win.firechili

Fire Chili

Actor(s): Shell Crew


The purpose of this rootkit/driver is to hide and protect malicious artifacts (e.g. files, processes, registry keys and network connections) from user-mode components.
According to FortiGuard Labs, this malware uses Direct Kernel Object Manipulation (DKOM), which involves undocumented kernel structures and objects, for its operations; this is why the malware has to rely on specific OS builds.

References
2022-04-01 — The Hacker News — Ravie Lakshmanan
@online{lakshmanan:20220401:chinese:0b445c6, author = {Ravie Lakshmanan}, title = {{Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit}}, date = {2022-04-01}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html}, language = {English}, urldate = {2022-04-04} } Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit
Fire Chili Ghost RAT
2022-03-30 — Fortinet — Rotem Sde-Or, Eliran Voronovitch
@online{sdeor:20220330:new:8eeff0d, author = {Rotem Sde-Or and Eliran Voronovitch}, title = {{New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits}}, date = {2022-03-30}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits}, language = {English}, urldate = {2022-03-31} } New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Fire Chili Ghost RAT
Yara Rules
[TLP:WHITE] win_firechili_auto (20230125 | Detects win.firechili.)
rule win_firechili_auto {
    // Auto-generated code-sequence signature for the Fire Chili rootkit driver
    // (Malpedia family win.firechili). The rule matches on raw x86-64 byte
    // sequences lifted from the disassembly of the documented sample(s); it uses
    // no pe-module, import or string heuristics. See the DISCLAIMER below for
    // how the sequences were selected and how much confidence to assign.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.firechili."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.firechili"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the mnemonic column in the generated per-byte comments below
    // does not appear to correspond to the hex bytes on the same line (for
    // example `48 2b f2` is a REX.W-prefixed `sub`, not `xor eax, eax`). YARA
    // matches on the hex sequences only, so treat those as authoritative and the
    // mnemonic text as a yara-signator rendering artifact. The `??` wildcards
    // mask the 4-byte displacement of `ff15` (call [rip+disp32]) so that samples
    // with a different import-table layout or relocation still match.

    strings:
        $sequence_0 = { 482bf2 48d1ee 4803f2 48c1ee08 }
            // n = 4, score = 100
            //   482bf2               | xor                 eax, eax
            //   48d1ee               | dec                 ecx
            //   4803f2               | mov                 dword ptr [ebx - 0x38], eax
            //   48c1ee08             | inc                 ecx

        $sequence_1 = { 899c24c8000000 4c897c2450 85db 0f8824020000 488b5a70 4885db 0f8410020000 }
            // n = 7, score = 100
            //   899c24c8000000       | dec                 eax
            //   4c897c2450           | mov                 ecx, dword ptr [ebx]
            //   85db                 | mov                 edx, 0x767473
            //   0f8824020000         | dec                 eax
            //   488b5a70             | mov                 eax, dword ptr [ebx + 8]
            //   4885db               | je                  0x81
            //   0f8410020000         | mov                 dl, 1

        $sequence_2 = { 4c8b6b58 4c896c2448 48894c2438 4889442430 }
            // n = 4, score = 100
            //   4c8b6b58             | mov                 edx, dword ptr [eax]
            //   4c896c2448           | dec                 eax
            //   48894c2438           | mov                 dword ptr [esp + 0x20], edx
            //   4889442430           | inc                 ecx

        $sequence_3 = { 488b08 48890a ff15???????? b201 488d0d43510000 ff15???????? }
            // n = 6, score = 100
            //   488b08               | je                  0x1d66
            //   48890a               | dec                 eax
            //   ff15????????         |                     
            //   b201                 | mov                 ecx, eax
            //   488d0d43510000       | dec                 eax
            //   ff15????????         |                     

        $sequence_4 = { 84c0 0f84ff000000 0fb77c2420 488b742428 8bc7 }
            // n = 5, score = 100
            //   84c0                 | xor                 esi, esi
            //   0f84ff000000         | dec                 eax
            //   0fb77c2420           | mov                 ebp, edx
            //   488b742428           | dec                 eax
            //   8bc7                 | mov                 esi, ecx

        $sequence_5 = { ba3f000f00 897d67 488d4d77 48897d77 48897d7f 48897d6f 48897d0f }
            // n = 7, score = 100
            //   ba3f000f00           | mov                 word ptr [esp + 0x40], si
            //   897d67               | jmp                 0x68
            //   488d4d77             | dec                 esp
            //   48897d77             | lea                 ecx, [ecx - 0x103]
            //   48897d7f             | jne                 8
            //   48897d6f             | dec                 eax
            //   48897d0f             | cmp                 ecx, 0x7ffffffe

        $sequence_6 = { 33db 4885c9 0f849d010000 488bd1 488d4c2430 ff15???????? 488d442430 }
            // n = 7, score = 100
            //   33db                 | dec                 eax
            //   4885c9               | mov                 ecx, dword ptr [ebx]
            //   0f849d010000         | mov                 edx, 0x767473
            //   488bd1               | dec                 eax
            //   488d4c2430           | mov                 eax, dword ptr [ebx + 8]
            //   ff15????????         |                     
            //   488d442430           | dec                 eax

        $sequence_7 = { 48894138 41807c241000 0f848d000000 4885c0 0f8484000000 4d8bc4 498bd7 }
            // n = 7, score = 100
            //   48894138             | jne                 0x11d8
            //   41807c241000         | dec                 esp
            //   0f848d000000         | mov                 eax, dword ptr [edx + 0xb8]
            //   4885c0               | inc                 ecx
            //   0f8484000000         | cmp                 byte ptr [eax], 0xe
            //   4d8bc4               | inc                 ecx
            //   498bd7               | mov                 edx, dword ptr [eax + 0x18]

        $sequence_8 = { 7474 480fbfc7 4533c9 48d1e8 66896e02 4c8b4308 }
            // n = 6, score = 100
            //   7474                 | dec                 eax
            //   480fbfc7             | add                 esp, 0x230
            //   4533c9               | dec                 eax
            //   48d1e8               | test                eax, eax
            //   66896e02             | je                  0x1474
            //   4c8b4308             | dec                 eax

        $sequence_9 = { 488b4d7f 488bbc2488000000 4885c9 7406 ff15???????? 8bc3 4881c498000000 }
            // n = 7, score = 100
            //   488b4d7f             | dec                 eax
            //   488bbc2488000000     | mov                 edx, dword ptr [edx + 0x10]
            //   4885c9               | dec                 esp
            //   7406                 | lea                 eax, [esp + 0x50]
            //   ff15????????         |                     
            //   8bc3                 | dec                 ecx
            //   4881c498000000       | mov                 ecx, dword ptr [edx + 8]

    condition:
        // At least 7 of the 10 sequences must be present (tolerating some
        // variation between builds), and the scanned file must be smaller than
        // 91136 bytes. The size cap bounds false positives on large binaries but
        // will also miss padded or otherwise enlarged copies; `filesize` is only
        // meaningful for file scans — confirm its behaviour for process-memory
        // scans before relying on this rule there.
        7 of them and filesize < 91136
}