win.firechili

Fire Chili

Actor(s): Shell Crew


The purpose of this rootkit/driver is to hide and protect malicious artifacts (e.g. files, processes, registry keys and network connections) from user-mode components.
According to Fortinet's FortiGuard Labs, the driver relies on Direct Kernel Object Modification (DKOM), which depends on undocumented kernel structures and objects; this is why the malware is tied to specific Windows OS builds. The same Fortinet report (referenced below) describes the Fire Chili rootkits as digitally signed, i.e. built to load under Driver Signature Enforcement rather than requiring it to be disabled.

References
2022-04-01 · The Hacker News · Ravie Lakshmanan
@online{lakshmanan:20220401:chinese:0b445c6, author = {Ravie Lakshmanan}, title = {{Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit}}, date = {2022-04-01}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html}, language = {English}, urldate = {2022-04-04} } Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit
Families: Fire Chili, Ghost RAT
2022-03-30 · Fortinet · Rotem Sde-Or, Eliran Voronovitch
@online{sdeor:20220330:new:8eeff0d, author = {Rotem Sde-Or and Eliran Voronovitch}, title = {{New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits}}, date = {2022-03-30}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits}, language = {English}, urldate = {2022-03-31} } New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Families: Fire Chili, Ghost RAT
Yara Rules
[TLP:WHITE] win_firechili_auto (20230715 | Detects win.firechili.)
rule win_firechili_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.firechili."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.firechili"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * The per-instruction annotations below decode the x86-64 bytes that are
     * actually listed in each string; the generator's original annotations
     * were 32-bit disassembly of different bytes and did not correspond to
     * the hex next to them. Branch targets are written as relative
     * displacements (e.g. "js +0x76"). The "????????" wildcards stand for
     * rel32 / RIP-relative disp32 operands, which differ between builds and
     * are therefore intentionally not matched.
     */

    strings:
        $sequence_0 = { 85c9 7876 4881fbfeffff7f 7610 b80d0000c0 488b5c2408 }
            // n = 6, score = 100
            //   85c9                 | test                ecx, ecx
            //   7876                 | js                  +0x76
            //   4881fbfeffff7f       | cmp                 rbx, 0x7ffffffe
            //   7610                 | jbe                 +0x10
            //   b80d0000c0           | mov                 eax, 0xc000000d  ; 0xC000000D is the NTSTATUS value STATUS_INVALID_PARAMETER, in line with this being kernel-driver code
            //   488b5c2408           | mov                 rbx, [rsp + 8]

        $sequence_1 = { ff15???????? ff15???????? 4885ff 7428 4c3bf3 7442 85ed }
            // n = 7, score = 100
            //   ff15????????         | call                [rip + disp32]   ; disp32 wildcarded
            //   ff15????????         | call                [rip + disp32]   ; disp32 wildcarded
            //   4885ff               | test                rdi, rdi
            //   7428                 | je                  +0x28
            //   4c3bf3               | cmp                 r14, rbx
            //   7442                 | je                  +0x42
            //   85ed                 | test                ebp, ebp

        $sequence_2 = { c684249800000000 4c8bf3 498bdc 85ed 7435 488b842488000000 }
            // n = 6, score = 100
            //   c684249800000000     | mov                 byte ptr [rsp + 0x98], 0
            //   4c8bf3               | mov                 r14, rbx
            //   498bdc               | mov                 rbx, r12
            //   85ed                 | test                ebp, ebp
            //   7435                 | je                  +0x35
            //   488b842488000000     | mov                 rax, [rsp + 0x88]

        $sequence_3 = { 400fb6ff 488d4c2420 84c0 410f45ff ff15???????? 4084ff 750e }
            // n = 7, score = 100
            //   400fb6ff             | movzx               edi, dil
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]
            //   84c0                 | test                al, al
            //   410f45ff             | cmovne              edi, r15d
            //   ff15????????         | call                [rip + disp32]   ; disp32 wildcarded
            //   4084ff               | test                dil, dil
            //   750e                 | jne                 +0x0e

        $sequence_4 = { 48895c2430 488b9ab8000000 4885db 0f8496000000 817b181b001200 }
            // n = 5, score = 100
            //   48895c2430           | mov                 [rsp + 0x30], rbx
            //   488b9ab8000000       | mov                 rbx, [rdx + 0xb8]
            //   4885db               | test                rbx, rbx
            //   0f8496000000         | je                  +0x96
            //   817b181b001200       | cmp                 dword ptr [rbx + 0x18], 0x12001b

        $sequence_5 = { 0f11459f ff15???????? 488d4d17 ff15???????? 4885c0 7413 488d5567 }
            // n = 7, score = 100
            //   0f11459f             | movups              xmmword ptr [rbp - 0x61], xmm0
            //   ff15????????         | call                [rip + disp32]   ; disp32 wildcarded
            //   488d4d17             | lea                 rcx, [rbp + 0x17]
            //   ff15????????         | call                [rip + disp32]   ; disp32 wildcarded
            //   4885c0               | test                rax, rax
            //   7413                 | je                  +0x13
            //   488d5567             | lea                 rdx, [rbp + 0x67]

        $sequence_6 = { 7c22 4c8b0d???????? 4d85c9 740d 4c8d442430 488bcb 41ffd1 }
            // n = 7, score = 100
            //   7c22                 | jl                  +0x22
            //   4c8b0d????????       | mov                 r9, [rip + disp32]   ; disp32 wildcarded
            //   4d85c9               | test                r9, r9
            //   740d                 | je                  +0x0d
            //   4c8d442430           | lea                 r8, [rsp + 0x30]
            //   488bcb               | mov                 rcx, rbx
            //   41ffd1               | call                r9

        $sequence_7 = { 8b03 4889442440 4885f6 780a 488d4c2420 e8???????? }
            // n = 6, score = 100
            //   8b03                 | mov                 eax, [rbx]
            //   4889442440           | mov                 [rsp + 0x40], rax
            //   4885f6               | test                rsi, rsi
            //   780a                 | js                  +0x0a
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]
            //   e8????????           | call                rel32   ; rel32 wildcarded

        $sequence_8 = { 664585db 750c 410fb7d0 488bcb 48d1ea eb05 b80d0000c0 }
            // n = 7, score = 100
            //   664585db             | test                r11w, r11w
            //   750c                 | jne                 +0x0c
            //   410fb7d0             | movzx               edx, r8w
            //   488bcb               | mov                 rcx, rbx
            //   48d1ea               | shr                 rdx, 1
            //   eb05                 | jmp                 +0x05
            //   b80d0000c0           | mov                 eax, 0xc000000d  ; same STATUS_INVALID_PARAMETER constant as in $sequence_0

        $sequence_9 = { 4c89742438 4533f6 90 483bde 742d 488b07 }
            // n = 6, score = 100
            //   4c89742438           | mov                 [rsp + 0x38], r14
            //   4533f6               | xor                 r14d, r14d
            //   90                   | nop
            //   483bde               | cmp                 rbx, rsi
            //   742d                 | je                  +0x2d
            //   488b07               | mov                 rax, [rdi]

    condition:
        // At least 7 of the 10 code sequences must be present. The size bound
        // is derived from the single documented sample and is only meaningful
        // for on-disk/unpacked files: per YARA's documentation `filesize` is
        // undefined when scanning a process rather than a file, so this rule
        // will not fire on live-memory scans unless the size clause is
        // dropped or relaxed.
        7 of them and filesize < 91136
}