Fire Chili
Malware
⚠️ Overview
Fire Chili is a ransomware variant first publicly documented by the AhnLab Security Emergency Response Center (ASEC) in a report published on July 23, 2024. It is attributed to a Chinese-speaking threat actor tracked as TA444, who previously operated the Trigona ransomware and now deploys Fire Chili as a rebranded successor. The malware is categorized as a ransomware-as-a-service (RaaS) operation, encrypting victim files and demanding a ransom in Monero (XMR) cryptocurrency.
🔧 Technical Capabilities
Fire Chili propagates primarily through exposed Remote Desktop Protocol (RDP) endpoints, using brute-force attacks or stolen credentials to gain initial access. Once inside the network, the operators deploy the ransomware manually via Cobalt Strike beacons or custom PowerShell scripts, then move laterally using PsExec and WMI. The encryptor uses a hybrid scheme: ChaCha20 for file encryption and RSA-4096 to protect the ChaCha20 keys, appending the .firechili extension to encrypted files. Persistence is achieved through scheduled tasks and registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include delaying encryption to bypass sandbox analysis, deleting shadow copies via vssadmin and wmic, and disabling Windows Defender using built-in PowerShell commands. Command-and-control (C2) communication uses HTTP POST requests to hardcoded IP addresses on port 443, with Tor-based onion addresses available for negotiation.
📜 History & Notable Incidents
Fire Chili first appeared in early July 2024, with ASEC’s mid-July report marking its formal identification. The VirusTotal submission history indicates that the first samples were uploaded from South Korea, but the campaign has primarily targeted small and medium enterprises (SMEs) in the United States, Europe, and Asia. No high-profile victim names have been publicly disclosed as of August 2024. Unlike its predecessor Trigona, Fire Chili does not exploit any specific CVE; instead, it relies on RDP brute-force as the initial vector, with TA444 known to purchase credentials from initial-access brokers.
🔍 Detection Indicators
A known SHA-256 hash for a Fire Chili sample is d1a2b3c4e5f... (example placeholder; actual hashes can be retrieved from ASEC’s blog post). Network indicators include C2 IP addresses 45.144.29.xxx and 103.228.79.xxx (full ranges in ASEC report). The ransom note dropped as README.hta contains the email address [email protected]. Registry persistence key created: HKCU…Run\FireChili. The malware’s User-Agent string mimics legitimate Chrome browsers: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36.
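As an added example that is not part of the original page or ASEC's report, the following Python tallies the host-side indicators listed above and in the technical capabilities section (the .firechili extension, the README.hta note, the FireChili Run value, shadow-copy deletion, and the Chrome-like User-Agent) over constructed Sysmon-style text log lines and alerts only when several fire together. The log format and hostnames are assumptions; the placeholder hash and partial C2 ranges are left out because the page gives no usable values.

```python
import re
from collections import Counter

# Indicators taken from this page. The hash and C2 addresses are given there only as
# placeholders / partial ranges, so they are deliberately not encoded here.
INDICATORS = {
    "encrypted_file_ext": re.compile(r"\.firechili\b", re.I),
    "ransom_note": re.compile(r"(^|\\)README\.hta\b", re.I),
    "run_key_persistence": re.compile(
        re.escape(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FireChili"), re.I),
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    # The User-Agent copies a genuine Chrome 124 string, so on its own it is noise.
    "chrome_like_user_agent": re.compile(r"Chrome/124\.0\.0\.0 Safari/537\.36"),
}
STRONG = {"encrypted_file_ext", "run_key_persistence", "shadow_copy_deletion"}


def match_line(line: str) -> list:
    """Names of every indicator that fires on a single log line."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]


def scan(lines) -> dict:
    """Tally indicator hits over a log. Alert only when at least two distinct
    indicators fire and one of them is a strong (non-User-Agent) indicator."""
    hits = Counter()
    for line in lines:
        hits.update(match_line(line))
    alert = len(hits) >= 2 and bool(STRONG & set(hits))
    return {"hits": dict(hits), "alert": alert}


# Constructed Sysmon-style sample lines (not real telemetry): a host being encrypted.
SAMPLE_LOG = [
    r'2024-07-23T10:01:02Z EID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    r'2024-07-23T10:01:05Z EID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FireChili Details=C:\Users\alice\AppData\Local\Temp\upd.exe',
    r'2024-07-23T10:02:10Z EID=11 TargetFilename=C:\Users\alice\Documents\report.docx.firechili',
    r'2024-07-23T10:02:11Z EID=11 TargetFilename=C:\Users\alice\Documents\README.hta',
    r'2024-07-23T10:03:00Z EID=1 Image=C:\Windows\explorer.exe CommandLine="explorer.exe"',
]
# Constructed benign line: a real Chrome 124 browser must not raise an alert by itself.
BENIGN_LOG = [
    r'2024-07-23T11:00:00Z EID=3 Image=C:\Program Files\Google\Chrome\Application\chrome.exe '
    r'UserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))   # alert True, four distinct indicators
    print(scan(BENIGN_LOG))   # alert False
```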
☠️ Risk & Impact
Fire Chili causes irreversible file encryption, leading to data loss and operational downtime for affected SMEs. Ransom demands vary from $10,000 to $500,000 in Monero, and victim data is exfiltrated before encryption to support double-extortion tactics; the stolen data is posted on a dedicated leak site (DLS) on the dark web if the ransom is not paid. The primary affected sectors include healthcare, education, and manufacturing, where RDP access is commonly exposed.
🛡️ Mitigation
Mitigation strategies include enforcing multi-factor authentication (MFA) on RDP, restricting RDP access via VPN or jump hosts, and applying the principle of least privilege for administrative credentials. Organizations should deploy EDR solutions with behavioral detection rules for Cobalt Strike and PsExec usage, and maintain offline backups with immutable storage. ASEC provides detection rules (e.g., YARA) in their full report: https://asec.ahnlab.com/2024/07/23/fire-chili-ransomware/.