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | mov                 dword ptr [ebx + 0x40], eax
            //   7913                 | dec                 eax
            //   488b4c2478           | mov                 ecx, dword ptr [ebx + 0x48]

        $sequence_7 = { 7cf0 eb1b 488b05???????? 498d5808 4863d1 }
            // n = 5, score = 100
            //   7cf0                 | add                 edi, 8
            //   eb1b                 | cmp                 ebx, 1
            //   488b05????????       |                     
            //   498d5808             | jb                  0xfffffff5
            //   4863d1               | dec                 esp

        $sequence_8 = { 4d85c9 741e 4c8d842490000000 488bcf }
            // n = 4, score = 100
            //   4d85c9               | dec                 eax
            //   741e                 | mov                 dword ptr [eax], ecx
            //   4c8d842490000000     | dec                 eax
            //   488bcf               | mov                 ecx, dword ptr [ebx + 0x40]

        $sequence_9 = { 488bd8 488b7c2470 488bac24a8000000 488bce ff15???????? 488bc3 }
            // n = 6, score = 100
            //   488bd8               | je                  0x1212
            //   488b7c2470           | mov                 edx, 0x767473
            //   488bac24a8000000     | nop                 
            //   488bce               | dec                 eax
            //   ff15????????         |                     
            //   488bc3               | lea                 ecx, [ebp + 0x40]

    condition:
        // 7 of the 10 sequences tolerates some code drift between samples;
        // the size cap (91136 bytes = 89 KiB) limits false positives on large
        // binaries but also excludes larger variants.
        7 of them and filesize < 91136
}